
Linux-Kongress 2002
9th International Linux System Technology Conference
September 4-6, 2002 in Cologne, Germany


Author: Harald Welte
Title: The Future of Linux Packet Filtering
Postscript: 869872 Bytes

Linux 2.4.x provided a complete rewrite of the firewalling subsystem, called netfilter/iptables. It was a major improvement over the previous ipchains subsystem. Its main advantages are its modularity and flexibility.

However, as with any project, as soon as you are sort-of finished, you become aware of potential improvements and extensions.

The firewalling subsystem within the Linux kernel will undergo some fundamental design changes during the 2.5.x development kernel series.

Some of the changes from 2.4.x which are currently being developed:

    - Have an independent pkt_tables subsystem, as a layer 3 independent replacement for iptables, ip6tables and arptables. This will allow adding support for other layer 3 protocols very easily.
    - Move all kernel/userspace communication to netlink sockets. There will be a generic nfnetlink layer, with pkttnetlink (for managing pkt_tables) and ctnetlink (for manipulating the connection tracking database from userspace).
    - Change the internal data structure of an ip_table to a linked list of chains, which in turn are linked lists of rules, which are linked lists of matches plus a target. This way it performs much better in the case of dynamic firewalling rulesets, because a single rule can be inserted or removed without replacing the whole table.
    - Provide a generic high-level API to userspace applications for manipulation of packet filtering rules. This will enable generic GUIs, which need no changes when new matches or targets are added.
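The third point above is a data-structure claim, so here is a toy model of that layout as an added example (it is not code from the talk, from netfilter or from pkt_tables): a table is a linked list of chains, a chain is a linked list of rules, and a rule is a linked list of matches plus a target. All struct names, the packet fields, the verdict values and the sample addresses and ports are assumptions made for this example. The point it shows is that inserting or deleting one rule is a pointer walk plus a relink, with no copy of the table, while traversal still evaluates rules in order until one rule's matches all succeed.

```c
/* Toy model of the ruleset layout the abstract describes (added example,
 * not netfilter or pkt_tables code).  All names and fields are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, minimal packet view: just the fields the matches inspect. */
struct pkt { uint32_t saddr; uint8_t proto; uint16_t dport; };

enum verdict { V_ACCEPT = 1, V_DROP = 2 };

struct match {                       /* one predicate over a packet */
    int (*fn)(const struct pkt *, const void *);
    const void *arg;
    struct match *next;
};
struct rule  { struct match *matches; enum verdict target; struct rule *next; };
struct chain { const char *name; struct rule *rules; enum verdict policy; struct chain *next; };
struct table { struct chain *chains; };

/* Match implementations; arg points at the value to compare against. */
static int match_proto(const struct pkt *p, const void *a) { return p->proto == *(const uint8_t *)a; }
static int match_dport(const struct pkt *p, const void *a) { return p->dport == *(const uint16_t *)a; }
static int match_saddr(const struct pkt *p, const void *a) { return p->saddr == *(const uint32_t *)a; }

static struct match *match_new(int (*fn)(const struct pkt *, const void *),
                               const void *arg, struct match *next)
{
    struct match *m = malloc(sizeof *m);
    m->fn = fn; m->arg = arg; m->next = next;
    return m;
}

/* Walk to the link slot for position pos (0 = head); stops at the tail
 * if pos is past the end of the chain. */
static struct rule **rule_slot(struct chain *c, unsigned pos)
{
    struct rule **pp = &c->rules;
    while (pos-- && *pp) pp = &(*pp)->next;
    return pp;
}

/* Insert a rule at pos: a pointer walk plus one relink, no table copy. */
static struct rule *rule_insert(struct chain *c, unsigned pos,
                                struct match *matches, enum verdict target)
{
    struct rule **pp = rule_slot(c, pos);
    struct rule *r = malloc(sizeof *r);
    r->matches = matches; r->target = target; r->next = *pp;
    *pp = r;
    return r;
}

/* Unlink and free the rule at pos; returns 1 if a rule was removed. */
static int rule_delete(struct chain *c, unsigned pos)
{
    struct rule **pp = rule_slot(c, pos);
    struct rule *r = *pp;
    if (!r) return 0;
    *pp = r->next;
    while (r->matches) { struct match *m = r->matches; r->matches = m->next; free(m); }
    free(r);
    return 1;
}

static unsigned chain_len(const struct chain *c)
{
    unsigned n = 0;
    for (const struct rule *r = c->rules; r; r = r->next) n++;
    return n;
}

/* First rule whose matches all succeed decides; otherwise the chain policy. */
static enum verdict chain_traverse(const struct chain *c, const struct pkt *p)
{
    for (const struct rule *r = c->rules; r; r = r->next) {
        const struct match *m = r->matches;
        while (m && m->fn(p, m->arg)) m = m->next;
        if (!m) return r->target;        /* every match in the rule passed */
    }
    return c->policy;
}

static struct chain *table_find(struct table *t, const char *name)
{
    for (struct chain *c = t->chains; c; c = c->next)
        if (strcmp(c->name, name) == 0) return c;
    return NULL;
}

/* Constructed demo ruleset: INPUT drops by default, allows TCP/22 and TCP/80. */
static const uint8_t  PROTO_TCP = 6;
static const uint16_t PORT_SSH = 22, PORT_HTTP = 80;
static const uint32_t BLOCKED_HOST = 0x0a000005;   /* 10.0.0.5, constructed */

static struct table *demo_table(void)
{
    struct table *t = malloc(sizeof *t);
    struct chain *in = malloc(sizeof *in);
    in->name = "INPUT"; in->rules = NULL; in->policy = V_DROP; in->next = NULL;
    t->chains = in;
    rule_insert(in, 0, match_new(match_proto, &PROTO_TCP,
                       match_new(match_dport, &PORT_SSH, NULL)), V_ACCEPT);
    rule_insert(in, 1, match_new(match_proto, &PROTO_TCP,
                       match_new(match_dport, &PORT_HTTP, NULL)), V_ACCEPT);
    return t;
}

int main(void)
{
    struct chain *in = table_find(demo_table(), "INPUT");
    struct pkt ssh = { 0x0a000001, 6, 22 }, bad = { BLOCKED_HOST, 6, 22 };
    printf("ssh: %d\n", chain_traverse(in, &ssh));
    /* Dynamically block one host by prepending a rule; nothing else is rebuilt. */
    rule_insert(in, 0, match_new(match_saddr, &BLOCKED_HOST, NULL), V_DROP);
    printf("blocked host: %d, ssh from elsewhere: %d\n",
           chain_traverse(in, &bad), chain_traverse(in, &ssh));
    rule_delete(in, 0);
    printf("blocked host after delete: %d\n", chain_traverse(in, &bad));
    return 0;
}
```

The flat-table design this replaces has to copy and re-install the whole ruleset for every change, so a firewall that adds and removes per-host rules at run time pays for the full table on each update; with the list layout the cost of an update is proportional to the rule's position in its chain, and lookups are unchanged.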

As an optional feature, the netfilter core team is planning to support connection tracking state replication, something necessary for failover of stateful firewalls.

The talk assumes prior knowledge about the netfilter/iptables architecture.

About the Author

Harald Welte is one of the five netfilter core team members, and the current Linux 2.4.x firewalling maintainer.

His main interest in computing has always been networking. In the little time left besides netfilter/iptables related work, he writes obscure documents like the UUCP over SSL HOWTO. Other kernel-related projects he has contributed to are User Mode Linux and the international (crypto) kernel patch.

In the past he worked as an independent IT consultant on closed-source projects for various companies, ranging from banks to manufacturers of networking gear. During 2001 he lived in Curitiba (Brazil), where his Linux related work was sponsored by Conectiva Inc.

Since February 2002, Harald has been contracted part-time by Astaro AG, who sponsor parts of his current netfilter/iptables work.

Harald lives in Erlangen, Germany.

Last change: 2005-09-17