Mailing List Archive

[RFC] iptables namespaces
Hi again,

I've been thinking about some kind of namespaces in iptables where one can
switch from one set of rules to another set of rules by flicking a switch.

In our current setup, we have about 7000 firewall rules. Every time the
rules get updated, all of them are removed and uploaded again by a script.
Loading all these rules takes a while (let's say a minute, I'm not sure).

The result is that for 1 minute, some traffic can get through the firewall rules
while other can not. We have had problems with spam getting through to
mailservers behind the firewall, because not all firewall rules were loaded.

Using namespaces would make it possible to load all rules in another namespace
and when all rules are loaded, a switch can be toggled to switch over to the new
ruleset atomically.

As far as I know, this is not possible with the regular tools at the moment.
Every time a rule gets added, the old rules are fetched from the kernel, the new
rule is added and the entire resulting new ruleset is uploaded to kernelspace
again. But it's not possible to collect all 7000 rules in userspace only, using
the iptables command, and then send them all to userspace in one big batch.

I can see 2 ways that this can work:

* By providing namespaces in the kernel, one can easily select a namespace with
e.g. an ioctl and then upload rules to that namespace using iptables.
* By providing a "staging area" in userspace to collect the entire ruleset
before sending the batch to kernelspace.

Assuming that something like this does not yet exist, which approach would be
best?

kind regards,
-- Steven
Re: [RFC] iptables namespaces
On Friday, 7 September, Steven Van Acker typed the following:

Hi!

> I've been thinking about some kind of namespaces in iptables where one can
> switch from one set of rules to another set of rules by flicking a switch.

> In our current setup, we have about 7000 firewall rules. Every time the
> rules get updated, all of them are removed and uploaded again by a script.
> Loading all these rules takes a while (let's say a minute, I'm not sure).

> The result is that for 1 minute, some traffic can get through the firewall rules
> while other can not. We have had problems with spam getting through to
> mailservers behind the firewall, because not all firewall rules were loaded.

That problem can be solved.
man iptables-restore

> Using namespaces would make it possible to load all rules in another namespace
> and when all rules are loaded, a switch can be toggled to switch over to the new
> ruleset atomically.

That would most probably be no different from an iptables-restore.
If you want to emulate that, load your 7000 iptables rules on a
temp machine, use iptables-save, copy the file to your firewalls and run
iptables-restore.

Ciao
max
--
Follow the white penguin.
Re: [RFC] iptables namespaces
On Fri, Sep 07, 2007 at 08:46:42PM +0200, Maximilian Wilhelm wrote:
> > The result is that for 1 minute, some traffic can get through the firewall rules
> > while other can not. We have had problems with spam getting through to
> > mailservers behind the firewall, because not all firewall rules were loaded.
>
> That problem can be solved.
> man iptables-restore

iptables-restore takes a file as input, not a series of iptables
commands. This means I would have to edit the file manually, not
something I want to do with 7000 firewall rules.

> > Using namespaces would make it possible to load all rules in another namespace
> > and when all rules are loaded, a switch can be toggled to switch over to the new
> > ruleset atomically.
>
> That would be most probably nothing different to a iptables-restore.
> If you want to emulate that, load your 7000 iptables rules on a
> temp-machine, use iptables-save, copy the file to your firewalls and run
> iptables-restore

That looks somewhat complicated to me. Loading the rules on another
machine, with the only purpose to generate an iptables-restore file,
then copying that to the real firewall and loading it there.

iptables-restore can indeed be a solution, but then only if iptables can
use it as a staging area. That way you can tweak the firewall config
with the iptables command until it fits your needs, before sending the
entire file to kernelspace with iptables-restore.

Also, this assumes that nothing will go wrong when entering the
firewall rules into kernel space, which means userspace and kernelspace
need to be in sync module-wise.

kind regards,
-- Steven
Re: [RFC] iptables namespaces
Steven Van Acker wrote:
> On Fri, Sep 07, 2007 at 08:46:42PM +0200, Maximilian Wilhelm wrote:
>
>>> The result is that for 1 minute, some traffic can get through the firewall rules
>>> while other can not. We have had problems with spam getting through to
>>> mailservers behind the firewall, because not all firewall rules were loaded.
>>>
>> That problem can be solved.
>> man iptables-restore
>>
>
> iptables-restore takes a file as input, not a series of iptables
> commands. This means I would have to edit the file manually, not
> something I want to do with 7000 firewall rules.
>

Then write a script. I use Perl for this, but then, I'm a freak. But most
existing scripts can be trivially modified to produce a file which can be
fed to iptables-restore.

Something along the lines of (completely untested, my bash is very rusty):

IPTABLES=writeit            # collect the rules into a file instead of loading them
>rulez                      # start with an empty rules file
#IPTABLES=/sbin/iptables    # Too slow!

function writeit {
    echo "$@" >>rulez       # quoted, so each rule's arguments are written intact
}

$IPTABLES -A INPUT -p tcp ... etc

You'll have to write some preamble and COMMIT afterwards, that is left
as an exercise for the reader.

HTH,
M4
Re: [RFC] iptables namespaces
On Sep 7 2007 19:06, Steven Van Acker wrote:
>> > The result is that for 1 minute, some traffic can get through the firewall rules
>> > while other can not. We have had problems with spam getting through to
>> > mailservers behind the firewall, because not all firewall rules were loaded.
>>
>> That problem can be solved.
>> man iptables-restore
>
>iptables-restore takes a file as input, not a series of iptables
>commands.

Yes, it takes a file. And if you looked at it, yes, it takes iptables
commands! (besides the table and counter markers)

>This means I would have to edit the file manually, not
>something I want to do with 7000 firewall rules.

Where is the difference between...

iptables -A INPUT -m foobar -j FOOBAR

and adding

-A INPUT -m foobar -j FOOBAR

to the

*filter

section? (Otherwise, write a script, as suggested, or use a GUI ;-)



Jan
--
Re: [RFC] iptables namespaces
On Sat, Sep 08, 2007 at 09:26:09AM +0200, Jan Engelhardt wrote:
> >iptables-restore takes a file as input, not a series of iptables
> >commands.
>
> Yes, it takes a file. And if you looked at it, yes, it takes iptables
> commands! (besides the table and counter markers)
>
> >This means I would have to edit the file manually, not
> >something I want to do with 7000 firewall rules.
>
> Where is the difference between...
>
> iptables -A INPUT -m foobar -j FOOBAR
>
> and adding
>
> -A INPUT -m foobar -j FOOBAR
>
> to the
>
> *filter
>
> section? (Otherwise, write a script, as suggested, or use a GUI ;-)

Hi,

it's remarkable that we have never tried it this way before.
I tested adding 10000 lines with iptables, then using iptables-save and
iptables-restore. The difference in speed is amazing. With iptables it
takes 5 minutes and 10 seconds, while iptables-restore takes 0.3
seconds.

Moreover, if there is an error in iptables-restore, none of the changes
are committed to kernelspace. So I no longer need to use fancy checking
while I'm loading my firewall rules.

Thank you both for the information :)

kind regards,
-- Steven
Re: [RFC] iptables namespaces
On Sep 8 2007 13:28, Steven Van Acker wrote:
>
>it's remarkable that we have never tried it this way before.
>I tested adding 10000 lines with iptables, then using iptables-save and
>iptables-restore. The difference in speed is amazing. With iptables it
>takes 5 minutes and 10 seconds, while iptables-restore takes 0.3
>seconds.

Well obviously. Because *for EACH* iptables command that you run,
it does a load and store. That, by definition, takes O(n*(n+1));
where iptables-restore is like O(n) for n rules.



Jan
--
Re: [RFC] iptables namespaces
Steven Van Acker wrote:
> [...]
> Moreover, if there is an error in iptables-restore, none of the changes
> are committed to kernelspace. So I no longer need to use fancy checking
> while I'm loading my firewall rules.

Correct me if I'm wrong but IIRC the tables are still committed
individually. I.e., you cannot commit filter, nat and mangle in one
run.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
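Putting the thread's suggestions together, here is an added example that is not code from any of the posters: a small POSIX shell staging area in the spirit of M4's writeit indirection. It collects rules in userspace, exactly as they would be typed after "iptables -t TABLE", and emits one complete iptables-restore file with the *table header and the ":CHAIN POLICY [0:0]" lines Jan refers to, and, because iptables-restore commits each table separately as Ludwig notes, one COMMIT per table. Nothing here touches the kernel; the output is what you would feed to iptables-restore. The function names (policy, chain, rule, tables, emit_restore, count_rules), the temporary staging file and the sample ruleset are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the iptables project:
# a userspace "staging area" that collects rules in iptables syntax and
# emits a single iptables-restore file. Nothing here talks to the kernel.
# All function names and the staging file are assumptions for the example.

STAGE=$(mktemp)            # assumed staging file, removed when the script exits
trap 'rm -f "$STAGE"' EXIT

# policy TABLE CHAIN POLICY  - builtin chain policy, emitted as ":CHAIN POLICY [0:0]"
policy() { printf 'P\t%s\t%s\t%s\n' "$1" "$2" "$3" >>"$STAGE"; }

# chain TABLE NAME           - user-defined chain, emitted as ":NAME - [0:0]"
chain()  { printf 'P\t%s\t%s\t-\n' "$1" "$2" >>"$STAGE"; }

# rule TABLE ARGS...         - one rule, written exactly as after "iptables -t TABLE"
rule()   { t=$1; shift; printf 'R\t%s\t%s\n' "$t" "$*" >>"$STAGE"; }

# tables - the distinct tables staged so far, in first-seen order
tables() { cut -f2 "$STAGE" | awk '!seen[$0]++'; }

# count_rules - number of staged rules; with plain iptables each of these would
# have been a separate download/upload of the whole table (Jan's O(n^2))
count_rules() { grep -c '^R' "$STAGE"; }

# emit_restore - print the iptables-restore file. Each table is its own
# "*table ... COMMIT" block because iptables-restore commits per table
# (Ludwig's point): a bad rule in nat does not roll back an already
# committed filter block.
emit_restore() {
    for t in $(tables); do
        printf '*%s\n' "$t"
        awk -F'\t' -v t="$t" '$1=="P" && $2==t {printf ":%s %s [0:0]\n", $3, $4}' "$STAGE"
        awk -F'\t' -v t="$t" '$1=="R" && $2==t {print $3}' "$STAGE"
        printf 'COMMIT\n'
    done
}

# --- constructed sample ruleset (not from the thread) ---
policy filter INPUT DROP
policy filter FORWARD DROP
policy filter OUTPUT ACCEPT
chain  filter MAIL
rule   filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
rule   filter -A INPUT -i lo -j ACCEPT
rule   filter -A INPUT -p tcp --dport 25 -j MAIL
rule   filter -A MAIL -s 192.0.2.0/24 -j DROP
rule   filter -A MAIL -j ACCEPT
policy nat PREROUTING ACCEPT
policy nat POSTROUTING ACCEPT
rule   nat -A POSTROUTING -o eth0 -j MASQUERADE

# Print the restore file; redirect to a file and load with "iptables-restore < file".
emit_restore
```

Run it and redirect the output to a file, then load that file with iptables-restore. Because each table is a separate transaction, a syntax error in the nat block still leaves the filter block before it committed; check the whole file first (iptables-restore --test on versions that have that option, run with the same privileges as a real load) rather than relying on the per-table rollback alone.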