The Official Unofficial Zorp project
 
Overview| Examples| Bugs| FAQ | White papers | Download | Help wanted | SourceForge Project page | Filltable utility  
 
 
SourceForge.net: SF.net Project News: Zorp unofficial
  • zorp 2.0.9-6 has been released
  • iptables-utils zorp-unoff version has been released
  • New whitepaper, even more FAQs
  • Zorp whitepapers released, new FAQs
  • New tproxy versions
  • New Zorp version: get the DN
  • The best bughunter
  • Bughunting contest extended
  • Valentine day bughunting contest!
  • Site updates: FAQ, design
  • SourceForge.net: Project File Releases: Zorp unofficial
  • zorp 2.0.9-6 released (Mon, 01 Nov 2004 21:49:58 GMT)
  • zorp 2.0.9-6 released (Mon, 01 Nov 2004 21:40:56 GMT)
  • iptables-utils 1.21-1 released (Mon, 01 Nov 2004 21:19:42 GMT)
  • zorp 2.0.9-1 released (Sat, 12 Jun 2004 00:00:00 GMT)
  • zorplibll 2.0.26.24-1 released (Sat, 12 Jun 2004 00:00:00 GMT)
  • zorp zorp_2.0.8-1 released (Thu, 11 Dec 2003 00:00:00 GMT)
  • zorp zorp_2.0.7-2 released (Wed, 03 Dec 2003 00:00:00 GMT)
  • zorp zorp_2.0.7-1 released (Tue, 11 Nov 2003 00:00:00 GMT)
  • zorplibll zorplibll_2.0.26.23-1 released (Mon, 10 Nov 2003 00:00:00 GMT)
  • download
    
    Accepting incoming connections
    
    Introduction
    ------------
    
    This paper is part of the "Zorp Anatomy" series of articles and as such it
    gives some background information about the Dispatch subsystem of Zorp. It
    is intended for advanced Zorp users, those interested in what behind the
    scene is.
    
    What is 'dispatch'?
    -------------------
    
    As Zorp is a proxy based firewall it processes traffic in connections. Each
    session is usually one or more pairs of connections (one for the client and
    one for the server) and a session starts as soon as a new client side
    connection is detected.
    
    In fact each new incoming connection starts a new proxy instance, provided
    the incoming connection is destined to an opened port and when the use of
    the service bound to that port is permitted.
    
    A dispatch is a general entity encapsulating a TCP or UDP listener, e.g.
    initializing a dispatch object yields the opening of a new port. The stock
    Zorp objects Listener and Receiver (and their derivates) both use dispatch
    objects behind the scenes.
    
    However the dispatch framework allows more than simply opening a new port,
    as several dispatch entries might open the same port. Strange? There is an
    explanation.
    
    Dispatch priorities
    -------------------
    
    As introduced in the previous section, several dispatch objects can be
    initialized with the same IP/port combination. When there are more 
    dispatches on the same port, registered entries are processed in priority
    order. This priority is a simple 32 bit, signed integer (smaller value means
    greater priority). Default "Listener" and "Receiver" objects are registered
    with priority 100.
    
    The interesting part comes in when new entries are registered with higher
    priorities, this way anything in Zorp (this anything is a proxy in most
    cases) can conditionally 'steal' connections from the standard proxy startup.
    
    Dispatch uses
    -------------
    
    The use of the dispatch framework within Zorp is twofold:
    
    1) it is used to implement related connections
    
      A related connection is something like the DATA channel for FTP, where
      protocol commands are transferred using a main channel (usually called
      control channel) while larger data transfers (file up- and downloads) are
      transmitted in a separate connection. This separate connection is handled
      by the same proxy as the control channel but as this is a new connection
      per definition, it needs a new listener to start up.
      
      When opening the listener for the data transfer, the FTP proxy registers a
      new dispatch entry with high priority (numerically equal to -100) to make
      sure no other dispatch entries will steal the data connection.
    
    2) it is used to implement secondary sessions
    
      In traditional proxy based firewalls a single proxy instance handles a
      single session only (e.g. one connection pair). As a proxy instance
      usually requires a separate process or thread (Zorp is thread based) to
      run, this might become a problem in high performance environments as the
      maximum number of processes/threads are limited.
        
      When a proxy supports secondary sessions, it is able to process several
      protocol flows in a single instance (e.g. single process or thread). By
      registering a dispatch entry to the same IP/port which triggered the proxy
      to start at a moderate priority (which is between RELATED and LISTEN
      priorities and equals to 0 numerically) the proxy will be able to steal
      'similar' connections to its original connection.
    
      When a new connection is accepted, it is offered to the proxy for
      processing. The proxy in turn decides whether the connection is similar
      enough to its master session (this decision is usually made based on the
      administrator's settings).  When the connection is not similar enough
      (e.g. it doesn't match the requirements of the administrator), the
      connection is rejected by the proxy and processing continues as normal,
      the lower priority Listener will accept the connection and start a new,
      separate proxy instance. When the connection is good enough the proxy will
      be able to start a new, internal session, thus without the need to start
      new threads. Currently the RADIUS and PLUG proxies support this feature
      and their behaviour can be controlled by their 'secondary_mask' and
      'secondary_limit' attributes.