From 65852a879013aaa74501aac288a4e265fea6f54b Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Tue, 7 Nov 2017 23:23:23 +0900 Subject: netfilter keynote semi-final version --- 2017/netfilter-netdev2.2/laforge-hat.jpg | Bin 0 -> 103812 bytes 2017/netfilter-netdev2.2/lbw1.jpg | Bin 0 -> 172071 bytes 2017/netfilter-netdev2.2/lbw2.jpg | Bin 0 -> 174836 bytes 2017/netfilter-netdev2.2/marc-ols2000.jpg | Bin 0 -> 168369 bytes 2017/netfilter-netdev2.2/netfilter-keynote.adoc | 355 ++++++++++++++++-------- 2017/netfilter-netdev2.2/pablo-2009-zoom.jpg | Bin 0 -> 358385 bytes 2017/netfilter-netdev2.2/pablo-finger-zoom.png | Bin 0 -> 469800 bytes 2017/netfilter-netdev2.2/patrick-zoom.png | Bin 0 -> 228589 bytes 2017/netfilter-netdev2.2/patrick.jpg | Bin 0 -> 73309 bytes 2017/netfilter-netdev2.2/rusty2000-zoom.png | Bin 0 -> 253501 bytes 10 files changed, 243 insertions(+), 112 deletions(-) create mode 100644 2017/netfilter-netdev2.2/laforge-hat.jpg create mode 100644 2017/netfilter-netdev2.2/lbw1.jpg create mode 100644 2017/netfilter-netdev2.2/lbw2.jpg create mode 100644 2017/netfilter-netdev2.2/marc-ols2000.jpg create mode 100644 2017/netfilter-netdev2.2/pablo-2009-zoom.jpg create mode 100644 2017/netfilter-netdev2.2/pablo-finger-zoom.png create mode 100644 2017/netfilter-netdev2.2/patrick-zoom.png create mode 100644 2017/netfilter-netdev2.2/patrick.jpg create mode 100644 2017/netfilter-netdev2.2/rusty2000-zoom.png (limited to '2017') diff --git a/2017/netfilter-netdev2.2/laforge-hat.jpg b/2017/netfilter-netdev2.2/laforge-hat.jpg new file mode 100644 index 0000000..b78b399 Binary files /dev/null and b/2017/netfilter-netdev2.2/laforge-hat.jpg differ diff --git a/2017/netfilter-netdev2.2/lbw1.jpg b/2017/netfilter-netdev2.2/lbw1.jpg new file mode 100644 index 0000000..f647dae Binary files /dev/null and b/2017/netfilter-netdev2.2/lbw1.jpg differ 
diff --git a/2017/netfilter-netdev2.2/lbw2.jpg b/2017/netfilter-netdev2.2/lbw2.jpg new file mode 100644 index 0000000..4118dfb Binary files /dev/null and b/2017/netfilter-netdev2.2/lbw2.jpg differ diff --git a/2017/netfilter-netdev2.2/marc-ols2000.jpg b/2017/netfilter-netdev2.2/marc-ols2000.jpg new file mode 100644 index 0000000..55a8b74 Binary files /dev/null and b/2017/netfilter-netdev2.2/marc-ols2000.jpg differ diff --git a/2017/netfilter-netdev2.2/netfilter-keynote.adoc b/2017/netfilter-netdev2.2/netfilter-keynote.adoc index d75dee2..6902629 100644 --- a/2017/netfilter-netdev2.2/netfilter-keynote.adoc +++ b/2017/netfilter-netdev2.2/netfilter-keynote.adoc @@ -21,11 +21,12 @@ netfilter archeology: 18 years from 2.3 to 4.x * late 1990ies * Internet was still new to many people * Internet Security was still rather new -** think e.g. of the "ping of death" problems.I +** think e.g. of the "ping of death" problems. * no git, not even subversion, but: CVS(!) ** even pre-bitkeeper, so no kernel global revision control -* no virtual machines, testing on physical boxes, long boot cycles +** Linus was applying patches and making "pre" releases as tar-ball every so often * no authorship annotation / commit history +* no virtual machines, testing on physical boxes, long boot cycles == pre-netfilter 
