path: root/2002/netfilter-future-lk2002/abstract
Diffstat (limited to '2002/netfilter-future-lk2002/abstract')
-rw-r--r--2002/netfilter-future-lk2002/abstract33
1 files changed, 33 insertions, 0 deletions
diff --git a/2002/netfilter-future-lk2002/abstract b/2002/netfilter-future-lk2002/abstract
new file mode 100644
index 0000000..177d436
--- /dev/null
+++ b/2002/netfilter-future-lk2002/abstract
@@ -0,0 +1,33 @@
+Linux packet filtering in the 2.6.x kernel series
+
+The Linux 2.4.x provided a complete rewrite of the firewalling subsystem,
+called netfilter/iptables. It was a major improvement about the previous
+ipchains subsystem. The major advantages are it's modularity and flexibility.
+
+However, as wity any project, as soon as you are sort-of finished, you become
+aware of potential improvements and extensions.
+
+The firewalling subsystem within the Linux kernel will undergo some fundamental design changes during the 2.5.x development kernel series.
+
+Some of the changes from 2.4.x are:
+
+- Have an independent pkt_tables subsystem, as a layer3 independent replacement
+ for iptables, ip6tables and arptables. This will allow adding support for
+ other layer 3 protocols very easily
+- Move all kernel/userspace communication to netlink sockets. There will be
+ a generic nfnetlink layer, with pkttnetlink (for managing pkt_tables) and
+ ctnetlink (for manipulating the connection tracking database from userspace).
+- Change the internal data structure of an ip_table to a linked list of chains,
+ which in turn are a linked lists out of rules, which are linked lists out of
+ matches + targets. This way it is _way_ more performant in the case of
+ dynamic firewalling rulesets.
+- Provide a generic high-level API to userspace applications for manipulation
+ of packet filtering rules. This will enable generic GUI's, which need no
+ changes in case new matches or targets are added.
+
+Optionally, the netfilter core team is planning to have support for connection
+tracking state replication - something necessarry for failover of stateful
+firewalls.
+
+The talk assumes prior knowledge about the netfilter/iptables architecture.
+
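Review bot: the abstract text carries several spelling and grammar slips that should be fixed before this is published: "improvement about the previous" should read "improvement over the previous", "it's modularity" should be "its modularity", "wity" should be "with", "a linked lists out of rules" should be "linked lists of rules", and "necessarry" should be "necessary"; "The Linux 2.4.x provided" also reads better as "The Linux 2.4.x kernel series provided". Separately, the paragraph beginning "The firewalling subsystem within the Linux kernel" sits on one long line while the rest of the file wraps at roughly 80 columns, so wrapping it would keep the file consistent.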
personal git repositories of Harald Welte. Your mileage may vary