Erven Coronado Padilla: well...it's time to start
César Pérez Turrado Hello, we have with us Harald
Welte, core developer of the NetFilter project, the packet filtering and mangling engine for Linux 2.4. He's now getting sponsored for his work on his free software projects by Conectiva.
He's now going to talk about Firewalling IPv6 with ip6tables in linux 2.4.x
Harald, when you want :)
Harald Welte ok :) Hi everybody...
First of all: This is not really going to be a prepared presentation with slides and / or script
I assume most of you have already attended my presentation about traditional ipv4 firewalling with iptables/netfilter two days ago on this channel here
So I will just blindly assume that most of you are already sort-of familiar with iptables (for IPv4)
most of this presentation will have a discussion / q&a character, so I'm going to drop the moderated status of the channel soon
so let me first ask, who of you does not know the iptables/netfilter for IPv4 ?
(this way it's easier to see on which level I can talk...)
so please raise hands, if you haven't heard anything about iptables for IPv4 yet, and have no idea what it is
César Pérez Turrado humm, people are shy. I know a bit about iptables for IPv4
Harald Welte ok.
Harald Welte it is important to tell me now, before the talk, if somebody doesn't know anything about it
* giantux raises one hand, knows just a bit...
Harald Welte we have plenty of time, so i could easily give some basic introduction
Pablo Chico I raise one hand too, I don't know what an iptable for IPv4 is
Harald Welte ok. i see.
* cron is using 2.4.5 with iptables/netfilter now
Harald Welte oroz: could you post the url of my presentation two days ago?
César Pérez Turrado yes, one second
Harald Welte ok, so i'm going to talk about some basics first
César Pérez Turrado http://6fevu.uninet.edu/text/laforge1.html
Harald Welte on this URL above you will find the paper to my iptables presentation.
iptables/netfilter is the firewalling / packet filtering / NAT / mangling framework of the Linux kernel
César Pérez Turrado also http://6fevu.uninet.edu/text/laforge.html (sorry)
Pablo Chico Ok thank you very much.
Harald Welte the presentation from two days ago was only about IPv4 (traditional IP) firewalling
but most of it also applies for ipv6.
So what we have in linux 2.4 is a set of hooks in the networking code (netfilter hooks)
those hooks are at well-defined points in the linux network stack.
IPv6 has 5 of these hooks, exactly the same as IPv4
those hooks are nothing more than points where any linux kernel module can register.
A registered kernel module is called for every packet passing this hook.
Please have a look at the diagram, the diagram in section 1.4 of the paper
the hooks are assigned numbers from 1 to 5
packets come in from the network on the left side
and go out to the network on the right side
packets to or from the local host (the firewall itself) are at the bottom.
so if a packet comes in from the network, and is forwarded to another interface, it will go the following path:
coming in from the left, it first traverses hook 1 (PRE_ROUTING)
then the routing code makes the routing decision
after the routing decision the FORWARD (3) hook is traversed
and finally the POST_ROUTING hook (4) is passed.
After that, the packet is sent to the outgoing interface.
So if anybody registers for any of the hooks 1,3,4 he will see all the packets, anybody means 'any kernel module'
so if a kernel module registers to one of the hooks, it will be called for each packet passing by
what really happens is, that a callback function within this kernel module is called
this callback function has to return something to the network stack:
possible obvious values are NF_ACCEPT, NF_DROP
if the module returns NF_ACCEPT, the packet will go on to the next hook,etc.
if the module returns NF_DROP, the packet will be dropped and nobody else (no other hook, not the outgoing interface) will see it
this is just the very basics.
Of course nobody wants to write kernel modules to do firewalling
but the netfilter hooks are some generic framework, where packet filtering and other stuff can be implemented.
On top of this (as a kernel module) we have implemented iptables.
Iptables is the direct successor of ipchains (the old linux 2.2.x firewalling framework)
ip tables are tables of rules which are traversed for a packet.
So, for example, iptables registers with hook number 3, and attaches a list of rules to that hook.
So any packet coming to netfilter hook number 3 will be passed on to iptables, and iptables will check this packet against a set of rules.
Those rules are traversed from top (first rule) to the bottom (last rule)
for more basics about the rules, please see part 2 of the presentation
the only basic difference between ipv4 iptables and ipv6 iptables is:
the command for configuring the rules is called 'ip6tables' instead of 'iptables'
The functionality you have available is much smaller than for ipv4. Basically every rule can have the following actions (targets):
ACCEPT
DROP
LOG
the ip6table_filter kernel module has three chains
(chains == list of rules)
INPUT
FORWARD
OUTPUT
the INPUT chain is connected to the NF_IP_LOCAL_IN hook
the FORWARD chain is connected to the NF_IP_FORWARD hook
the OUTPUT chain is connected to the NF_IP_LOCAL_OUT hook
the INPUT chain only applies to packets for the local host
the FORWARD chain applies for all packets forwarded by the local host
the OUTPUT chain applies for all packets sent by the local host
using ip6tables, you can now add rules to each of those chains
for example:
ip6tables -A FORWARD -j DROP -s fe80::240:c7ff:0:0/10
will drop all packets coming from the specified ipv6 network.
as matches you have:
-s source address / mask
-d destination address / mask
-p tcp --sport (tcp source port)
-p udp --dport (udp destination port)
(and some other, more advanced features)
so we can now create a list of rules, specifying which packets (from xxxx / to xxxx / with source port yyyy) should be accepted or dropped
this is very, very basic functionality
a stateless packet filter, with very basic functions.
any questions up to now?
feel free to ask
rapid yes, one here :)
Juan Pedro Paredes why is the ipv4 functionality you have available much smaller than for ipv6?
