Diffstat (limited to '2002/netfilter-future-lk2002/abstract')
-rw-r--r--  2002/netfilter-future-lk2002/abstract  33
1 files changed, 33 insertions, 0 deletions
diff --git a/2002/netfilter-future-lk2002/abstract b/2002/netfilter-future-lk2002/abstract new file mode 100644 index 0000000..177d436 --- /dev/null +++ b/2002/netfilter-future-lk2002/abstract @@ -0,0 +1,33 @@ +Linux packet filtering in the 2.6.x kernel series + +The Linux 2.4.x provided a complete rewrite of the firewalling subsystem, +called netfilter/iptables. It was a major improvement about the previous +ipchains subsystem. The major advantages are it's modularity and flexibility. + +However, as wity any project, as soon as you are sort-of finished, you become +aware of potential improvements and extensions. + +The firewalling subsystem within the Linux kernel will undergo some fundamental design changes during the 2.5.x development kernel series. + +Some of the changes from 2.4.x are: + +- Have an independent pkt_tables subsystem, as a layer3 independent replacement + for iptables, ip6tables and arptables. This will allow adding support for + other layer 3 protocols very easily +- Move all kernel/userspace communication to netlink sockets. There will be + a generic nfnetlink layer, with pkttnetlink (for managing pkt_tables) and + ctnetlink (for manipulating the connection tracking database from userspace). +- Change the internal data structure of an ip_table to a linked list of chains, + which in turn are a linked lists out of rules, which are linked lists out of + matches + targets. This way it is _way_ more performant in the case of + dynamic firewalling rulesets. +- Provide a generic high-level API to userspace applications for manipulation + of packet filtering rules. This will enable generic GUI's, which need no + changes in case new matches or targets are added. + +Optionally, the netfilter core team is planning to have support for connection +tracking state replication - something necessarry for failover of stateful +firewalls. + +The talk assumes prior knowledge about the netfilter/iptables architecture. + |
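Review bot: the new abstract carries several spelling and grammar slips that will be visible in the published programme and are worth fixing before this lands: "wity any project" should read "with any project", "necessarry" should be "necessary", and "it's modularity and flexibility" should be "its modularity and flexibility" (possessive, no apostrophe). In the same vein, "a major improvement about the previous ipchains subsystem" reads better as "a major improvement over the previous ipchains subsystem", the opening sentence "The Linux 2.4.x provided" is missing its noun ("The Linux 2.4.x kernel series provided"), and "which in turn are a linked lists out of rules" mixes singular and plural ("which in turn are linked lists of rules, which are linked lists of matches and targets"). Also worth a look: the line "The firewalling subsystem within the Linux kernel will undergo ..." is noticeably longer than the rest of the file, which is otherwise wrapped at roughly 80 columns; rewrapping it keeps the abstract consistent with the other entries in the tree.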