Netfilter - is there something faster ?

Hi !

I am working on ethernet bridge device based on embedded linux and ADM5120
chip. I want basic firewall funcionality in my kernel, but i dont need
most of netfilter advanced features. Simply filtering based on source and
dst ip address, source and dst port number and protocol type is everything
what i need.

I've tested two configurations of kernel (i am using 2.6 kernel tree):
first - no netfilter enabled - my device was able to bridge 70 Mbit of
traffic.
second - netfilter compiled in, but no rules applied - traffic is only 20
Mbit Adding some test rules has minor affect to traffic. Simply
existence of netfiler makes maximal possible traffic to be equal one third
of that when only routing exists in kernel.

Then I found ebtables. As much simplier than netfilter it should be also
much faster. But there is no way to use only ebtables. Netfilter must be
enabled in .config if you want use ebtables.

So i have two questions:

1. Is it possible to simplify netfilter somehow ? I need only very basic
filtering (no statefull inspection, only IP header based packet
filtering) ? I need it to be much faster and much simplier than it is
now. Maybe there is any 'light' version of netfiler ?

2. Is it possible to use only ebtables, without netfilter ?




--
z powazaniem "In every work of genius we recognize
Marcin Szczepaniak our own rejected thoughts."
-- Ralph Waldo Emerson

Marcin Szczepaniak wrote:
> I've tested two configurations of kernel (i am using 2.6 kernel tree):
> first - no netfilter enabled - my device was able to bridge 70 Mbit of
> traffic.
> second - netfilter compiled in, but no rules applied - traffic is only 20
> Mbit Adding some test rules has minor affect to traffic. Simply
> existence of netfiler makes maximal possible traffic to be equal one third
> of that when only routing exists in kernel.

This seems quite strange. Maybe the conntrack system it's to blame.
You could put a greater value at /proc/sys/net/ipv4/ip_conntrack_max
or if you use tcp-window-tracking at
/proc/sys/net/ipv4/netfilter/ip_conntrack_max

> 1. Is it possible to simplify netfilter somehow ? I need only very basic
> filtering (no statefull inspection, only IP header based packet
> filtering) ? I need it to be much faster and much simplier than it is
> now. Maybe there is any 'light' version of netfiler ?

First you should compile the netfilter support as modules, that way
you can load only the parts of netfilter that you need.

You can use iptables without using the conntrack system. Just load the
ip_tables and iptable_filter modules. Use:
modprobe iptable_filter

But then you can't use the conntrack capabilities of the firewall (NEW,
RELATED, ESTABLISHED, etc).

Regards.

--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

On Tue, 22 Mar 2005 12:55:02 +0000 (UTC), Marcin Szczepaniak
<(E-Mail Removed)> wrote:

>
>
>Hi !
>
>I am working on ethernet bridge device based on embedded linux and ADM5120
>chip. I want basic firewall funcionality in my kernel, but i dont need
>most of netfilter advanced features. Simply filtering based on source and
>dst ip address, source and dst port number and protocol type is everything
>what i need.

Because of the bridging, I don't know if either of these are
appropriate, but have a look at http://www.hipac.org/ and
http://lists.netfilter.org/pipermail...ly/008468.html

--
buck