Harald Welte because it is two different implementations
basically people implement features for ipv4
and then (maybe) later somebody ports them to ipv6
the problem is, that the whole network stack for ipv4 and ipv6 is different
so we cannot have a shared system for both network protocols
iptables / ip6tables don't even know about each other
and for most people ipv4 is important, and ipv6 is regarded as some nice toy....
Juan Pedro Paredes actually they aren't implemented for ipv6?
Harald Welte ... so there are lots of features where nobody finds time to port them to ipv6
the whole ipv6 stack in linux is still considered experimental
the ip6tables system for ipv6 is also considered experimental.
let's call it work-in-progress
Juan Pedro Paredes ok thanks a lot
rapid what did you mean with of course nobody wants to write kernel modules to do firewalling
Harald Welte rapid: well. we have two parts:
netfilter
and iptables
rapid what else is needed besides drop/deny?
Harald Welte rapid: wait a second
Harald Welte if we had only netfilter
then everybody would have to write a kernel module which does the actual filtering
but instead of doing this, there is a highly-configurable module, called ip6tables :)
rapid: in ipv4 we have at least REJECT for filtering
rapid: and in ipv4 we have NAT, stateful firewalling, connection tracking, NAT, ...
so the summary is: the core functionality is there, and everything else needs to be filled in
we are happy about any contributions
rapid understood :)
rapid thxs :)
Harald Welte the problem is, that the core developers
have a lot of work for the ipv4 stuff, and most of the time nobody gets around to doing something for ipv6
so there are some people contributing / porting things for ipv6, but it isn't enough.
this is pretty much the same situation as with the linux ipv6 stack in general
people add functions to ipv4 (policy routing, etc.) - and even within years nobody ports them to ipv6, which is a pity :(
but anyway, i think the current ip6tables is usable...
Harald Welte further questions?
rapid are there any plans to join the development of ipv4/6? that would save efforts...
rapid: this is not really possible, the problem is, as i pointed out, that the underlying network stacks (ipv4 / ipv6) are separate
so the core network layer already divides ipv4 and ipv6 packets in two parts
- ipv4 packets to the ipv4 part
- ipv6 packets to the ipv6 part
and on top of each of those parts (stacks) there is netfilter and ip(6)tables
and then there are so many differences between the individual protocols
like in ipv4 we have a TOS target to set the type of service
or a TTL target for the ttl.
but in ipv6 you have HOPLIMIT
and sometimes the semantics are a little bit different
so I really see no way for an efficient implementation which would cover both protocols
i know, it's very unfortunate - but we see no way how to change that
linux 2.5.x might (in some parts) bring a change about this
but iptables / ip6tables will keep being separate
we are thinking about implementing connection tracking in a generic way.
so connection tracking could work independently of ipv4 / ipv6 / ipx / ...
but this increases (again) the layer of complexity, and it would be another big thing to work on
you have to see that there are multiple full-time years of development in netfilter+iptables (for ipv4 only)
Harald Welte more questions?
rapid (i see. thanks. great job :)
Harald Welte if anybody wants to give ip6tables a try, just get the package from the homepage, and compile your kernel with the respective configuration options
we are more than happy to receive any positive/negative feedback
and of course, there is lot of work to do for any ipv6 enthusiast who wants to help us out
Harald Welte further questions?
Harald Welte feel free to go ahead
Harald Welte i'm not going to bite :)
netlag uff, the topic is over my head :)
Harald Welte unfortunately i don't understand spanish
Juan Pedro Paredes netlag says it's too hard for me
Juan A. Campo uff, the topic is over my head :) this is much effort to me
Harald Welte :) hm. well.
Harald Welte it's certainly hard if you don't know iptables for ipv4 first
Juan A. Campo i know iptables
Harald Welte so once you have managed to get the ipv4 firewalling running, read all the documentation for iptables (there is plenty)
Juan Pedro Paredes well i use ipchains
Harald Welte and once you have the knowledge / familiarity with iptables, the step to ip6tables is very easy
Juan A. Campo i do a shell script with iptables, but i don't feel well with ipv6
rapid how is fragmentation support on ipv6? i've seen...mm... ¿brad? doing some releases, but nothing in the cvs...
Harald Welte what do you mean with 'fragmentation support'
rapid when a packet is bigger than the mtu...
