Overview

Fast Path Filtering IPv4 provides IPv4 filtering in the fast path.

To keep performance high, this module only implements simple lookup functions that operate on the information found in the shared memory.

If the relevant information for a packet (derived from its L3, L4 and L5 headers) is not found in the shared memory, the fast path raises an exception.

Depending on the configured filter rules and their priorities, this exception either:

  • interacts with other 6WINDGate entities, or

  • drops the packet for security reasons.

Features

  • Filtering, stateless 5-tuple based ACLs (Netfilter)

  • Support filter, mangle, raw and NAT tables

  • Rules per VR

  • “Netfilter-like” connection tracking (limited to tcp, udp, sctp, gre, ah, esp and ipip protocols)

  • Fast lookup tables

  • RPF Check

  • Support for the following netfilter targets
    • DROP

    • ACCEPT

    • RETURN

    • SNAT

    • DNAT

    • MARK

    • DSCP

    • TOS

    • REJECT

    • CHECKSUM

    • MASQUERADE

    • NETMAP

    • NOTRACK

    • CT (limited to --zone, --notrack and --helper)

    • CONNMARK

    • CLASSIFY

    • user-defined chains

  • Support for conntrack zones

  • Support for the following netfilter matches:
    • addrtype (limited to --src-type and --dst-type with unicast, local, broadcast, multicast, blackhole and throw route types)

    • BPF (cBPF only)

    • comment

    • connmark

    • conntrack (limited to --ctstate, --ctdir, --ctstatus)

    • devgroup

    • dscp

    • frag

    • hashlimit

    • icmp

    • icmp6

    • limit

    • mac

    • mark

    • multiport

    • nfacct (limited support)

    • owner (limited support)

    • physdev

    • policy (see limitations below)

    • rpfilter

    • sctp

    • set

    • state

    • tcp

    • tcpmss

    • tos

    • u32

    • udp

  • Support for the following ip set types:
    • hash:ip

    • hash:net

    • hash:mac

    • hash:net,net

    • hash:net,port

    • hash:net,port,net

    • hash:ip,port

    • hash:ip,port,ip

    • hash:ip,port,net

policy match support

Options supported: --dir {in|out} --pol {none|ipsec} --proto {ah|esp} [!] --mode {tunnel|transport}

Negation ([!]) is listed for --mode only. All other policy match options are not supported.
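Because the fast path only handles the matches, targets and option subsets listed above (and the policy match options just listed), it is useful to lint a ruleset before loading it. The script below is an added example, not 6WINDGate code: it reads text in iptables-save format, learns user-defined chains from the ":NAME" lines, and flags every rule that uses a match, target, or restricted option (policy, conntrack, addrtype, CT) that this page does not list. The supported lists are transcribed from the page; the sample ruleset is constructed for the example, and the script never talks to iptables or the fast path itself.

```shell
#!/bin/sh
# Added example (not 6WINDGate code): lint an iptables-save dump against the
# IPv4 targets, matches and option subsets this page lists for the fast path.
# The lists below are transcribed from the page; the sample ruleset is constructed.

FP_TARGETS="DROP ACCEPT RETURN SNAT DNAT MARK DSCP TOS REJECT CHECKSUM MASQUERADE NETMAP NOTRACK CT CONNMARK CLASSIFY"
FP_MATCHES="addrtype bpf comment connmark conntrack devgroup dscp frag hashlimit icmp icmp6 limit mac mark multiport nfacct owner physdev policy rpfilter sctp set state tcp tcpmss tos u32 udp"

in_list() { # true if word $1 appears in the space-separated list $2
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

fp_allowed_opts() { # options the page lists for match/target $1; empty = no restriction listed
  case $1 in
    policy)    echo "--dir --pol --proto --mode" ;;
    conntrack) echo "--ctstate --ctdir --ctstatus" ;;
    addrtype)  echo "--src-type --dst-type" ;;
    CT)        echo "--zone --notrack --helper" ;;
    *)         echo "" ;;
  esac
}

# $1: one "-A ..." rule line, $2: space-separated user-defined chain names.
# Returns 0 if every match, target and restricted option is on the page's lists,
# otherwise prints what is unsupported and returns 1.
fp_check_rule() {
  rule=$1; uchains=${2:-}
  set -f                     # no globbing while the rule is split into words
  set -- $rule
  set +f
  cur=""; neg=0; bad=""
  while [ $# -gt 0 ]; do
    case $1 in
      '!') neg=1; shift; continue ;;
      -m|--match)
        shift; cur=$1
        in_list "$cur" "$FP_MATCHES" || bad="$bad match:$cur" ;;
      -j|--jump)
        shift; cur=$1   # user-defined chains are supported targets
        in_list "$cur" "$FP_TARGETS" || in_list "$cur" "$uchains" || bad="$bad target:$cur" ;;
      --*)
        allowed=$(fp_allowed_opts "$cur")
        if [ -n "$allowed" ] && ! in_list "$1" "$allowed"; then bad="$bad $cur-option:$1"; fi
        # the page lists negation ([!]) for the policy match on --mode only
        if [ "$cur" = policy ] && [ "$neg" = 1 ] && [ "$1" != --mode ]; then bad="$bad policy-negation:$1"; fi ;;
    esac
    neg=0; shift
  done
  [ -z "$bad" ] && return 0
  printf 'not fast-path: %s  [%s ]\n' "$rule" "$bad"
  return 1
}

# Reads iptables-save text on stdin, learns user-defined chains from ":NAME" lines,
# checks each -A rule; returns the number of rules that failed (0 = all supported).
fp_lint_ruleset() {
  chains=""; nbad=0
  while IFS= read -r line; do
    case $line in
      :*)  c=${line#:}; chains="$chains ${c%% *}" ;;
      -A*) fp_check_rule "$line" "$chains" || nbad=$((nbad + 1)) ;;
    esac
  done
  return "$nbad"
}

# Constructed sample in iptables-save format. Four rules use features the page
# does not list: policy --reqid, the string match, the LOG target, CT --timeout.
SAMPLE_RULESET='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -i eth1 -j CT --zone 3 --timeout tcp-short
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FP_OK - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -m rpfilter --invert -j DROP
-A INPUT -p tcp -m tcp -m multiport --dports 22,443 -j FP_OK
-A INPUT -m set --match-set admins src -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp ! --mode tunnel -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --reqid 7 -j ACCEPT
-A INPUT -m string --algo bm --string evil -j DROP
-A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "new: "
-A FP_OK -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULESET" | fp_lint_ruleset
echo "rules the fast path would not handle: $?"
```

To lint a live system, pipe "iptables-save" into fp_lint_ruleset instead of the sample. The script only knows what this page lists; a rule it flags is not necessarily rejected by the kernel, it is simply outside the documented fast path feature set.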

Dependencies

6WINDGate modules

Linux

  • Netfilter: the kernel patch “netfilter: create audit records for x_tables replaces” (upstream in Linux 3.9)

  • RPF: the kernel patch “netfilter: export xt_rpfilter.h to userland” (upstream in Linux 3.12)