Why is netfilter in kernel space?
Posted 04-21-2012 at 03:11 PM by Skaperen
Isn't one of the kernel design intentions to move more things to user space and keep the kernel itself smaller? I think network filtering should be one of those things.
So why haven't they done that? Is it considered too much of a performance issue to use user processes to filter packets? I don't think it would be. But maybe there is some functionality missing that can be done in the kernel and not in user space?
The API would not be hard. Just create device nodes or socket names that correspond to each of the possible hooks. The user process with the right credentials can open them for read/write. Each packet (or ethernet frame) would come into that process by reading it. Then it would write the packet (or frame) back out the same descriptor if it passes. If the descriptor closes, it goes back to default behavior (probably to pass everything transparently). Multithreaded or multiplexed I/O could be used to maximize the performance.
This could allow more innovation in filter design strategies since it becomes readily pluggable, and faulty programs won't take down an entire system.
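The interface the post sketches, as an added example (editor's code, not the post's): a userspace filter that gets one packet per read() on a descriptor and writes it back on the same descriptor to pass it, dropping by simply not writing. The descriptor here is a Unix datagram socketpair fed with constructed IPv4/TCP packets; it stands in for the hypothetical per-hook device node, which is not a real kernel interface. The policy, the addresses and the ports are all assumptions for the demo. For comparison, the facility Linux actually ships for this is the NFQUEUE target with libnetfilter_queue: the kernel copies the packet to a userspace program and that program answers with an NF_ACCEPT or NF_DROP verdict per packet, which is the same shape with the verdict sent as a separate message rather than by echoing the packet.

```c
/* Added example: a userspace packet filter in the shape the post proposes.
 * One read() yields one packet; writing it back on the same descriptor
 * passes it; not writing it drops it. The descriptor is a Unix datagram
 * socketpair carrying constructed packets. It stands in for the
 * hypothetical per-hook device node, which is not a real kernel interface. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };

/* Policy (assumed for the demo): pass IPv4/TCP to port 22 or 443, drop
 * everything else. Anything malformed (runt, non-IPv4, bad IHL, truncated
 * TCP header) is dropped rather than trusted. */
enum verdict filter_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return VERDICT_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot_len < ihl || tot_len > len)
        return VERDICT_DROP;
    if (pkt[9] != 6 || len < ihl + 20)          /* proto 6 = TCP */
        return VERDICT_DROP;
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return (dport == 22 || dport == 443) ? VERDICT_PASS : VERDICT_DROP;
}

/* The filter side: handle up to max_pkts packets from fd, writing back
 * the ones that pass. Returns how many were passed. A read of 0 or an
 * error ends the loop (in the proposal, closing the hook reverts it to
 * its default behaviour). */
int run_filter(int fd, int max_pkts)
{
    uint8_t buf[2048];
    int passed = 0;
    for (int i = 0; i < max_pkts; i++) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0)
            break;
        if (filter_verdict(buf, (size_t)n) == VERDICT_PASS &&
            write(fd, buf, (size_t)n) == n)
            passed++;
    }
    return passed;
}

/* Constructed input: a 40-byte IPv4/TCP SYN from 10.0.0.1 to 10.0.0.2. */
size_t make_tcp_pkt(uint8_t *out, uint16_t dport)
{
    memset(out, 0, 40);
    out[0] = 0x45;                 /* IPv4, IHL 5 */
    out[3] = 40;                   /* total length */
    out[8] = 64;                   /* TTL */
    out[9] = 6;                    /* TCP */
    out[12] = 10; out[15] = 1;     /* src 10.0.0.1 */
    out[16] = 10; out[19] = 2;     /* dst 10.0.0.2 */
    out[20] = 0xc0;                /* sport 49152 */
    out[22] = (uint8_t)(dport >> 8);
    out[23] = (uint8_t)(dport & 0xff);
    out[32] = 0x50;                /* data offset 5 */
    out[33] = 0x02;                /* SYN */
    return 40;
}

/* Convenience: verdict for a constructed SYN to the given port. */
int verdict_for_port(uint16_t dport)
{
    uint8_t pkt[64];
    return filter_verdict(pkt, make_tcp_pkt(pkt, dport));
}

/* The "kernel" side: push packets in on one end, run the filter on the
 * other, close the filter's end, and count what came back. Returns the
 * count, or -1 if it disagrees with what the filter says it passed. */
int demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    uint16_t ports[] = { 22, 80, 443, 8080 };
    uint8_t pkt[64];
    for (int i = 0; i < 4; i++)
        (void)write(sv[0], pkt, make_tcp_pkt(pkt, ports[i]));
    uint8_t runt[4] = { 0x45, 0, 0, 0 };       /* must be dropped, not parsed */
    (void)write(sv[0], runt, sizeof runt);

    int passed = run_filter(sv[1], 5);
    close(sv[1]);

    int came_back = 0;
    while (recv(sv[0], pkt, sizeof pkt, MSG_DONTWAIT) > 0)
        came_back++;
    close(sv[0]);
    return came_back == passed ? came_back : -1;
}

int main(void)
{
    printf("packets passed back: %d\n", demo());
    return 0;
}
```

The filter never touches bytes beyond what the length checks allow, so a runt or a lying IHL costs one dropped packet instead of a crash; in the post's model that is the whole point, since a crash here would kill one unprivileged process and the hook would fall back to its default rather than taking the kernel with it.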