Harald Welte rapid: yes, but where is the relation to iptables / ip6tables
I mean, the ipv6 stack has to care about fragmentation
like the ipv4 stack cares about ipv4 fragmentation
Russ|werk LaForge: how difficult would it be to implement a completely transparent iptables firewall, maybe one that only allowed established connections back through
Harald Welte russ: you are talking about iptables or ip6tables?
Russ|werk for now, just iptables
rapid (thought that ipv6 stack/iptables6 development was... side by side)
Tv If you don't care about _perfect_ transparency, just proxy arp, have correct routes, and firewall.. BTDT.
Harald Welte ip6tables doesn't have connection tracking and thus you don't have the term 'connection' at all
ip6tables development has no relation to ipv6 stack development
it's a totally different group of people.
Russ|werk the REJECT or DROP target would need to now allow the packets to bridge, instead of not allowing them to route
Harald Welte and we don't really need too much communication between each other
Harald Welte russ: iptables (ipv4) questions are a bit off-topic today
and bridging firewalling is not officially part of iptables
there is an unofficial patch for bridging firewalling, and it seems to have reached a certain stability recently
Lennert Buytenhek is working on that (the linux bridging code maintainer)
Harald Welte no more questions?
Harald Welte well, i guess i have to excuse myself again.
Harald Welte ip6tables is not really a cutting-edge full-fledged firewall implementation, but at least we have some firewalling for ipv6, and people can continue working on that :)
well, if there are no more questions, i guess this talk is over then
David Román Esteban one question
Harald Welte i can just recommend everybody giving the current code a try.
Harald Welte http://netfilter.gnumonks.org/
Harald Welte dre: yes, go ahead :)
David Román Esteban when there will be a "final" version of ipv6 ?
Harald Welte you mean of ip6tables ?
David Román Esteban yes sorry
Harald Welte well, I don't know.
David Román Esteban and when do you think all the net will change to ipv6 ?
Harald Welte as I said, we are more than busy with the ipv4 code, and there is not somebody approaching us who wants to spend more time improving it
hm, i don't think that a transition of the internet to ipv6 will happen in a feasible amount of time
maybe in 10 years or something ;)
David Román Esteban do you think that ipv6 is simply an experiment ? or it will be the future ? in the net ?
Harald Welte i know, it's a pity. but looking at it from a pragmatic perspective, it will take ages.
No, I really think ipv6 is the future. just not right now.
Everybody (including us) is just too lazy and then you have to think about thousands of isp's who have clueless administrators
and all the hardware (like dial-up-routers and stuff)
proprietary hardware, where the vendors don't provide ipv6-enabled firmware etc.
David Román Esteban yes.. but as some like
Harald Welte so there are a lot of practical real-world limitations preventing this from happening right now (or in the next few years)
yes, I know some.
But look at it from the perspective of a commercial, profitable ISP:
why should you buy new hardware from a different vendor, if the old one works?
why should you train your technical staff for something new, if they can do it right now?
David Román Esteban because I don't have more ip's to sell
Harald Welte look what happened to multicasting :(
technology is complex, hardware expensive, no killer-application requires multicasting, so why should any commercial isp offer it?
well, then you raise the price for ip addresses
David Román Esteban yes that's happening right now
Harald Welte and believe me, they would rather give all their dialup customers dynamically assigned 192.168'er addresses and do NAT than switch to ipv6
so we can reduce the problem to: commercialisation has made the net evil.
But what i could see happening is more and more research facilities / universities / ... moving to ipv6
and creating some kind of alternative internet, based on ipv6 (like the 6bone currently is).
And you basically have the same situation (now in ipv6) as you had 10 years ago with the 'real' (ipv4 based) internet
David Román Esteban yes but the number of ip's must be exponential to get in 10 years from now the same situation with ipv6 as with ipv4 right now
Harald Welte well. any more questions which are somewhat more on-topic ? ;)
Harald Welte dre: no. have you actually calculated how many ipv6 addresses we have for every square meter of earth-surface? And the global aggregatable address format is actually reducing wasted address ranges
rapid (time to take a look at ipv9 rfc :)
Harald Welte ;)
David Román Esteban ipv9? why not ipv12 ? ;P
Harald Welte ok.
David Román Esteban thx for the answers
Harald Welte if nobody else has an on-topic question, i will declare this talk ended now :)
César Pérez Turrado Thank you very much, Harald.
Harald Welte dre: no problem, thanks for the questions
clap clap clap clap clap clap
Ricardo J. Cárdenes Medina Thank you LaForge :-)
rapid LaForge : thanks for ulog :)
Pablo Chico i say the same as you MJeus
Harald Welte you're welcome. as i said, i have to excuse that there is not too much else to present
Harald Welte btw: does anybody know of any other software which does ipv6 firewalling?
César Pérez Turrado nop
David Román Esteban no, netbsd can work with ipv6 no ?
Harald Welte dre: don't know. i mean, of course they have ipv6 - but do they have packet filtering for ipv6?
Harald Welte ok, well... i guess i will be leaving then...
César Pérez Turrado ok LaForge, thx again :)
César Pérez Turrado Thx to the translators dre, juampe and gigantux :) clap clap clap clap clap clap