Network devices often apply firewall filters and/or rules on incoming and/or outgoing traffic. In some examples, an administrator may want to have the network device apply certain firewall filters and/or rules on only select interfaces. In such examples, the network device may be programmed to enforce those firewall filters and/or rules on some interfaces but not others. Unfortunately, the enforcement of those firewall filters and/or rules on only select interfaces may present certain challenges and/or difficulties.
As an example, in some network devices (such as LINUX-based routers), the operating system kernels may be unable to access information that identifies the external interfaces on which packets ingress and/or egress. For example, a network device may include a routing engine that implements a LINUX kernel. In this example, the LINUX kernel may be unable to access information that identifies the interface corresponding to an incoming or outgoing packet. That interface information may be available only in user space, not kernel space. As a result, the LINUX kernel may be unable to apply relevant firewall filters and/or rules on that packet based on the corresponding interface.
In another example, a network device may be able to apply certain firewall filters and/or rules in user space, as opposed to kernel space. However, in this scenario unwanted incoming packets may actually reach user space before the filters and/or rules are evaluated, even though those firewall filters and/or rules are intended to prevent such packets from doing so.
In a further example, a network device may be able to apply certain firewall filters and/or rules at a packet forwarding engine rather than the routing engine. For example, a network device may include a routing engine and a packet forwarding engine that are communicatively connected to one another. In this example, the packet forwarding engine may include various interfaces that are external to the routing engine. The packet forwarding engine may be programmed to enforce certain firewall filters and/or rules. However, the packet forwarding engine may have difficulty applying certain firewall filters and/or rules on packets and/or packet fragments that require reassembly.
The instant disclosure, therefore, identifies and addresses a need for additional and improved apparatuses, systems, and methods for applying firewall rules on packets in kernel space on network devices.