Register a domain and help support LQ
Go Back > Blogs > Skaperen
User Name


Rate this Entry

Why is netfilter in kernel space?

Posted 04-21-2012 at 04:11 PM by Skaperen

Isn't one of the kernel design intentions to move more things to user space and keep the kernel itself smaller? I think network filtering should be one of those things.

So why haven't they done that? Is it considered too much of a performance issue to use user processes filter packets? I don't think it would be. But maybe there is some functionality missing that can be done in the kernel and not in user space?

The API would not be hard. Just create device nodes or socket names that correspond to each of the possible hooks. The user process with the right credentials can open them for read/write. Each packet (or ethernet frame) would come in to that process by reading. Then it would write the packet (or frame) back out the same descriptor if it passes. If the descriptor closes, it goes back to default behavior (probably to pass everything transparently). Multithread or multiplex I/O could be used to maximize the performance.

This could allow more innovation in filter design strategies since it become readily pluggable, and faulty programs won't take down an entire system.
Posted in Uncategorized
Views 468 Comments 0
« Prev     Main     Next »
Total Comments 0




All times are GMT -5. The time now is 09:13 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration