Componentization of IP and Netfilter Architecture in Linux Kernel

Lin, Jiun-nan

25 July 2007

In this thesis, we exercised the componentization technique to componentize the Netfilter architecture in Linux network system. Netfilter is a software architecture for filtering packets. System administrator can register packet-matching rules and target handling function into the system. Netfilter matches packets according to the rules and processes them by the corresponding target functions. By componentizing the architecture, we can improve the elasticity and the reusability of Netfilter. Hot-swapping is an important procedure in componentized software system. In this study, we implemented hot-swapping based on the work developed by Fan[1]. It stores the relocation information of exporting symbols into the module symbol table. With this information, we are able to dynamically change the caller-callee relationship of modular components at run time. In addition, we extend their work to allow the same modular component to be loaded into Linux kernel for more than once so that the same component can be replicated in the system. We started with decomposing all the ¡§hook¡¨ functions into smaller and simpler components and then for each component, we added in-ports and out-ports and registered its own iptables, and we fixed the limitation of only one instance of a module allowed in kernel and broke the hard rule in iptables. As a result, after Netfilter componentization, we are able to illustrate new configurations that cannot be done in the original architecture, and the system becomes further compact with only necessary components loaded in the system. This reflects in slight performance improvement in our experiments, which is not usually seen in other frameworks due to componentization overhead.

hot-swapping

software component

componentization

Linux

IP Tables

Netfilter