NFShunt is an OpenFlow controller integrated with Linux’s Netfilter connection tracking. It allows L2 bridged TCP connections to be accelerated (bypass switched) mid-connection via a hardware data-plane, based on policy expressed as part of a stateful iptables firewall rule-set.

This code is the proof-of-concept for a project I worked on at SANReN and was the research topic for my MSc dissertation at WITS University. The idea is to enhance the Science DMZ design without abandoning stateful filtering entirely. In some ways it is similar to SciPass (with a focus on tight integration with a firewall, instead of an intrusion detection system).

Note: this code is distributed without warranties of any kind. It has been tested in our lab with a Pica8 P-3290 switch, and on Mininet with OVS, but YMMV.

For questions or comments, please drop me an email at simeon.miteff@gmail.com

I presented a paper on NFShunt at the IEEE NFV-SDN 2015 conference. You can download the IEEE published version here or get the accepted version from included in the repository here.

Please use the following BibTeX entry to cite NFShunt:

@INPROCEEDINGS{
  Mite1511:NFShunt,
  AUTHOR="Simeon Miteff and Scott HazelHurst",
  TITLE="{NFShunt:} a Linux firewall with {OpenFlow-enabled} hardware bypass",
  BOOKTITLE="2015 IEEE Conference on Network Function Virtualization and
  Software Defined Network (NFV-SDN) (NFV-SDN'15)",
  ADDRESS="San Francisco, USA",
  PAGES="102-108",
  DAYS=18,
  MONTH=nov,
  YEAR=2015,
  KEYWORDS="Firewall;OpenFlow;Fast Data Transfer",
  ABSTRACT="Data-intensive research computing requires the capability to
  transfer files over long distances at high throughput. Stateful firewalls
  introduce sufficient packet loss to prevent researchers from fully exploiting
  high bandwidth-delay network links [ESNet 2015]. To work around this
  challenge, the Science DMZ design [E. Dart et al. 2014] trades off stateful
  packet filtering capability for loss-free forwarding via an ordinary Ethernet
  switch. We propose a novel extension to the Science DMZ design, which uses an
  SDN-based firewall. This paper introduces NFShunt: a firewall based on Linux's
  Netfilter combined with OpenFlow switching. Implemented as an OpenFlow 1.0
  controller coupled to Netfilter's connection tracking, NFShunt allows the
  bypass-switching policy to be expressed as part of an iptables firewall
  rule-set. Our implementation is described in detail, and latency of the
  control-plane mechanism is reported. TCP throughput and packet loss is shown
  at various round-trip latencies, with comparisons to pure switching, as well
  as to a high-end Cisco firewall. The results support reported observations
  regarding firewall introduced packet-loss, and indicate that the SDN design of
  NFShunt is a viable approach to enhancing a traditional firewall to meet the
  performance needs of data-intensive researchers."
}

Run:

wget -O carp.tgz https://github.com/noxrepo/pox/tarball/carp?_=pox.tgz
mkdir pox
tar -xzf carp.tgz -C pox --strip-components=1

Then, from this repo, copy nfshunt.py into pox/ext/ and copy nfshunt.json into pox/

For Debian/Ubuntu, run: sudo apt-get install conntrack

For Debian/Ubuntu, add a section to /etc/network/interfaces:

auto br0
iface br0 inet manual
        bridge_ports eth1 eth2
        bridge_stp off       # disable Spanning Tree Protocol
        bridge_waitport 0    # no delay before a port becomes available
        bridge_fd 0          # no forwarding delay

You may need to change the bridge interface name, depending on your system. This example assumes eth1 and eth2 are being used for the firewall. Remember to adjust the MTU of the bridge and bridge ports as required, and (depending on the Linux distribution used) enable IP forwarding and netfilter processing for bridged traffic (not needed by default on Debian/Ubuntu). Finally, remember to bring the interface up with: ifup br0

Set up an OpenFlow switch instance with the slow path host as controller (TCP port 6633). Two external switch ports are fast, and two ports connected to the host are those configured in the kernel bridge above, are the slow ports.

• Edit nfshunt.json, pair up the external (fast) OpenFlow switch ports with slow path ports. The physdevin numbers match the OpenFlow port connected to the host to the Netfilter bridge physical ports.

• Edit setup_iptables.sh, set the interface names (change eth1 and eth2 if required), and also interfaces that need to be ignored (such as eth0).

The run.sh scripts starts up pox with the nfshunt module, and debug.sh does the same, but is more verbose. You should see the OpenFlow switch connect, and the code fork an instance of conntrack to monitor Netflow connection tracking events. Now TCP connections matching your policy (configured via setup_iptables.sh) will trigger the controller to bypass (or blackhole).

This code is copyright 2014-2015 the CSIR, and released under the Apache 2.0 license.