@@ -33,18 +34,21 @@ The pre-netfilter days [role="incremental"] * Linux 1.2, 1.3 and 2.0 had `ipfwadm` (Jos Vos et al) +** who in the audience has still used that? Raise your hand! +[role="incremental"] * Linux 2.2 had `ipchains` (Rusty Russell) +** who in the audience has still used that? Raise your hand! ** Rusty was doing some sysadmin work at an ISP and was doing his job so well that he had plenty of spare time ** He was _immensely_ inspired by a talk by DaveM on beating the hell out of Solaris on SPARC ** wanted to do more Linux stuff, met WatchGuard -** proposd to do a proper redesign of the Linux firewall if they pay him for 6-12 months +** proposed to do a proper redesign of the Linux firewall if they pay him for 6-12 months ** ... which they did, so mid-1998 to mid-1999, he hacked away on it. == Creation Timeline [quote, Rusty Russell] Who the hell are you, and why are you playing with my kernel? -I want to clear up some people's misconceptions: I am no kernel guru. I know this, because my kernel work has brought me into contact with some of them: David S. Miller, Alexey Kuznetsov, Andi Kleen, Alan Cox. However, they're all busy doing the deep magic, leaving me to wade in the shallow end where it's safe. +I want to clear up some people's misconceptions: I am _no kernel guru_. I know this, because my kernel work has brought me into contact with some of them: David S. Miller, Alexey Kuznetsov, Andi Kleen, Alan Cox. However, they're all busy doing the deep magic, leaving me to wade in the shallow end where it's safe. [role="incremental"] * July 20, 1998: Rusty posts initial netfilter design to netdev list 
@@ -96,13 +100,21 @@ Have fun, In other news: * East Timor becomes independent of Indonesia -* Vladimir Putin becomes Prime Minister of Russia +* Vladimir Putin becomes Prime Minister of Russia for the first time == Rusty (at Linux Beer Hike 2000) image:rusty2000.jpg[] -== Marc (at OLS 2000) +== Linux Beer Hike 2000 + +image:lbw1.jpg[width="100%"] + +== Linux Beer Hike 2000 + +image:lbw2.jpg[width="100%"] + +== Marc Boucher (at OLS 2000) image:marc-ols2000-zoom.png[] 
@@ -120,27 +132,26 @@ image:marc-ols2000-zoom.png[] * October 2012: _Eric Leblond_ and _Florian Westphal_ join core team ** Harald, Martin and Yasuyuki enter _emeritus_ status -== James (in 2008) +== James Morris (in 2008) image:james.jpg[width="60%"] -== Humor +(sorry, I have no earlier picture of him) + +== (Rustys) Humor From http://www.netfilter.org/about.html#history Following James' assimilation into the collective, our efforts were mainly directed towards preparations for -the release of Netfilter as part of the upcoming 2.4 kernel. _It was the dawn of the third age of Linux -firewalling; a time of great struggle and heroic deeds. It was our last, best hope for peace. Great -communities were founded, old civilizations were lost, and new alliances were formed._ James' missions during -this period included the _continued perversion of the networking code_, such that it was now possible to load -an ASN.1 parser into the kernel and _inflict grave terror upon unsuspecting SNMP packets_; and to extend the -IP stack into userspace with Perl. _Now peering squarely into the abyss, we noticed the good deeds of a young -kernel warrior_ named Harald Welte, who seemed to actually understand the NAT code. Accordingly, his -distinctiveness was added to the collective. _With balance restored, the netfilter juggernaut was now free to -accelerate into the brave new world of Linux 2.4 and face it's greatest challenge: users._ +the release of Netfilter as part of the upcoming 2.4 kernel. + +_It was the dawn of the third age of Linux firewalling; a time of great struggle and heroic deeds. It was our last, best hope for peace. 
