LinuxQuestions.org

Review your favorite Linux distribution.

		LinuxQuestions.org > Blogs > Skaperen
Why is netfilter in kernel space?

Notices

Welcome to LinuxQuestions.org, a friendly and active Linux Community.

You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!

Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.

Are you new to LinuxQuestions.org? Visit the following links:
Site Howto | Site FAQ | Sitemap | Register Now

If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.

Having a problem logging in? Please visit this page to clear all LQ-related cookies.

Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.

Exclusive for LQ members, get up to 45% off per month. Click here for more info.

Rate this Entry

Why is netfilter in kernel space?

Posted 04-21-2012 at 03:11 PM by Skaperen

Isn't one of the kernel design intentions to move more things to user space and keep the kernel itself smaller? I think network filtering should be one of those things.

So why haven't they done that? Is it considered too much of a performance issue to use user processes filter packets? I don't think it would be. But maybe there is some functionality missing that can be done in the kernel and not in user space?

The API would not be hard. Just create device nodes or socket names that correspond to each of the possible hooks. The user process with the right credentials can open them for read/write. Each packet (or ethernet frame) would come in to that process by reading. Then it would write the packet (or frame) back out the same descriptor if it passes. If the descriptor closes, it goes back to default behavior (probably to pass everything transparently). Multithread or multiplex I/O could be used to maximize the performance.

This could allow more innovation in filter design strategies since it become readily pluggable, and faulty programs won't take down an entire system.

Posted in Uncategorized

Views 838 Comments 0

« Prev Main Next »

Total Comments 0

Comments

Skaperen is offline

Registered May 2009
Location center of singularity
Posts 2,684
Blog Entries 31

Find Blog Entries by Skaperen

Containing Text: Search Titles Only

Advanced Search
Blog Categories
Local Categories
- Uncategorized
Recent Comments
Recent Entries
Recent Visitors

All times are GMT -5. The time now is 02:47 PM.

Main Menu

Advertisement

Advertisement

My LQ

Write for LQ

LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.

Main Menu

Syndicate

Latest Threads

LQ News

Twitter: @linuxquestions

Open Source Consulting | Domain Registration