nftables weitgehend fertig

Alfred Krohmer 2014-03-01 23:47:22 +01:00
parent e852a06fbb
commit 1a199b912b
22 changed files with 1054 additions and 194 deletions


@ -0,0 +1,36 @@
\documentclass{standalone}
\usepackage[utf8]{inputenc}
\usepackage{pgfplots}
\pgfplotsset{compat=1.3}
\usepgfplotslibrary{units}
\usepgfplotslibrary{dateplot}
\usepackage{tikz}
\usepackage{pgfplotstable}
\usepackage{csquotes}
\usepackage{float}
\begin{document}
\pgfplotstableread{nft/ipt-nft-simple-drop-response.txt}{\nftsimpledropresponse}
\begin{tikzpicture}
\begin{axis}[
yshift=-0.5cm,
xtick={10000,20000,30000,40000,50000,60000,70000,80000,90000,100000},
xmin=200, xmax=100000,
ymin=0,
xlabel={Anzahl der Firewall-Regeln}, ylabel={Antwortzeit [ms]},
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
width=15cm, height=10cm,
legend entries={iptables,nftables},
scaled ticks=false
]
\addplot[smooth,blue] table [x={rules}, y={ipt}] {\nftsimpledropresponse};
\addplot[smooth,red] table [x={rules}, y={nft}] {\nftsimpledropresponse};
\end{axis}
\end{tikzpicture}
\end{document}
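Review bot: `yshift=-0.5cm` on L26 is a leftover from the two-axis layout this plot was cut out of (the removed `plot2` axis in the report hunk carries the same option); in a standalone document with a single axis it only shifts the picture inside its own bounding box and can be dropped. The preamble also loads `float` and `csquotes` and the `units`/`dateplot` pgfplots libraries without using any of them, and the same copy-pasted preamble appears in the other three standalone plot files of this commit. Trimming it once and keeping the four preambles identical (or `\input`-ing a shared one) would keep the plots consistent.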


@ -0,0 +1,36 @@
\documentclass{standalone}
\usepackage[utf8]{inputenc}
\usepackage{pgfplots}
\pgfplotsset{compat=1.3}
\usepgfplotslibrary{units}
\usepgfplotslibrary{dateplot}
\usepackage{tikz}
\usepackage{pgfplotstable}
\usepackage{csquotes}
\usepackage{float}
\begin{document}
\pgfplotstableread{nft/ipt-nft-simple-drop.txt}{\nftsimpledrop}
\begin{tikzpicture}
\begin{axis}[
yshift=-0.5cm,
xtick={5000,10000,15000,20000,25000,30000},
xmin=200, xmax=30000,
ymin=0, ymode=log,
xlabel={Anzahl der Firewall-Regeln}, ylabel={PPS},
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
width=15cm, height=10cm,
legend entries={iptables,nftables},
scaled ticks=false
]
\addplot[smooth,blue] table [x={rules}, y={iptpps}] {\nftsimpledrop};
\addplot[smooth,red] table [x={rules}, y={nftpps}] {\nftsimpledrop};
\end{axis}
\end{tikzpicture}
\end{document}
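Review bot: `ymin=0` together with `ymode=log` on L62 requests a lower limit that has no logarithmic coordinate; pgfplots cannot honour it and will either warn and ignore it or choose its own lower bound, so the stated limit is misleading. Either drop `ymin=0` or give a positive floor, e.g. `ymin=1000` (pick it from the actual PPS range in the data file, which is not shown here). This file also plots only the `iptpps`/`nftpps` columns, whereas the report axes it replaces also drew `iptrate`/`nftrate`; if this is the file that produces `benchmarks/nft-ipt-drop.pdf`, the rate curves are gone from the report.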


@ -0,0 +1,106 @@
\documentclass{standalone}
\usepackage[utf8]{inputenc}
\usepackage{pgfplots}
\pgfplotsset{compat=1.3}
\usepgfplotslibrary{units}
\usepgfplotslibrary{dateplot}
\usepackage{tikz}
\usepackage{pgfplotstable}
\usepackage{csquotes}
\usepackage{float}
\begin{document}
\pgfplotstableread{
size rate pps load
1500 982.38 81865 0.5
1450 981.1512 84582 0.7
1400 983.4272 87806 0.6
1350 981.936 90920 0.6
1300 979.9816 94229 0.8
1250 977.44 97744 0.5
1200 980.7936 102166 0.8
1150 978.5396 106363 0.7
1100 975.6472 110869 0.6
1050 972.3588 115757 0.9
1000 977.192 122149 0.8
950 974.0312 128162 0.8
900 970.6896 134818 1.0
850 965.4368 141976 0.9
800 970.8992 151703 1.0
750 966.756 161126 0.9
700 960.9544 171599 1.2
650 956.2592 183896 4.6
600 961.4736 200307 15.3
550 954.8088 217002 19.6
500 946.992 236748 23.7
450 928.7784 257994 25.1
400 823.2672 257271 25.3
350 722.5316 258047 25.4
300 615.1632 256318 25.5
250 492.206 246103 25.5
200 406.3824 253989 25.5
150 299.2116 249343 25.3
100 205.8888 257361 25.2
50 123.79728 257911 25.5
}\sizerateppsrecv
\begin{tikzpicture}
\pgfplotsset{
y axis style/.style={
yticklabel style=#1,
y axis line style=#1,
ylabel style=#1,
ytick style=#1
}
}
\begin{axis}[
width=15cm, height=10cm,
title=Empfänger,
xmin=1,
xmax=1500,
xlabel={Ethernet Frame-Größe},
xtick={100,300,500,700,900,1100,1300,1500},
ymin=0,ymax=1000,
axis y line*=left,
ylabel={Datenrate [MBit/s]},
y axis style=blue!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,blue] table[x={size}, y={rate}] {\sizerateppsrecv};
\end{axis}
\begin{axis}[
width=15cm, height=10cm,
xmin=1,
xmax=1500,
axis x line=none,
ymin=0,ymax=500000,
ytick pos=right,
axis y line* = right,
ylabel={PPS},
ylabel near ticks,
ytick={100000,200000,300000,400000},
y axis style=red!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,red] table[x={size}, y={pps}] {\sizerateppsrecv};
\end{axis}
\begin{axis}[
width=15cm, height=10cm,
xmin=1,
xmax=1500,
axis x line=none,
ymin=0,ymax=26,
axis y line=none,
]
\addplot[smooth,green] table[x={size}, y={load}] {\sizerateppsrecv};
\end{axis}
\end{tikzpicture}
\end{document}
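Review bot: The third axis (L164–L173) draws the CPU-load curve with `axis y line=none` and no label, legend or ticks, so the green line has no readable scale — `ymax=26` is only chosen to fit the data, and a reader cannot tell that the plateau sits near 25. Give the curve a visible scale, e.g. a third y axis placed to the right of the PPS axis with `axis y line*=right`, `ylabel={CPU-Last [\%]}` and `ytick={0,5,10,15,20,25}`, or at least state the scale in the report caption. The measurement table is also embedded inline (L89–L121) while the drop benchmarks read their data from `nft/*.txt`; the sender file in this commit (its table at L191–L223) has the same issue, and moving both tables to files would keep all measurement data in one place.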


@ -0,0 +1,95 @@
\documentclass{standalone}
\usepackage[utf8]{inputenc}
\usepackage{pgfplots}
\pgfplotsset{compat=1.3}
\usepgfplotslibrary{units}
\usepgfplotslibrary{dateplot}
\usepackage{tikz}
\usepackage{pgfplotstable}
\usepackage{csquotes}
\usepackage{float}
\begin{document}
\pgfplotstableread{
size rate pps
1500 986.004 82167
1450 985.7216 84976
1400 984.7376 87923
1350 984.2904 91138
1300 983.4968 94567
1250 982.78 98278
1200 982.08 102300
1150 981.18 106650
1100 980.2496 111392
1050 979.2384 116576
1000 978.304 122288
950 977.36 128600
900 975.0024 135417
850 974.27 143275
800 972.5888 151967
750 970.572 161762
700 968.3856 172926
650 966.2328 185814
600 963.1056 200647
550 959.7588 218127
500 955.604 238901
450 951.588 264330
400 945.3248 295414
350 937.3336 334762
300 923.2584 384691
250 855.588 427794
200 662.5952 433335
150 527.3604 439467
100 354.96 443700
50 207.176 446500
}\sizeratepps
\begin{tikzpicture}
\pgfplotsset{
y axis style/.style={
yticklabel style=#1,
y axis line style=#1,
ylabel style=#1,
ytick style=#1
}
}
\begin{axis}[
width=15cm, height=10cm,
title=Sender,
xmin=1,
xmax=1500,
xlabel={Ethernet Frame-Größe},
xtick={100,300,500,700,900,1100,1300,1500},
ymin=0,ymax=1000,
axis y line*=left,
ylabel={Datenrate [MBit/s]},
y axis style=blue!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,blue] table[x={size}, y={rate}] {\sizeratepps};
\end{axis}
\begin{axis}[
width=15cm, height=10cm,
xmin=1,
xmax=1500,
axis x line=none,
ymin=0,ymax=500000,
ytick pos=right,
axis y line* = right,
ylabel={PPS},
ylabel near ticks,
ytick={100000,200000,300000,400000},
y axis style=red!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,red] table[x={size}, y={pps}] {\sizeratepps};
\end{axis}
\end{tikzpicture}
\end{document}


@ -0,0 +1,102 @@
rules ipt nft
0 1.1179999999999999 0.93220000000000014
1000 0.91959999999999997 1.0016
2000 1.0592000000000001 0.88159999999999994
3000 1.2508000000000001 1.1870000000000001
4000 1.2505999999999999 1.2645999999999999
5000 1.1401999999999999 1.0672000000000001
6000 1.3677999999999999 1.2315999999999998
7000 1.4196000000000002 1.3560000000000001
8000 1.4826000000000001 1.1912
9000 1.274 1.2216
10000 1.4966000000000002 1.4909999999999999
11000 1.8840000000000003 1.5668
12000 1.4045999999999998 1.7600000000000002
13000 1.8855999999999997 1.73
14000 1.9919999999999998 1.6111999999999997
15000 2.3679999999999999 1.722
16000 2.1486000000000001 1.734
17000 1.998 1.7899999999999998
18000 2.4379999999999997 1.7719999999999998
19000 2.1299999999999999 1.7120000000000002
20000 1.7900000000000003 1.8879999999999999
21000 2.5439999999999996 2.222
22000 2.6060000000000003 2.028
23000 2.8420000000000001 2.1640000000000001
24000 3.2079999999999997 2.1179999999999999
25000 3.3480000000000003 1.9599999999999997
26000 3.7160000000000002 2.214
27000 3.6520000000000001 2.3459999999999996
28000 3.3820000000000001 2.6499999999999995
29000 3.5720000000000001 2.6759999999999997
30000 3.964 2.754
31000 3.9900000000000007 2.98
32000 3.9839999999999995 2.9319999999999999
33000 4.1880000000000006 2.6360000000000001
34000 4.3559999999999999 3.0600000000000001
35000 4.5819999999999999 2.9020000000000001
36000 4.6779999999999999 2.9560000000000004
37000 4.5739999999999998 3.2359999999999998
38000 4.5699999999999994 3.444
39000 5.2820000000000009 3.4400000000000004
40000 5.1300000000000008 3.2680000000000007
41000 5.2879999999999994 3.2379999999999995
42000 5.3339999999999987 3.6700000000000004
43000 5.7480000000000002 3.7399999999999998
44000 5.6019999999999994 3.8220000000000001
45000 5.5099999999999998 3.71
46000 5.8879999999999999 3.556
47000 5.8799999999999999 4.0839999999999996
48000 6.306 3.968
49000 6.403999999999999 4.0619999999999994
50000 6.3399999999999999 4.3499999999999996
51000 6.4219999999999997 4.2999999999999998
52000 7.0659999999999998 4.3239999999999998
53000 7.589999999999999 4.426
54000 7.0080000000000009 4.516
55000 6.9059999999999988 4.9399999999999995
56000 7.0980000000000008 4.5340000000000007
57000 7.1819999999999995 5.0220000000000002
58000 7.2739999999999991 4.8239999999999998
59000 7.2180000000000009 4.9580000000000002
60000 7.5760000000000005 5.1500000000000004
61000 7.7780000000000005 4.9560000000000004
62000 7.645999999999999 4.9599999999999991
63000 7.9139999999999988 5.4740000000000002
64000 7.7520000000000007 5.4260000000000002
65000 8.2720000000000002 5.4059999999999997
66000 8.4920000000000009 5.21
67000 8.6600000000000001 5.6319999999999997
68000 8.581999999999999 5.6080000000000005
69000 8.3739999999999988 5.7279999999999998
70000 8.6000000000000014 5.8259999999999996
71000 8.7960000000000012 5.6379999999999999
72000 8.8840000000000003 5.7739999999999991
73000 8.8940000000000001 5.8560000000000008
74000 8.7960000000000012 5.9119999999999999
75000 9.4499999999999993 5.7419999999999991
76000 9.2480000000000011 6.3260000000000005
77000 9.5719999999999992 6.3480000000000008
78000 9.3640000000000008 6.1659999999999995
79000 9.7859999999999978 6.379999999999999
80000 9.8760000000000012 6.5060000000000002
81000 10.013999999999999 6.3819999999999997
82000 9.9960000000000004 6.6119999999999992
83000 10.001999999999999 6.5900000000000007
84000 10.087999999999999 6.7380000000000013
85000 10.298 6.8420000000000005
86000 10.559999999999999 6.6540000000000008
87000 10.512 6.8639999999999999
88000 10.790000000000001 6.8180000000000005
89000 10.788 7.4459999999999997
90000 11.008000000000001 7.1599999999999993
91000 10.988 7.1319999999999997
92000 11.134 7.2919999999999998
93000 11.130000000000001 7.1659999999999995
94000 11.523999999999999 7.1139999999999999
95000 11.468 7.2280000000000015
96000 11.524000000000001 7.298
97000 11.498000000000001 7.7939999999999996
98000 11.728 7.596000000000001
99000 11.9 7.8160000000000007
100000 12.098000000000001 7.6139999999999999


@ -16,12 +16,13 @@
\usepgfplotslibrary{units} \usepgfplotslibrary{units}
\usepgfplotslibrary{dateplot} \usepgfplotslibrary{dateplot}
\RequirePackage{mymacros}
\usepackage{tikz} \usepackage{tikz}
\usepackage{pgfplotstable} \usepackage{pgfplotstable}
\usepackage{csquotes} \usepackage{csquotes}
\usepackage{float} \usepackage{float}
\RequirePackage{mymacros}
\lstset{basicstyle=\footnotesize\ttfamily,breaklines=true,xleftmargin=1cm} \lstset{basicstyle=\footnotesize\ttfamily,breaklines=true,xleftmargin=1cm}
% schönere Hyperlinkfarben % schönere Hyperlinkfarben
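Review bot: `\RequirePackage{mymacros}` appears on both sides of this hunk, once before `\usepackage{tikz}` (L380) and once after `\usepackage{float}` (L385); with the +/- markers lost it is not clear which position is the new one, and the position matters if `mymacros` defines anything that the later `\lstset` line or the pgfplots setup relies on or overrides. In a document preamble `\usepackage{mymacros}` is the idiomatic form — `\RequirePackage` is meant for class and package files. The preamble continues outside the hunk.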


@ -19,164 +19,13 @@ Zur Überwachung der Messdaten (Datenrate und PPS) habe ich auf allen vier Netzw
\paragraph{Testeinstellung} Zunächst habe ich die Datenrate und die PPS in Abhängigkeit der Ethernet Frame-Größe gemessen um festzustellen, mit welcher Paketgröße die Messungen am besten durchzuführen sind. \\ \\ \paragraph{Testeinstellung} Zunächst habe ich die Datenrate und die PPS in Abhängigkeit der Ethernet Frame-Größe gemessen um festzustellen, mit welcher Paketgröße die Messungen am besten durchzuführen sind. \\ \\
\pgfplotstableread{ \includegraphics{benchmarks/nft-size-load-rate-send.pdf}
size rate pps
1500 986.004 82167
1450 985.7216 84976
1400 984.7376 87923
1350 984.2904 91138
1300 983.4968 94567
1250 982.78 98278
1200 982.08 102300
1150 981.18 106650
1100 980.2496 111392
1050 979.2384 116576
1000 978.304 122288
950 977.36 128600
900 975.0024 135417
850 974.27 143275
800 972.5888 151967
750 970.572 161762
700 968.3856 172926
650 966.2328 185814
600 963.1056 200647
550 959.7588 218127
500 955.604 238901
450 951.588 264330
400 945.3248 295414
350 937.3336 334762
300 923.2584 384691
250 855.588 427794
200 662.5952 433335
150 527.3604 439467
100 354.96 443700
50 207.176 446500
}\sizeratepps
\begin{tikzpicture} \vspace{0.5cm}
\pgfplotsset{
y axis style/.style={
yticklabel style=#1,
y axis line style=#1,
ylabel style=#1,
ytick style=#1
}
}
\begin{axis}[
width=15cm, height=10cm,
title=Sender,
xmin=1,
xmax=1500,
xlabel={Ethernet Frame-Größe},
xtick={100,300,500,700,900,1100,1300,1500},
ymin=0,
axis y line*=left,
ylabel={Datenrate [MBit/s]},
y axis style=blue!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,blue] table[x={size}, y={rate}] {\sizeratepps};
\end{axis}
\begin{axis}[
width=15cm, height=10cm,
xmin=1,
xmax=1500,
axis x line=none,
ymin=0,ymax=500000,
ytick pos=right,
axis y line* = right,
ylabel={PPS},
ylabel near ticks,
ytick={100000,200000,300000,400000},
y axis style=red!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,red] table[x={size}, y={pps}] {\sizeratepps};
\end{axis}
\end{tikzpicture}
\vspace{1cm} \includegraphics{benchmarks/nft-size-load-rate-recv.pdf}
\pgfplotstableread{ Beim Sender betrug die Prozessor-Last dauerhaft 100 \%, für den Empfänger ist die CPU-Last zusätzlich grün eingetragen.
size rate pps
1500 982.38 81865
1450 981.1512 84582
1400 983.4272 87806
1350 981.936 90920
1300 979.9816 94229
1250 977.44 97744
1200 980.7936 102166
1150 978.5396 106363
1100 975.6472 110869
1050 972.3588 115757
1000 977.192 122149
950 974.0312 128162
900 970.6896 134818
850 965.4368 141976
800 970.8992 151703
750 966.756 161126
700 960.9544 171599
650 956.2592 183896
600 961.4736 200307
550 954.8088 217002
500 946.992 236748
450 928.7784 257994
400 823.2672 257271
350 722.5316 258047
300 615.1632 256318
250 492.206 246103
200 406.3824 253989
150 299.2116 249343
100 205.8888 257361
50 123.79728 257911
}\sizerateppsrecv
\begin{tikzpicture}
\pgfplotsset{
y axis style/.style={
yticklabel style=#1,
y axis line style=#1,
ylabel style=#1,
ytick style=#1
}
}
\begin{axis}[
width=15cm, height=10cm,
title=Empfänger,
xmin=1,
xmax=1500,
xlabel={Ethernet Frame-Größe},
xtick={100,300,500,700,900,1100,1300,1500},
ymin=0,
axis y line*=left,
ylabel={Datenrate [MBit/s]},
y axis style=blue!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,blue] table[x={size}, y={rate}] {\sizerateppsrecv};
\end{axis}
\begin{axis}[
width=15cm, height=10cm,
xmin=1,
xmax=1500,
axis x line=none,
ymin=0,ymax=500000,
ytick pos=right,
axis y line* = right,
ylabel={PPS},
ylabel near ticks,
ytick={100000,200000,300000,400000},
y axis style=red!75!black,
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
scaled ticks=false
]
\addplot[smooth,red] table[x={size}, y={pps}] {\sizerateppsrecv};
\end{axis}
\end{tikzpicture}
\pagebreak \pagebreak
@ -196,43 +45,6 @@ Letztendlich habe ich dazu entschieden, auf der Empfängerseite mit \texttt{ipta
\paragraph{Einfache Drop-Regeln} Für den nachfolgenden Benchmark habe ich entsprechend viele Regeln generieren lassen, die besagen, dass von (zufällig gewählten) IP-Adressen alle Pakete gedropt werden sollen. \\ \paragraph{Einfache Drop-Regeln} Für den nachfolgenden Benchmark habe ich entsprechend viele Regeln generieren lassen, die besagen, dass von (zufällig gewählten) IP-Adressen alle Pakete gedropt werden sollen. \\
\pgfplotstableread{benchmarks/nft/ipt-nft-simple-drop.txt}{\nftsimpledrop} \includegraphics{benchmarks/nft-ipt-drop.pdf}
\begin{minipage}{\textwidth}
\flushright
\begin{tikzpicture}
\begin{axis}[
name=plot1,
xtick={5000,10000,15000,20000,25000,30000},
xmin=200, xmax=30000,
ymin=0,
xlabel={Anzahl der Firewall-Regeln}, ylabel={Datenrate [MBit/s]},
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
width=15cm, height=10cm,
legend entries={iptables,nftables},
scaled ticks=false
]
\addplot[smooth,blue] table [x={rules}, y={iptrate}] {\nftsimpledrop};
\addplot[smooth,red] table [x={rules}, y={nftrate}] {\nftsimpledrop};
\end{axis}
\begin{axis}[
name=plot2,
at=(plot1.below south), anchor=above north,
yshift=-0.5cm,
xtick={5000,10000,15000,20000,25000,30000},
xmin=200, xmax=30000,
ymin=0,
xlabel={Anzahl der Firewall-Regeln}, ylabel={PPS},
tick label style={/pgf/number format/fixed,/pgf/number format/1000 sep = \thinspace},
width=15cm, height=10cm,
legend entries={iptables,nftables},
scaled ticks=false
]
\addplot[smooth,blue] table [x={rules}, y={iptpps}] {\nftsimpledrop};
\addplot[smooth,red] table [x={rules}, y={nftpps}] {\nftsimpledrop};
\end{axis}
\end{tikzpicture}
\end{minipage} \\
Die Datenrate und die Anzahl an PPS liegen initial bei den bereits zuvor gemessenen ca. 980 MBit/s und 250000 Paketen pro Sekunde. Jedoch bricht die Leistungsfähigkeit bei beiden Firewall-Lösungen schnell erheblich ein. So kann \texttt{iptables} bei 5000 Regeln nur noch ca. 100 MBit/s bei 28000 Paketen verarbeiten, \texttt{nftables} schafft hier nur ca. 50 MBit/s bei 14000 Paketen. Die Datenrate und die Anzahl an PPS liegen initial bei den bereits zuvor gemessenen ca. 980 MBit/s und 250000 Paketen pro Sekunde. Jedoch bricht die Leistungsfähigkeit bei beiden Firewall-Lösungen schnell erheblich ein. So kann \texttt{iptables} bei 5000 Regeln nur noch ca. 100 MBit/s bei 28000 Paketen verarbeiten, \texttt{nftables} schafft hier nur ca. 50 MBit/s bei 14000 Paketen.
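Review bot: The plots are now dropped into the running text as bare `\includegraphics{...}` (L399, L475, L555) separated by `\vspace{0.5cm}` / `\vspace{1cm}` and `\\ \\`, so they carry no caption and no `\label` and cannot be referenced from the text; wrapping each in `\begin{figure}[htbp] \centering ... \caption{...} \label{fig:...} \end{figure}` also removes the manual spacing (and the `.pdf` extension can be left off). The text at L591 still quotes Datenrate figures (ca. 100 MBit/s, ca. 50 MBit/s) for the drop benchmark; if `benchmarks/nft-ipt-drop.pdf` is built from the new standalone file that plots only `iptpps`/`nftpps`, those numbers no longer have a curve in the figure. The sentence added at L476 says the receiver's CPU load is drawn in green, but the standalone receiver plot gives that curve no axis or scale, so the reader cannot take values from it. The enclosing paragraph starts before the hunk.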


@ -0,0 +1,333 @@
\documentclass[10pt]{beamer}
%\usepackage[utf8x]{inputenc}
\usepackage{ngerman}
\usepackage[ngerman]{babel}
\usepackage{amsmath}
\usepackage{bbm}
\usepackage{tabularx}
\usepackage{graphicx}
\usepackage{subfigure}
\usepackage{url}
%\usepackage{hyperref}
\usepackage{eurosym}
\usepackage{listings}
\usepackage{multirow}
\usepackage{colortbl}
\usepackage{booktabs}
\usepackage{setspace}
\usepackage[utf8]{inputenc}
\input{theme/theme}
\title{Linux Cluster in Theorie und Praxis}
\subtitle{\texttt{iptables} und \texttt{nftables}}
\author{Alfred Krohmer}
\date{4. März 2014}
\institute[ZIH TUD]{Zentrum für Informationsdienste und Hochleistungsrechnen -- TU Dresden}
%\room{INF 1046}
\address{Nöthnitzer Straße 46}
\city{01189 Dresden}
%\phone{+49 0351 - 463 38783}
\email{s4039299@mail.zih.tu-dresden.de}
\setbeamercovered{transparent}
\begin{document}
\zihmaketitle
\begin{frame}
\frametitle{Inhalt}
\tableofcontents
\end{frame}
\section{Einführung}
\begin{frame}
\frametitle{Einführung}
Zielstellungen bei der Entwicklung bei \texttt{nftables}
\begin{itemize}
\item Vereinfachung der Kernel-ABI
\item Vermeidung von Code-Redundanz
\item effizientere Abarbeitung der Regeln
\item bessere Fehlermeldungen
\end{itemize}
\end{frame}
\section{Rückblick / bisherige Firewall-Lösungen}
\begin{frame}
\frametitle{Rückblick / bisherige Firewall-Lösungen}
\begin{itemize}
\item 1994: ipfw
\item 1996: ipfwadm
\item 1999: ipchains
\item 2000: iptables
\item \textbf{2014: nftables}
\end{itemize}
\end{frame}
\section{Funktionsweise iptables vs. nftables}
\begin{frame}
\frametitle{Funktionsweise iptables vs. nftables}
iptables:
\begin{itemize}
\item nur für IPv4
\item andere Tools für andere Protokolle:
\begin{itemize}
\item ip6tables
\item arptables
\item ebtables
\end{itemize}
\item für jedes Protokoll eine eigenständige Implementierung im Kernel
\item Code für jedes Protokoll sehr spezifisch
\begin{itemize}
\item viel replizierter Code
\item hohe Performance
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Funktionsweise iptables vs. nftables}
\begin{center}
\includegraphics[width=10cm]{../iptables.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Funktionsweise iptables vs. nftables}
nftables:
\begin{itemize}
\item ein Tool für alle Protokolle \\
(IPv4, IPv6, Ethernet-Bridging, ARP)
\item inheitliche Schnittstelle zum Kernel
\item Implementierung als kleine virtuelle Maschine im Kernel
\item Regeln werden im Userspace zu Byte-Code kompiliert
\item Byte-Code kann auf Feldern und Bits der Pakete Operationen ausführen:
\begin{itemize}
\item vergleichen (matching) $\rightarrow$ bedingte Sprünge
\item arithmetische und logische Operationen
\item beliebige Änderungen am Paketinhalt
\end{itemize}
\item atomares Ersetzen von Regeln über Netlink-Transaktionen
\item funktioniert mit bisher verfügbaren Tools noch nicht effektiv
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Funktionsweise iptables vs. nftables}
\begin{center}
\includegraphics[width=8cm]{../nftables.jpg}
\end{center}
\end{frame}
\lstset{
basicstyle=\ttfamily\small
}
\begin{frame}[fragile]
\frametitle{Funktionsweise iptables vs. nftables}
\begin{itemize}
\item \hspace{0.3cm}
\begin{minipage}{.45\linewidth}%
\begin{lstlisting}
payload load 4 offset network header + 16 => reg 1
compare reg 1 192.168.0.1
\end{lstlisting}
\end{minipage}
\item \hspace{0.3cm}
\begin{minipage}{.45\linewidth}%
\begin{lstlisting}
payload load 4 offset network header + 16 => reg 1
set lookup reg 1 load result in verdict register
{ "192.168.0.1" : jump chain1,
"192.168.0.2" : drop,
"192.168.0.3" : jump chain2 }
\end{lstlisting}
\end{minipage}
\end{itemize}
\end{frame}
\section{Syntax und Tools}
\begin{frame}
\frametitle{Funktionsweise iptables vs. nftables}
iptables:
\begin{itemize}
\item iptables -A INPUT -p tcp --dport 22 -j LOG
\item iptables -A INPUT -p tcp --dport 22 -j DROP
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Funktionsweise iptables vs. nftables}
nftables: nft
\begin{itemize}
\item nft add table filter
\item nft add chain filter input "\{ type filter hook input priority 0; \}" \\ \vspace{0.3cm}
\item nft add rule filter input \
tcp dport 22 log drop \\ \vspace{0.3cm}
\item als Script: \\
\begin{minipage}{.45\linewidth}%
\begin{lstlisting}
#!/usr/bin/nft -f
table filter {
chain input {
type filter hook input priority 0;
ip protocol tcp dport 22 drop log
}
\end{lstlisting}
\end{minipage}
\item nft bisher noch kaum in Linux-Distributionen verfügbar
\item in Arch Linux bisher nur im AUR verfügbar
\end{itemize}
\end{frame}
\section{Performance-Vergleich}
\begin{frame}
\frametitle{Performance-Vergleich}
Testaufbau:
\begin{center}
\includegraphics[width=10cm]{../../../bericht/bilder/nft-layout.pdf}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Performance-Vergleich}
\begin{itemize}
\item Hardware:
\begin{itemize}
\item Sender / Empfänger:
\begin{itemize}
\item Intel Atom 330 (1,6 GHz)
\item NVIDIA MCP79 Ethernet Controller
\item 2 GB RAM
\end{itemize}
\item Firewall:
\begin{itemize}
\item Intel Core 2 Duo E6750 (2,6 GHz)
\item Intel 82572EI und 82566DM-2 Ethernet Controller
\item 2 GB RAM
\end{itemize}
\end{itemize}
\item Software:
\begin{itemize}
\item Paket-Generator: pktgen
\item Netzwerk-Monitor: ifpps (aus netsniff-ng)
\end{itemize}
\item Testablauf:
\begin{itemize}
\item zotac3 sendet Pakete über zotac-firewall an zotac4
\item Firewall hat entsprechend viele Regeln
\item Empfänger verwirft Pakete noch im iptables-Stack
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Performance-Vergleich}
\begin{center}
\includegraphics[width=11cm]{../../../bericht/benchmarks/nft-size-load-rate-send.pdf}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Performance-Vergleich}
\begin{center}
\includegraphics[width=11cm]{../../../bericht/benchmarks/nft-size-load-rate-recv.pdf}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Performance-Vergleich}
\begin{center}
\includegraphics[width=11cm]{../../../bericht/benchmarks/nft-ipt-drop.pdf}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Performance-Vergleich}
\begin{center}
\includegraphics[width=11cm]{../../../bericht/benchmarks/nft-ipt-drop-response.pdf}
\end{center}
\end{frame}
\section{Schlussfolgerung}
\begin{frame}
\frametitle{Schlussfolgerung}
\begin{itemize}
\item iptables bezüglich Durchsatz noch überlegen, bei sehr vielen Regeln etwa gleich bzw. etwas schlechter als nftables
\item nftables skaliert bezüglich Antwortzeit besser
\item Vorteile nftables:
\begin{itemize}
\item Konzept mit virtueller Maschine mächtig
\item leichte Erweiterbarkeit
\end{itemize}
\item aber:
\begin{itemize}
\item momentan bei mittlerer Regelanzahl noch wesentlich schlechter performant als iptables
\item bisher so gut wie keine Dokumentation verfügbar
\end{itemize}
\end{itemize}
\end{frame}
\section{Quellen}
\begin{frame}
\frametitle{Quellen}
\begin{itemize}
\item Projekt-Website von nftables: \\
\url{http://netfilter.org/projects/nftables/}
\item Tutorial von Eric Leblond:
\url{https://home.regit.org/netfilter-en/nftables-quick-howto/}
\item nftables Wiki: \\
\url{http://wiki.nftables.org/wiki-nftables/}
\item Wikipedia-Artikel: \\
\url{http://en.wikipedia.org/wiki/Nftables}
\end{itemize}
\end{frame}
\end{document}
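Review bot: The nft script on L752–L757 is not a valid example: the `table filter {` block is never closed (only the chain's `}` on L757 is present), and the rule on L756 puts `drop` before `log`, although `drop` is a terminal verdict so the log statement is never reached — the command-line form on L747–L748 has the intended order. Since this slide is the one place the talk shows how to log and then drop, the script should match it: `tcp dport 22 log drop` plus a closing `}` for the table (the `ip protocol tcp dport 22` match also differs from the `tcp dport 22` used on L748; worth checking which form nft accepts). `\usepackage{ngerman}` (L600) and `\usepackage[ngerman]{babel}` (L601) are both loaded; babel alone is the supported way, and `\usepackage{subfigure}` (L606) is deprecated in favour of `subcaption` and is not used in this file. Minor: "inheitliche" on L688 should read "einheitliche", and the trailing `\` on L747 is read by TeX as a control space, not as a line continuation.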


@ -0,0 +1,74 @@
\DeclareOptionBeamer{shadow}[true]{\def\beamer@themerounded@shadow{#1}}
\ExecuteOptionsBeamer{shadow=false}
\ProcessOptionsBeamer
\mode<presentation>
\newlength{\dings}\setlength{\dings}{7.2mm}
%%% set variales for author details
\newcommand{\room}[1]{\def\ROOM{#1}}
\newcommand{\address}[1]{\def\ADR{#1}}
\newcommand{\city}[1]{\def\CITY{#1}}
\newcommand{\phone}[1]{\def\PHONE{#1}}
\newcommand{\email}[1]{\def\EMAIL{#1}}
%%% command to insert author details
\newcommand{\insertauthordetails}{\ADR\\\CITY}
\newcommand{\insertemail}{\usebeamercolor[fg]{titlepage}E-Mail:
\href{mailto:\EMAIL}{\EMAIL}}
%\newcommand{\insertphone}{\usebeamercolor[fg]{titlepage}Telefon: \PHONE}
\setbeamertemplate{blocks}[rounded][shadow=\beamer@themerounded@shadow]
\setbeamertemplate{items}[ball]
\setbeamertemplate{sections/subsections in toc}[ball]
\setbeamertemplate{part page}[default][colsep=-4bp,rounded=true,shadow=\beamer@themerounded@shadow]
%\definecolor{darkblue}{rgb}{0.04, 0.16, 0.32}
\defbeamertemplate*{title page}{zih}[1][]
{
\definecolor{zihorange}{rgb}{0.898, 0.420, 0.125}
\setbeamercolor{title}{fg=zihorange}
\setbeamercolor{subtitle}{fg=zihorange}
\setbeamercolor{titlepage}{fg=white}
\vbox{}
\vfill
\begin{centering}
\vspace{22mm}%
\parbox{\textwidth}{%for positioning title,subtitle and date
\begin{centering}
{\LARGE\usebeamercolor[fg]{title}\inserttitle\par}%
\ifx\insertsubtitle\@empty%
\else%
\vspace{5mm}%
{\itshape\usebeamercolor[fg]{subtitle}\insertsubtitle\par}%
\fi%
\vspace{3mm}%
\usebeamercolor[fg]{titlepage}\insertauthor\\
\vspace{2mm}%
\scriptsize\usebeamercolor[fg]{titlepage}\insertdate\\
\end{centering}
}%
\vspace{3mm}
\includegraphics[height=0.2\textheight]{theme/logo/LCTP-logo}%
\end{centering}%
\vspace{13mm}
\parbox{0.7\textwidth}{%positioning author information
\footnotesize\usebeamercolor[fg]{titlepage}
%\insertauthordetails \\
%\vspace{-1mm}\\
%\insertphone\\
\insertemail
}
}
\setbeamertemplate{title page}[zih][colsep=-4bp,rounded=true,shadow=\beamer@themerounded@shadow]
\mode<all>


@ -0,0 +1,139 @@
%
% A Beamer Theme Which Looks A Bit Like ZIH Presentation Template
%
% Matthias.Lieber@tu-dresden.de
%
%
% Setup stuff:
%
\definecolor{darkblue}{rgb}{0.04, 0.16, 0.32}
% color for footer and navigation header (if activated, see below)
\setbeamercolor*{palette primary}{fg=black,bg=white}
% color for subsection navigation (if activated, see below)
\setbeamercolor*{palette secondary}{fg=white,bg=darkblue}
% Add the typical beamer navigation stuff in the head?
\newif\ifbeamer@theme@navigation
\beamer@theme@navigationfalse
%\beamer@theme@navigationtrue
% Include subsection names in the head navigation?
\newif\ifbeamer@theme@subsection
\beamer@theme@subsectionfalse
%\beamer@theme@subsectiontrue
% define left and right logo
\pgfdeclareimage[width=5.2em,interpolate=true]{logo-l}{theme/logo/tu_logo}
\pgfdeclareimage[width=5.2em,interpolate=true]{logo-r}{theme/logo/zih_logo_ml}
% we use tikz for the color gradient
\usepackage{tikz}
\setbeamercolor{subsection in head/foot}{parent=palette secondary}
\setbeamercolor{section in head/foot}{parent=palette primary}
\setbeamercolor{author in head/foot}{parent=palette primary}
\definecolor{zihorange}{rgb}{0.898, 0.420, 0.125}
\defbeamertemplate*{footline}{zih01 theme}
{%
\begin{beamercolorbox}[colsep=1.5pt]{lower separation line head}
\hfill\rule{0cm}{0.7cm}
\end{beamercolorbox}
% fancy color gradient, see
% /usr/share/texmf/doc/generic/pgf/version-for-pdftex/en/pgfmanual.pdf
\begin{tikzpicture}[x=\paperwidth,y=0.5pt]
\shade[left color=white,right color=white] (0.0,0) rectangle (0.2,1);
\shade[left color=darkblue,right color=zihorange] (0.2,0) rectangle (0.8,1);
% \shade[left color=zihorange,right color=zihorange] (0.819,0) rectangle
% (0.978,1);
\end{tikzpicture}
% logo, page number, yet anoter logo
\begin{beamercolorbox}[ht=2.5ex,dp=1.125ex,leftskip=.3cm,rightskip=.3cm plus1fil]{author in head/foot}%
\pgfuseimage{logo-l}
\hfill%
%\leavevmode{\usebeamerfont{author in head/foot}\insertshortauthor}%
\leavevmode{\usebeamerfont{author in head/foot}\insertframenumber/\inserttotalframenumber}%
\hfill%
\pgfuseimage{logo-r}
\end{beamercolorbox}%
}
\DeclareOptionBeamer{footline}{\csname beamer@theme@footline@#1\endcsname}
\DeclareOptionBeamer{subsection}[true]{\csname beamer@theme@subsection#1\endcsname}
\ProcessOptionsBeamer
\mode<presentation>
% Head
\defbeamertemplate*{headline}{zih01 theme}
{%
\begin{beamercolorbox}[colsep=1.5pt]{upper separation line head}
\end{beamercolorbox}
% Navigation
\ifbeamer@theme@navigation
\begin{beamercolorbox}{section in head/foot}
\vskip2pt\insertnavigation{\paperwidth}\vskip2pt
\end{beamercolorbox}%
\fi%
% Section > Subsection
\ifbeamer@theme@subsection%
\begin{beamercolorbox}[colsep=1.5pt]{middle separation line head}
\end{beamercolorbox}
\begin{beamercolorbox}[ht=2.5ex,dp=1.125ex,leftskip=.3cm,rightskip=.3cm plus1fil]{subsection in head/foot}
\usebeamerfont{subsection in head/foot}\insertsectionhead\ \hfill \insertsubsectionhead
\end{beamercolorbox}%
\else%
\begin{beamercolorbox}{subsection in head/foot}
\rule{0cm}{0.7pt}
\end{beamercolorbox}%
\fi%
\begin{beamercolorbox}[colsep=1.5pt]{lower separation line head}
\end{beamercolorbox}
}
% Frametitle
\defbeamertemplate*{frametitle}{zih01 theme}[1][left]
{%
\ifbeamercolorempty[bg]{frametitle}{}{\nointerlineskip}%
\@tempdima=\textwidth%
\advance\@tempdima by\beamer@leftmargin%
\advance\@tempdima by\beamer@rightmargin%
\begin{beamercolorbox}[sep=0.3cm,#1,wd=\the\@tempdima]{frametitle}
\usebeamerfont{frametitle}%
\vbox{}\vskip-1ex%
\if@tempswa\else\csname beamer@fte#1\endcsname\fi%
\strut\hspace{3mm}\insertframetitle\strut\par%
\vspace{-3.8mm}%
\begin{tikzpicture}[x=\paperwidth,y=0.65pt]
\shade[left color=white,right color=white] (0.0,0) rectangle (0.001,1);
\shade[left color=zihorange,right color=darkblue] (0.02,0) rectangle (0.938,1);
\shade[left color=darkblue,right color=zihorange] (0.01,3) rectangle (0.928,4);
\end{tikzpicture}
{%
\ifx\insertframesubtitle\@empty%
\else%
{\usebeamerfont{framesubtitle}\usebeamercolor[fg]{framesubtitle}\hspace{3mm}\insertframesubtitle\strut\par}%
\fi
}%
\vskip-1ex%
\if@tempswa\else\vskip-.3cm\fi% set inside beamercolorbox... evil here...
\end{beamercolorbox}%
}
\mode
<all>


@ -0,0 +1,126 @@
\newif\ifzihbackground
\zihbackgroundtrue
%\zihbackgroundfalse
% Yes, this is dirty
\newcommand\zihmaketitle{
\definecolor{white}{gray}{1.00}%
\setbeamercolor{normaltext}{bg=darkblue}%
\setbeamertemplate{headline}{%
\vskip6.15mm\color{white}\setlength{\arrayrulewidth}{0.3pt}%
\begin{tabular*}{\paperwidth}[b]{l@{\extracolsep\fill}}%
\hspace*{3.0mm}\color{white}%
\includegraphics[height=7.81mm]{theme/logo/tu_logo_black}\\[1.2mm]%
\hline\hspace*{11.76mm}\rule[-0.8mm]{0pt}{2.47mm}%
\def\@@dummyComma{}\rule{0pt}{5.8pt}%
\insertinstitute \\%
\hline%
\end{tabular*}%
\hspace{-\paperwidth}%
}%
\ifzihbackground
\setbeamertemplate{footline}{}
\setbeamertemplate{background}{\includegraphics[height=\paperheight,width=\paperwidth]{theme/logo/bg}}
\else
\setbeamertemplate{footline}{
\parbox[t][22mm]{\paperwidth}{
\vspace*{-8.18mm}
\rule
{98.6mm}{0pt}\includegraphics[height=15mm]{theme/logo/zih_logo_white}
}
}
\fi%
\frame{\titlepage}
% Kopf-/Fusszeilen fuer restliche Folien
\setbeamercolor{normal text}{bg=white}
\setbeamertemplate{background}{}
\setbeamertemplate{headline}[zih01 theme]
\setbeamertemplate{footline}[zih01 theme]
}
\usetheme{Dresden}
%\useoutertheme{theme/zih01}
%\useinnertheme{theme/zih01}
\usepackage{theme/beamerouterthemezih01}
\usepackage{theme/beamerinnerthemezih01}
%\useinnertheme{rounded}
\definecolor{darkblue}{rgb}{0.04, 0.16, 0.32}
% font color for headlines etc.
\setbeamercolor*{structure}{fg=darkblue,bg=white}
% disable navigation symbols
\setbeamertemplate{navigation symbols}{}
% can't remember what this is good for
\setbeamercovered{transparent}
% reduce margin size
\setbeamersize{text margin left=0.7cm}
\setbeamersize{text margin right=0.7cm}
%
% Outer Color Theme "whale" sorgt f?r strenge farbliche Trennen zwischen Zierrat
% und dem eigentlichen Inhalt. Ein dunkler Hintergrund f?r den Folientitel wirkt
% aber zu aufdringlich.
%
\usecolortheme{orchid}
%\setbeamercolor{titlelike}{parent=structure}
%
% Inner Color Theme "orchid" sorgt f?r farblich abgesetzt Bl?cke (Definitionen,
% S?tze, Beispiele, Beweise, ...).
%
%\usecolortheme{orchid}
%zum drucken
%\usepackage{pgfpages}
%\pgfpagesuselayout{resize to}[a4paper,border shrink=5mm,port]
%\pgfpagesuselayout{4 on 1}[a4paper,border shrink=3mm, landscape]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\definecolor{LightGray} {gray}{0.9}
\definecolor{Gray} {gray}{0.5}
\definecolor{DarkGray} {gray}{0.2}
\definecolor{listinggray} {gray}{0.96}
\definecolor{DarkGreen} {rgb}{0.0,0.6,0.0}
\definecolor{DarkRed} {rgb}{0.6,0.0,0.0}
\definecolor{DarkBlue} {rgb}{0.0,0.0,0.6}
\definecolor{DarkCyan} {rgb}{0.7,0.7,0.2}
\definecolor{DarkDarkGreen} {rgb}{0.0,0.4,0.0}
\lstset{language=C}
\lstset{linewidth=0.99\textwidth}
%\lstset{boxpos=c}
\lstset{xleftmargin=0.03\textwidth}
%\lstset{breaklines=true}
\lstset{framexleftmargin=0.03\textwidth}
\lstset{abovecaptionskip=\smallskipamount}
\lstset{belowcaptionskip=\smallskipamount}
\lstset{basicstyle=\ttfamily\tiny}
\lstset{backgroundcolor=\color{listinggray}}
%\lstset{frameround=ffff}
%\lstset{frame=shadowbox}
%\lstset{rulesepcolor=\color{Gray}}
\lstset{numbers=left}
\lstset{numberstyle=\tiny \color{DarkGray}}
\lstset{numbersep=0.01\textwidth}
\lstset{showstringspaces=false}
%\lstset{showspaces=false}
\lstset{tabsize=4}
%% all words in the following list are printed in bold letters in a listing
\lstset{emph={__asm__, __volatile__, return, main,},emphstyle={\bfseries\color{DarkGray}}}
\lstset{captionpos=b}
% Style für C Sourcecode
\lstdefinestyle{CA}{
language=C,
basicstyle=\ttfamily\scriptsize,
keywordstyle=\ttfamily\bfseries\color{DarkBlue},
stringstyle=\ttfamily\color{DarkRed},
commentstyle=\ttfamily\color{DarkGreen},
identifierstyle=\ttfamily\color{DarkCyan},
backgroundcolor=\color{listinggray},
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%
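Review bot: The comments on L1109–L1111 and L1116–L1117 contain `?` where umlauts belong (`f?r`, `Bl?cke`, `S?tze`) while L1156 has a correct `ü`, so the file is in a mixed encoding; with `\usepackage[utf8]{inputenc}` in the presentation any non-UTF-8 byte outside a comment would be a compile error, so re-saving the file as UTF-8 and restoring the words (`für`, `Blöcke`, `Sätze`) is worth doing now. `\lstset{language=C}` (L1134) and `\lstset{numbers=left}` (L1147) are global and therefore also apply to the nft bytecode and script listings in the presentation, whose own `\lstset` only overrides `basicstyle`; if C highlighting and line numbers are not wanted there, add `language={}` and `numbers=none` to that `\lstset`.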