Great communities were founded, old civilizations were lost, and new alliances were formed._ +James' missions during this period included the _continued perversion of the networking code_, such that it was now possible to load an ASN.1 parser into the kernel and _inflict grave terror upon unsuspecting SNMP packets_; and to extend the IP stack into userspace with Perl. -== Humor +_Now peering squarely into the abyss, we noticed the good deeds of a young kernel warrior_ named Harald Welte, who seemed to actually understand the NAT code. Accordingly, his distinctiveness was added to the collective. _With balance restored, the netfilter juggernaut was now free to accelerate into the brave new world of Linux 2.4 and face it's greatest challenge: users._ + +== (Rustys) Humor ---- Date: Fri, 13 Oct 2000 16:26:06 +1100 @@ -155,16 +166,21 @@ Harald Welte has frequently answered user questions on the mailing list, and aut This shocking and revolutionary approach to software development will fill a much-needed void in the Netfilter Team. Assuming he survives the inauguration ceremony. ---- -In other news: +Meanwhile, in other news: [role="incremental"] -* Bill Gatest steps down as CEO of Microsoft +* Bill Gates steps down as CEO of Microsoft -== Harald +== 2000: Harald Welte image:laforge-hat.jpg[] -== Jozsef +* active in German BBS community and pre-internet offline e-mail networking +* sysadmin work at first German _online bistro_ later turning into first _internet cafe_ +* volunteer sysadmin at volunteer-based non-profit ISP from 1994 onwards +* interest: packet filtering and IT security in general + +== 2001: Jozsef Kadlecsik ---- Date: Fri, 7 Dec 2001 21:19:57 +1100 (EST) 
@@ -181,19 +197,33 @@ Welcome Jozsef! - James, on behalf of the Netfilter Core Team. -- -James Morris - +James Morris ---- -== Jozsef +== 2001: Jozsef Kadlecsik + +image:jozsef.jpg[width="30%"] + +Jozsef joins netfilter core team in December 2001 -image:jozsef.jpg[width="40%"] +* Physicist at Hungarian Physics Research Institute KFKI +** does lots of sysadmin work there, including firewalling +** btw: what's it with physicists and Linux networking, just like Alexey Kuznetsov? +* focus on connection tracking (he added TCP window tracking) +* still active in the project ever since (longest standing core team member) -== Martin +== 2001: Jozsef Kadlecsik -image:video-not-available-youtube-error.png[] +Prior to Jozsef joining, but note-worthy: +* Kernel 2.4.0 is released in January 2001 (with netfilter/iptables) +Meanwhile in December 2001: + +[role="incremental"] +* Enron files for Chapter 11 bankruptcy +* UN authorizes ISAF in Afghanistan (post 9'11 attacks) +* President Karzai is selected to lead Afghan Interim Administration == Documentation @@ -209,7 +239,6 @@ Getting into the project as both a user or developer was helped enormously by th The original versions of those documents were all created in early 2000. - == The netfilter scoreboard * a _scoreboard_ was established @@ -225,7 +254,7 @@ Guess these days, people would count this as _gamification_? == The netfilter scoreboard (April 2002) -image:netfilter-scoreboard-20020408.png[] +image:netfilter-scoreboard-20020408.png[width="100%"] == The netfilter scoreboard (April 2002) @@ -285,7 +314,7 @@ Hacking time. == Early Success -What contributed to the early success with lots of devlopers wriing netfilter/iptables code: +What contributed to the early success with lots of developers writing netfilter/iptables code: * loads of good documentation * modular framework with 
