path: root/netfilter/netfilter-slides.mgp
Diffstat (limited to 'netfilter/netfilter-slides.mgp')
-rw-r--r--  netfilter/netfilter-slides.mgp  443
1 files changed, 443 insertions, 0 deletions
diff --git a/netfilter/netfilter-slides.mgp b/netfilter/netfilter-slides.mgp
new file mode 100644
index 0000000..c94be25
--- /dev/null
+++ b/netfilter/netfilter-slides.mgp
@@ -0,0 +1,443 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The netfilter framework in Linux 2.4
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Contents
+
+ Introduction
+
+ PART I - Netfilter basics / concepts
+
+ Part II - Packet filtering using iptables and netfilter
+
+ Part III - NAT using iptables and netfilter
+
+ Part IV - Packet mangling using iptables and netfilter
+
+ Advanced netfilter concepts
+
+ Current development and Future
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Introduction
+
+What is netfilter
+
+ More than a firewall subsystem
+
+ Generalized Framework (protocol independend)
+
+ Hooks in the Network stack
+
+ Multiple kernel modules can register with each of the hooks
+
+ Asynchronous packet handling in userspace
+
+ IP Tables, usable for any module
+
+Traditional packet filtering / NAT / ... implemented on top of this framework
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Introduction
+
+Why did we need netfilter
+
+ No infrastructure for passing packets to userspace
+
+ Transparent proxying extremely difficult
+
+ Packet filter rules depend on interface addresses
+
+ Masquerading and packet filtering not implemented seperately
+
+ Code too complex
+
+ Neither modular nor extensible
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Introduction
+
+Authors of netfilter
+ Paul 'Rusty' Russell
+ co-author of ipchains in Linux 2.2
+ was paid by Watchguard for about one Year of development
+ now works for Linuxcare
+
+ James Morris
+ userspace queuing (kernel, library and tools)
+ REJECT target
+
+ Marc Boucher
+ NAT and packet filtering controlled by one comand
+ Mangle table
+
+ Harald Welte
+ IRC conntrac+NAT helper
+ Userspace packet logging
+ IPv6 stuff
+
+ Non-core team contributors
+ http://netfilter.kernelnotes.org/scoreboard.html
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART I - Netfilter basics
+
+Netfilter architecture in IPv4
+%font "typewriter"
+
+ --->[1]--->[ROUTE]--->[3]--->[4]--->
+ | ^
+ | |
+ | [ROUTE]
+ v |
+ [2] [5]
+ | ^
+ | |
+ v |
+
+%font "standard"
+1=NF_IP_PRE_ROUTING
+2=NF_IP_LOCAL_IN
+3=NF_IP_FORWARD
+4=NF_IP_POST_ROUTING
+5=NF_IP_LOCAL_OUT
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART I - Netfilter basics
+
+Netfilter base
+
+ Any kernel module may register a callback function at any of the hooks
+
+ The module has to return one of the following constants
+
+ NF_ACCEPT continue traversal as normal
+ NF_DROP drop the packet, do not continue
+ NF_STOLEN I've taken over the packet do not continue
+ NF_QUEUE enqueue packet to userspace
+ NF_REPEAT call this hook again
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART I - Netfilter basics
+
+Packet selection using IP tables
+
+ The kernel provides generic IP tables support
+
+ Each kernel module may create it's own IP table
+
+ The three major parts of 2.4 advanced packet handling are implemented using IP tables
+
+ Packet filtering table 'filter'
+
+ NAT table 'nat'
+
+ Packet mangling table 'mangle'
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART II - packet filtering
+
+Overview
+
+ Implemented on top of three netfilter hooks
+
+ NF_IP_LOCAL_IN (packets destined for the local host)
+ NF_IP_FORWARD (packets forwarded by local host)
+ NF_IP_LOCAL_OUT (packets from the local host)
+
+%size 4
+On each of the three hooks we register one chain (INPUT, FORWARD, OUTPUT) of the IP Table 'filter'
+
+Each packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2 ipchains behaviour.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART II - packet filtering
+
+Managing chains and tables
+
+Each rule in a chain consists out of
+ match (which packet match this rule)
+ target (what to do if the rule is matched)
+
+%size 4
+matches and targets can either be builtin or implemented as kernel modules
+
+%size 6
+The userspace tool iptables is very flexible
+ handles all different kinds of IP tables
+ supports a plugin/shlib interface for target / match specific options
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART II - packet filtering
+
+Basic iptables commands
+
+To build a complete iptable command, we must specify
+ which table to work with
+ which chain in this table to use
+ an operation (insert, add, delete, modify)
+ a match
+ a target
+
+The syntax is
+%font "typewriter"
+%size 3
+iptables -t table -Operation chain -j target match(es)
+%font "standard"
+%size 5
+
+Example:
+%font "typewriter"
+%size 3
+iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART II - packet filtering
+
+Targets
+
+ Builtin Targets to be used in filter table
+ ACCEPT accept the packet
+ DROP silently drop the packet
+ QUEUE enqueue packet to userspace
+ RETURN return to previous (calling) chain
+ foobar user defined chain
+
+Targets implemented as loadable modules
+ REJECT drop the packet but inform sender
+ MIRROR change source/destination IP and resend
+ LOG log via syslog
+ ULOG log via userspace
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART II - packet filtering
+
+Matches
+
+ Basic matches
+ -p protocol (tcp/udp/icmp/...)
+ -s source address (ip/mask)
+ -d destination address (ip/mask)
+ -i incoming interface
+ -o outgoing interface
+
+ Match extensions
+ --dport destination port
+ --sport source port
+ --mac-source source MAC address
+ --mark nfmark
+ --tos TOS field of IP header
+ --ttl TTL field of IP header
+ --limit rate limiting (n packets per timeframe)
+ --owner owner uid of the socket sending the packet
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART III - NAT
+
+Overview
+
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+
+ Netfilter enables Linux to do any kind of NAT.
+
+ All matches from packet filtering are available for the nat tables, too
+
+ We divide NAT into 'source NAT' and 'destination NAT'
+
+ SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
+
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+
+ MASQUERADE is a special case of SNAT
+
+ REDIRECT is a special case of DNAT
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART III - NAT
+
+Source NAT
+
+ SNAT Example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8
+%font "standard"
+%size 4
+
+Masquerading does almost the same as SNAT, but if the outgoing interfaces' address changes (in case we have a dialup with dynamic ip), the new address is used.
+
+ MASQUERADE Example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART III - NAT
+
+Destination NAT
+
+ DNAT example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1
+%font "standard"
+%size 4
+
+REDIRECT is a special case of DNAT, which alters the destination to the address of the incoming interface.
+
+ REDIRECT example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+PART IV - Packet mangling
+
+ Change certain parts of a packet based on rules in IP tables
+
+ Again all the matches available, as described in packet filtering section.
+
+ Currently, the supported packet mangling targets are:
+ TOS manipulate the TOS bits
+ TTL set / increase / decrease TTL field
+ MARK change the nfmark field of the skb
+
+Simple example:
+%font "typewriter"
+%size 3
+
+iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Advanced Netfilter concepts
+
+ Connection tracking
+
+ Implemented seperately from NAT
+
+ Enables stateful filtering
+
+ Implementation
+ hooks into NF_IP_PRE_ROUTING to track packets
+ hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to drop information about connections which got filtered out
+ protocol modules (currently TCP/UDP/ICMP)
+ application helpers (currently FTP and IRC-DCC)
+
+ Conntrack divides packets in the following four categories
+ NEW - would establish new connection
+ ESTABLISHED - part of already established connection
+ RELATED - is related to established connection
+ INVALID - (multicast, errors...)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Advanced Netfilter concepts
+
+%size 4
+ Userspace logging
+ flexible replacement for old syslog-based logging
+ packets to userspace via multicast netlink sockets
+ easy-to-use library (libipulog)
+ plugin-extensible userspace logging daemon already available
+
+ Queuing
+ reliable asynchronous packet handling
+ packets to userspace via unicast netlink socket
+ easy-to-use library (libipq)
+ experimental queue multiplex daemon (ipqmpd)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Current Development and Future
+
+Netfilter (although it proved very stable) is still work in progress.
+
+Areas of current development
+ infrastructure for conntrack/nat helpers in userspace
+ full TCP sequence number tracking
+ multicast support for connection tracking
+ more flexible matches (MAXCONN, ...)
+ more conntrack and NAT modules (RPC, SNMP, SMB, ...)
+ better IPv6 support (conntrack, more matches / targets)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter in Linux 2.4
+Availability of slides / Links
+
+The slides and the an according paper of this presentation are available at
+ http://www.gnumonks.org
+
+The netfilter homepage is mirrored at:
+ http://netfilter.samba.org
+ http://netfilter.kernelnotes.org
+ http://netfilter.filewatcher.org
+
+More documents / netfilter extensions (ulogd, ipqmpd, ...)
+ http://www.gnumonks.org/projects
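Review bot: the "Connection tracking" slide under "Advanced Netfilter concepts" lists only NF_IP_PRE_ROUTING as the hook where packets are tracked, but connection tracking also registers at NF_IP_LOCAL_OUT so that locally generated packets get an entry; without it the slide contradicts the earlier "Netfilter architecture in IPv4" diagram, where locally originated traffic never passes hook 1. Suggest "hooks into NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT to track packets". That diagram itself is also truncated: the arrows leaving [2] downwards and entering [5] from below point at an empty line where the local-process box belongs, so the reader cannot see what connects LOCAL_IN to LOCAL_OUT. Finally, several misspellings will be projected as-is and should be fixed in the source: "protocol independend", "implemented seperately" (twice, in the introduction and on the conntrack slide), "one comand", "IRC conntrac+NAT helper", "whille passing NF_IP_POST_ROUTING", "it's own IP table", and "consists out of" (should be "consists of").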