Netfilter - Harald

* systems with everything enabled - so many table lookups per packet
  - grand unified flow cache; problems: bigger key, synchronization and locking, generation number?
  - tcp state / connection tracking DoS, flushing issues
  - alternatives: function pointer if cache fails
* pkt tables: generalizations of arp tables, ip tables, ...
  - abstraction of iteration, other functions; arch independent
  - updates: two table model, API versioning
* performance
  - dual opteron benchmark - packets/sec (linux 2nd place behind Clavister?)
  - linear lookup
  - NFI pack - gave up on GPL version, went to $$ (400k module)
  - primitive setup firewall, 250 rules (20 rules/pkt); need caching -- proposing interim flow cache for netfilter
* cluster firewall
  - checkpoint has it
  - ctsync - almost working (single master, multiple slaves) at OLS; just connection tracking info, same rules
  - udp multicast based - in kernel; slaves have networking turned off
* selinux relation
  - selinux wants to be the only source of security policy, correlated to process
* layer 2 netfilter hooks
  - turn off packet processing; better alternative would be a generic tc_action
* netlink
  - RTnetlink: need to be able to watch connection state. Processes interested only want some small subset; no way today to filter. Groups were an option but not big enough. Could use connect() facility with info in sockaddr.
  - running out of numbers in netlink. How many do you need? 3. Can reclaim some.