Chapter 1. Understanding the Linux operating system 29
Draft Document for Review May 4, 2007 11:35 am 4285ch01.fm
Because of this, NAPI was introduced to counter the overhead associated with processing
network traffic. For the first packet, NAPI works just like the traditional implementation: it
issues an interrupt. After the first packet, however, the interface goes into a polling mode: as
long as there are packets in the DMA ring buffer of the network interface, no new interrupts are
raised, which reduces context switching and the associated overhead. Once the last packet has
been processed and the ring buffer is empty, the interface card falls back into the interrupt
mode we explored earlier. NAPI also has the advantage of improved multiprocessor scalability,
because it creates soft interrupts that can be handled by multiple processors. While NAPI is a
vast improvement for most enterprise-class multiprocessor systems, it requires NAPI-enabled
drivers. There is significant room for tuning, as we will explore in the tuning section of this
Redpaper.
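The interrupt-then-poll behaviour described above is easiest to see by counting interrupts. The following is an added example, not code from the Redpaper or from any Linux driver: a small discrete-time model of a NIC feeding a DMA ring buffer, run once with an interrupt per packet and once with NAPI semantics. The arrival times and the per-packet service time are constructed sample values.

```python
"""Added example (not from the Redpaper): count NIC interrupts for one stream of
packets under the traditional interrupt-per-packet scheme and under NAPI's
interrupt-then-poll scheme. Arrival times and service time are constructed."""
from collections import deque
from typing import Sequence, Tuple


def count_interrupts(arrivals: Sequence[float], service_time: float, napi: bool) -> int:
    """Return how many interrupts the NIC raises while the CPU drains `arrivals`.

    arrivals     -- times (any unit) at which packets land in the DMA ring buffer
    service_time -- CPU time needed to process one packet
    napi         -- False: every arrival raises an interrupt (traditional driver);
                    True: an interrupt is raised only while the interface is in
                    interrupt mode; the driver then polls the ring until it is empty
    """
    arrivals = sorted(arrivals)
    ring = deque()          # packets waiting in the DMA ring buffer
    interrupts = 0
    polling = False         # NAPI state: True while the driver is in poll mode
    now = 0.0               # time at which the CPU becomes free
    idx = 0
    while idx < len(arrivals) or ring:
        # Admit every packet that has landed in the ring by `now`.
        while idx < len(arrivals) and arrivals[idx] <= now:
            ring.append(arrivals[idx])
            idx += 1
            if not napi or not polling:
                interrupts += 1     # the NIC has to wake the CPU for this packet
                polling = True      # NAPI: further arrivals are picked up by polling
        if not ring:
            # Ring drained: NAPI re-enables interrupts and the CPU idles until
            # the next packet arrives (idx < len(arrivals) holds here).
            polling = False
            now = arrivals[idx]
            continue
        ring.popleft()              # process one packet from the ring
        now += service_time
    return interrupts


def compare(arrivals: Sequence[float], service_time: float) -> Tuple[int, int]:
    """Interrupt counts as (traditional, napi) for the same traffic."""
    return (count_interrupts(arrivals, service_time, napi=False),
            count_interrupts(arrivals, service_time, napi=True))


# Constructed traffic: two bursts arriving faster than packets are processed.
BURST = [0.0, 0.1, 0.2, 0.3, 0.4, 5.0, 5.1, 5.2]
# Constructed sparse traffic: each packet is finished long before the next arrives.
SPARSE = [0.0, 10.0, 20.0]

if __name__ == "__main__":
    print("burst  (traditional, NAPI):", compare(BURST, 0.5))   # (8, 2)
    print("sparse (traditional, NAPI):", compare(SPARSE, 1.0))  # (3, 3)
```

Under the burst, NAPI takes one interrupt per burst and picks the remaining packets up by polling; under sparse traffic the ring empties after every packet, so the interface falls back to interrupt mode each time and the two schemes raise the same number of interrupts.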
Netfilter
Linux has an advanced firewall capability as a part of the kernel. This capability is provided by
the Netfilter modules. You can manipulate and configure Netfilter using the iptables utility.
Generally speaking, Netfilter provides the following functions.
• Packet filtering: If a packet matches a certain rule, Netfilter accepts or denies the packet, or
takes the appropriate action as defined by the rules.
• Address translation: If a packet matches a certain rule, Netfilter alters the packet itself to
meet the address translation requirements.
Matching filters can be defined with the following properties.
• Network interface
• IP address, IP address range, subnet
• Protocol
• ICMP type
• Port
• TCP flag
• State (refer to “Connection tracking” on page 30)
Figure 1-26 gives an overview of how packets traverse the Netfilter chains, which are the lists of
defined rules applied at each point in sequence.
[Figure 1-26: Netfilter packet flow. The diagram shows the chains PREROUTING, INPUT, FORWARD,
OUTPUT and POSTROUTING arranged around the routing decision. Incoming packets enter through
PREROUTING and, after routing, go either to INPUT (packets for a local process) or to FORWARD
and then POSTROUTING (forwarded packets); packets originated from a local process pass through
OUTPUT and then POSTROUTING as outgoing packets. The processing stages drawn along the chains
are Connection Tracking, Mangle, NAT (DNAT), Filter, and NAT (SNAT, MASQUERADE) at POSTROUTING.]
Figure 1-26 Netfilter packet flow
Netfilter takes the appropriate action if a packet matches a rule. The action is called a target.
Some of the possible targets are:
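To make the chain traversal of Figure 1-26 and the match properties listed above concrete, here is an added example (not code from the Redpaper, the kernel or iptables): a toy model in which a packet is walked through the chains it would visit, and in each chain the first matching rule decides, falling back to the chain's default policy. The rule fields are exactly the properties listed in the text (interface, address or subnet, protocol, ICMP type, port, TCP flags, connection-tracking state). It models only filter decisions, so PREROUTING and POSTROUTING pass packets through, and it uses the two familiar iptables targets ACCEPT and DROP since the page's own target list is not on this page. The ruleset and the sample packets are constructed.

```python
"""Added example (not from the Redpaper): toy model of Netfilter chain traversal
and first-match filter rule evaluation. Ruleset and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    """Properties a rule can match on, plus the two routing facts that decide
    which chains the packet visits (all supplied by the caller)."""
    in_iface: str                      # incoming interface, "" if locally generated
    src: str
    dst: str
    proto: str                         # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[int] = None
    state: str = "NEW"                 # connection tracking state
    local_dst: bool = False            # routing decision: addressed to this host
    local_src: bool = False            # originated by a local process


@dataclass
class Rule:
    """One filter rule; a None field matches anything for that property."""
    target: str                        # ACCEPT or DROP
    in_iface: Optional[str] = None
    src: Optional[str] = None          # single address or CIDR subnet
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    tcp_flags: Optional[FrozenSet[str]] = None   # every listed flag must be set
    icmp_type: Optional[int] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, pkt: Packet) -> bool:
        checks = [
            self.in_iface is None or pkt.in_iface == self.in_iface,
            self.src is None or _in_net(pkt.src, self.src),
            self.dst is None or _in_net(pkt.dst, self.dst),
            self.proto is None or pkt.proto == self.proto,
            self.dport is None or pkt.dport == self.dport,
            self.tcp_flags is None or self.tcp_flags <= pkt.tcp_flags,
            self.icmp_type is None or pkt.icmp_type == self.icmp_type,
            self.states is None or pkt.state in self.states,
        ]
        return all(checks)


def _in_net(addr: str, net: str) -> bool:
    """True if addr lies in net (a host address or a CIDR subnet)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def traversal_path(pkt: Packet) -> List[str]:
    """Chains the packet visits, following the three flows of Figure 1-26."""
    if pkt.local_src:
        return ["OUTPUT", "POSTROUTING"]
    if pkt.local_dst:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


def filter_packet(pkt: Packet, chains: Dict[str, List[Rule]],
                  policies: Dict[str, str]) -> Tuple[List[str], str]:
    """Walk the chains in order. The first matching rule in a chain decides;
    otherwise the chain policy applies. Chains with no filter rules (PREROUTING,
    POSTROUTING in this model) simply pass the packet on."""
    path = traversal_path(pkt)
    for chain in path:
        verdict = policies.get(chain, "ACCEPT")
        for rule in chains.get(chain, []):
            if rule.matches(pkt):
                verdict = rule.target
                break
        if verdict == "DROP":
            return path, "DROP"
    return path, "ACCEPT"


# Constructed ruleset for a host that also routes: stateful, default deny inbound.
CHAINS: Dict[str, List[Rule]] = {
    "INPUT": [
        Rule("DROP", proto="tcp", tcp_flags=frozenset({"SYN", "FIN"})),  # contradictory flags
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", in_iface="eth0", src="10.0.0.0/8", proto="tcp", dport=22,
             states=frozenset({"NEW"})),
        Rule("ACCEPT", proto="icmp", icmp_type=8),                        # echo request
    ],
    "FORWARD": [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))],
    "OUTPUT": [],
}
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

if __name__ == "__main__":
    ssh = Packet("eth0", "10.1.2.3", "10.0.0.1", "tcp", dport=22,
                 tcp_flags=frozenset({"SYN"}), local_dst=True)
    fwd = Packet("eth0", "10.1.2.3", "203.0.113.5", "udp", dport=53)
    print(filter_packet(ssh, CHAINS, POLICIES))   # (['PREROUTING', 'INPUT'], 'ACCEPT')
    print(filter_packet(fwd, CHAINS, POLICIES))   # (['PREROUTING', 'FORWARD', 'POSTROUTING'], 'DROP')
```

The state rule placed before the per-service rules is what makes the ruleset stateful: reply packets are accepted by their connection-tracking state alone, so only the first packet of a connection has to pass the service-specific rules.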