FireBall
Need advice about the kernel area

Hello,

We are building an IDS/IPS/WAF system that reads packets from PF_RING and applies rules to iptables / Netfilter / ntuple.
That software needs access to userspace for iptables and kernelspace for Netfilter, so we already pipe both sides.
But our main concern is the performance issue. Time is our biggest enemy, and we need to solve the problem in micro/milliseconds.
So where is the best working area for the main core of our software for performance: kernel space or user space? And why?

Thanks for the information
David Favor

If I were faced with this, I'd use nftables, which compiles rules into VM code which lives in the kernel.

So you get speed + no worries about memory management or pointer boundaries. Debugging kernel code requires tremendous time.

https://netfilter.org/ provides details.

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables provides a cursory overview of moving to nftables.

Keep in mind stable nftables requires a very recent OS.

If your product has to run on many different OS versions, then best stick with iptables.

Also, if you have rules which apply to many IPs, then using ipset will greatly speed up your product's performance.
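The set-based approach recommended above, as an added example (my own illustration, not code from the thread, netfilter.org or the nftables wiki): a POSIX shell script that turns a blocklist file into the per-address iptables rules the asker tested, the equivalent ipset restore input, and an nftables set with a single drop rule. The table, set and chain names (filter, blocklist, input) are arbitrary choices, and the sample blocklist is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread, netfilter.org or the nftables wiki): generate,
# from a blocklist file with one IPv4 address or CIDR per line ("#" comments allowed),
# the three rule styles discussed above. Table, set and chain names are arbitrary.

# Style 1 (what the asker tested): one iptables rule per address. The INPUT chain is
# walked rule by rule for every packet, so the cost grows with the number of rules.
gen_iptables_linear() {   # $1 = blocklist file
    awk '$1 ~ /^#/ || NF == 0 { next } { print "iptables -I INPUT -s " $1 " -j DROP" }' "$1"
}

# Style 2 (ipset): input for "ipset restore"; afterwards the whole set is matched
# by ONE iptables rule:
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
gen_ipset_restore() {   # $1 = blocklist file
    echo "create blocklist hash:net family inet"
    awk '$1 ~ /^#/ || NF == 0 { next } { print "add blocklist " $1 }' "$1"
}

# Style 3 (nftables): a native set with interval support and a single drop rule,
# loadable with "nft -f". The kernel does one set lookup, not a rule-by-rule walk.
gen_nft_blocklist() {   # $1 = blocklist file
    echo "table inet filter {"
    echo "    set blocklist {"
    echo "        type ipv4_addr"
    echo "        flags interval"
    echo "        elements = {"
    awk '$1 ~ /^#/ || NF == 0 { next } { e[n++] = $1 }
         END { for (i = 0; i < n; i++) printf "            %s%s\n", e[i], (i < n - 1 ? "," : "") }' "$1"
    echo "        }"
    echo "    }"
    echo "    chain input {"
    echo "        type filter hook input priority 0; policy accept;"
    echo "        ip saddr @blocklist counter drop"
    echo "    }"
    echo "}"
}

# Constructed sample blocklist (RFC 5737 documentation ranges, not real hosts).
write_sample_blocklist() {   # $1 = output path
    printf '# constructed sample\n192.0.2.10\n198.51.100.0/24\n\n203.0.113.7\n' > "$1"
}

# Stand-alone demo: print all three styles for the sample list.
demo() {
    tmp=$(mktemp)
    write_sample_blocklist "$tmp"
    echo "# --- linear iptables rules ---"; gen_iptables_linear "$tmp"
    echo "# --- ipset restore input ---";   gen_ipset_restore "$tmp"
    echo "# --- nftables ruleset ---";      gen_nft_blocklist "$tmp"
    rm -f "$tmp"
}
demo
```

The script itself only generates text and needs no privileges; loading the ipset output with `ipset restore` or the nft output with `nft -f` on a real host does. The point to take from the three outputs is structural: the linear style adds one INPUT rule per address, whereas both set-based styles keep the packet path at one rule plus one set lookup whatever the list size.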
FireBall (ASKER)

iptables has some issues when it is under a huge traffic load; for example, a test result is given below on net_recv

iptables -I INPUT -s xx.xx.xx.xx -j DROP applied only -> this is dropping the traffic, and the first test with this rule has been made; it is OK
I have added another rule with an A definition to be the second rule after blocking

iptables -I INPUT -p tcp -j ACCEPT

and the result is given below. If I add some other rules after blocking the traffic, it makes the latency issue worse. I think iptables keeps usage in memory or some other place, so when I apply more rules after the traffic is cleaned, it still keeps getting higher latency.


[root@centos7 staps]# sh receive.sh 
Pass 1: parsed user script and 120 library scripts using 227452virt/40492res/3256shr/37432data kb, in 430usr/20sys/458real ms.
Pass 2: analyzed script: 4 probes, 3 functions, 4 embeds, 3 globals using 265312virt/79368res/4452shr/75292data kb, in 720usr/200sys/922real ms.
Pass 3: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.c
Pass 4: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.ko
Pass 5: starting run.
Duration min:0us avg:3us max:168us count:2866019
Duration (us):
value |-------------------------------------------------- count
    0 |                                                     32167
    1 |                                                      9999
    2 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  1723569
    4 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@                        973472
    8 |@@@                                                 111055
   16 |                                                     14777
   32 |                                                       376
   64 |                                                       585
  128 |                                                        19
  256 |                                                         0
  512 |                                                         0


Pass 5: run completed in 0usr/50sys/30580real ms.

[root@centos7 staps]# sh receive.sh 
Pass 1: parsed user script and 120 library scripts using 227460virt/40492res/3256shr/37440data kb, in 460usr/60sys/522real ms.
Pass 2: analyzed script: 4 probes, 3 functions, 4 embeds, 3 globals using 265320virt/79372res/4452shr/75300data kb, in 1000usr/300sys/1299real ms.
Pass 3: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.c
Pass 4: using cached /root/.systemtap/cache/71/stap_71b15524ce81fbb06b5374bfceef9648_4311.ko
Pass 5: starting run.
Duration min:0us avg:46us max:172119us count:2288864
Duration (us):
 value |-------------------------------------------------- count
     0 |@                                                    39677
     1 |                                                      7751
     2 |                                                      1599
     4 |                                                       320
     8 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  1853507
    16 |@@@@@@@@@                                           342500
    32 |                                                     34038
    64 |                                                       751
   128 |                                                       158
   256 |                                                       286
   512 |                                                      6175
  1024 |                                                      1348
  2048 |                                                         0
  4096 |                                                         1
  8192 |                                                         0
 16384 |                                                         4
 32768 |                                                        56
 65536 |                                                       680
131072 |                                                        13
262144 |                                                         0
524288 |                                                         0

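To put numbers on the two histograms above, here is an added helper (my own, not part of the thread, and not the receive.sh script, which is not shown): a POSIX shell/awk function that parses SystemTap's "Duration (us)" histogram rows and reports how many samples sit in buckets at or above a threshold and what share of the total latency they carry. The second run's histogram is embedded as sample input. The first column of each row is the lower bound of a power-of-two bucket, so the weighted sums are lower bounds on the real latency.

```shell
#!/bin/sh
# Added example (not part of the thread): summarise a SystemTap "Duration (us)"
# histogram like the ones pasted above. Each bucket row reads
#   <lower-bound-us> |@@@ <count>
# and the first column is the lower bound of a power-of-two bucket, so the weighted
# sums below are lower bounds on total latency; enough to see where the time goes.

# Usage: stap_hist_summary THRESHOLD_US < histogram_text
# Output: "total_count count_at_or_above weighted_total weighted_at_or_above"
stap_hist_summary() {
    awk -v thr="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^\|/ {     # bucket rows only, not the header lines
            v = $1 + 0; n = $NF + 0
            total += n; wtotal += v * n
            if (v >= thr) { above += n; wabove += v * n }
        }
        END { printf "%d %d %d %d\n", total, above, wtotal, wabove }'
}

# Second run from the thread (the one whose average jumped to 46us), as sample input.
sample_hist() {
cat <<'EOF'
Duration (us):
 value |-------------------------------------------------- count
     0 |@                                                    39677
     1 |                                                      7751
     2 |                                                      1599
     4 |                                                       320
     8 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  1853507
    16 |@@@@@@@@@                                           342500
    32 |                                                     34038
    64 |                                                       751
   128 |                                                       158
   256 |                                                       286
   512 |                                                      6175
  1024 |                                                      1348
  2048 |                                                         0
  4096 |                                                         1
  8192 |                                                         0
 16384 |                                                         4
 32768 |                                                        56
 65536 |                                                       680
131072 |                                                        13
262144 |                                                         0
524288 |                                                         0
EOF
}

# Human-readable report for one threshold, run against the embedded sample.
report() {   # $1 = threshold in us
    thr=$1
    set -- $(sample_hist | stap_hist_summary "$thr")
    awk -v t="$thr" -v total="$1" -v above="$2" -v wt="$3" -v wa="$4" 'BEGIN {
        printf "buckets >= %dus: %d of %d samples (%.3f%%), %.1f%% of lower-bound latency\n",
               t, above, total, 100 * above / total, 100 * wa / wt }'
}

report 32768
report 1024
```

On the second run, the 749 samples in the 32768us and higher buckets are about 0.03% of the 2,288,864 samples but carry roughly two thirds of the lower-bound weighted latency; the rest of the shift from the first run comes from the bulk of packets moving from the 2us and 4us buckets to the 8us and 16us ones. Separating those two effects is the first thing to do before deciding whether the problem is per-packet rule cost or an occasional stall.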

Please remove FreeBSD from the topics: this is clearly Linux-specific.