Network processor acceleration for a Linux* netfilter firewall

2005 Symposium on Architectures for Networking and Communications Systems (ANCS) Pub Date : 2005-10-26 DOI:10.1145/1095890.1095906

Kristen Accardi, T. Bock, F. Hady, Jon Krueger

{"title":"Network processor acceleration for a Linux* netfilter firewall","authors":"Kristen Accardi, T. Bock, F. Hady, Jon Krueger","doi":"10.1145/1095890.1095906","DOIUrl":null,"url":null,"abstract":"Network firewalls occupy a central role in computer security, protecting data, compute, and networking resources while still allowing useful packets to flow. Increases in both the work per network packet and packet rate make it increasingly difficult for general-purpose processor based firewalls to maintain line rate. In a bid to address these evolving requirements we have prototyped a hybrid firewall, using a simple firewall running on a network processor to accelerate a Linux* Netfilter Firewall executing on a general purpose processor. The simple firewall on the network processor provides high rate packet processing for all the packets while the general-purpose processor delivers high rate, full featured firewall processing for those packets that need it. This paper describes the hybrid firewall prototype with a focus on the software created to accelerate Netfilter with a network processor resident firewall. Measurements show our hybrid firewall able to maintain close to 2 Gb/sec line rate for all packet sizes, a significant improvement over the original firewall. We also include the hard won lessons learned while implementing the hybrid firewall.","PeriodicalId":417086,"journal":{"name":"2005 Symposium on Architectures for Networking and Communications Systems (ANCS)","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-10-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2005 Symposium on Architectures for Networking and Communications Systems (ANCS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1095890.1095906","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 15

Abstract

Network firewalls occupy a central role in computer security, protecting data, compute, and networking resources while still allowing useful packets to flow. Increases in both the work per network packet and packet rate make it increasingly difficult for general-purpose processor based firewalls to maintain line rate. In a bid to address these evolving requirements we have prototyped a hybrid firewall, using a simple firewall running on a network processor to accelerate a Linux* Netfilter Firewall executing on a general purpose processor. The simple firewall on the network processor provides high rate packet processing for all the packets while the general-purpose processor delivers high rate, full featured firewall processing for those packets that need it. This paper describes the hybrid firewall prototype with a focus on the software created to accelerate Netfilter with a network processor resident firewall. Measurements show our hybrid firewall able to maintain close to 2 Gb/sec line rate for all packet sizes, a significant improvement over the original firewall. We also include the hard won lessons learned while implementing the hybrid firewall.

查看原文本刊更多论文

网络处理器加速为Linux* netfilter防火墙

网络防火墙在计算机安全中扮演着中心角色，在保护数据、计算和网络资源的同时仍然允许有用的数据包流动。每个网络数据包的工作量和数据包速率的增加使得基于通用处理器的防火墙越来越难以维持线路速率。为了满足这些不断变化的需求，我们设计了一个混合防火墙的原型，使用在网络处理器上运行的简单防火墙来加速在通用处理器上执行的Linux* Netfilter防火墙。网络处理器上的简单防火墙为所有数据包提供高速率的数据包处理，而通用处理器为那些需要它的数据包提供高速率、全功能的防火墙处理。本文介绍了混合防火墙的原型，重点介绍了使用网络处理器驻留防火墙来加速Netfilter的软件。测量结果表明，我们的混合防火墙能够在所有数据包大小的情况下保持接近2 Gb/秒的线路速率，这是对原始防火墙的显著改进。我们还包括在实现混合防火墙时获得的来之不易的经验教训。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2005 Symposium on Architectures for Networking and Communications Systems (ANCS)

自引率

0.00%

发文量