@@ -296,35 +325,23 @@ What contributed to the early success with lots of devlopers wriing netfilter/ip => Everyone could easily write his favorite match/target/plugin -== core team emeritus members +== 2003: Martin Josefsson ----- -Date: Fri, 09 Jan 2004 15:17:19 +1100 -From: Rusty Russell -Subject: [ANNOUNCE] Core Team Announces Emeritus Members - -The Netfilter Core Team has long discussed the issue of Core Team members who are no longer active. Dismissing them from the Core Team would deny them the benefits of such a prestigious title, should any become apparent. - -Hence the conclusion is that Marc Boucher, James Morris and Rusty Russell are now "emeritus"[1] members of the Netfilter Core Team. - -[...] - -[1] Latin for "burnt-out freeriding slacker", I believe. ----- +image:video-not-available-youtube-error.png[width="50%"] -== the story behind +Martin Josefsson joins core team in August 2003 -[role="incremental"] -* Until recently, I thought -** Rusty simply had too many other tempting distracting projects (kernel module loader, qemu, ...) +* mainly optimizations e.g. on connection tracking hash tables +* he worked at large ISP where that performance actually mattered -[role="incremental"] -* Recently, Rustyy told me -** it was a deliberate decision to leave netfilter -** the new core team and maintainers should run the project without interference from the project father +Historical Context: +* kernel 2.6.x released in December 2003 +* DPRK withdraws from nuclear non-proliferation treaty +* The US space shuttle Columbia crahes +* US launches war on Iraq; Saddam Hussein is captured -== Pablos first messages +== 2003: Pablos first messages ---- Date: Wed, 12 Nov 2003 00:06:11 +0100 
@@ -370,7 +387,63 @@ P.S: thanks for this *great piece of code*!! ---- -== Pablo (fast forward four years) +== 2004: Patrick McHardy + +image:patrick-zoom.png[width="40%"] + +Patrick joins core team in January 2004 + +* lots of good work in many areas; moved beyond netfilter and even entered the iproute2/tc lands ;) +* most recently suspended from core team due to questionable practises in copyright/license enforcement + +Historical Context: + +* Facebook was born +* Bluetooth 2.0 EDR spec released +* Skype becomes really popular + +== core team emeritus members + +---- +Date: Fri, 09 Jan 2004 15:17:19 +1100 +From: Rusty Russell +Subject: [ANNOUNCE] Core Team Announces Emeritus Members + +The Netfilter Core Team has long discussed the issue of Core Team members who are no longer active. Dismissing them from the Core Team would deny them the benefits of such a prestigious title, should any become apparent. + +Hence the conclusion is that Marc Boucher, James Morris and Rusty Russell are now "emeritus"[1] members of the Netfilter Core Team. + +[...] + +[1] Latin for "burnt-out freeriding slacker", I believe. +---- + +== the story behind Rustys departure + +[role="incremental"] +* Until recently, I thought +** Rusty simply had too many other tempting distracting projects (kernel module loader, qemu, +paravirtualization, ...) + +[role="incremental"] +* Recently, Rusty told me +** it was a deliberate decision to leave netfilter +** the new core team and maintainers should run the project without interference from the project father +** kids have to stand on their own feet + + +== 2005: Yasuyuki Kozakai joins core team + +Yasuyuki Kozakai joins netfilter core team + +* member of Japanese USAGI project for Linux IPv6 +* Main contribution: IPv6 connection tracking, including +** nf_conntrack generalization +** conntrack estensions +** nf_nat for IPv6 + + +== 2007: Pablo Neira Ayuso joins core team ---- Date: Thu, 15 Feb 2007 14:02:03 +0900 (JST) 
@@ -391,13 +464,76 @@ on behalf of the Netfilter Core Team. == Pablo (2009) -image:pablo-2009.jpg[width="60%"] +image:pablo-2009-zoom.jpg[width="40%"] -== Harald (2006) +* initially known for work on ctnetlink and conntrackd +* later known for a jack of all [netfilter] trades +* official head of core team since 2013, already more or less de-facto before + +== Harald (2009) As I'm showing various old pictures of other people, for fairness' sake... -image:harald-2006.jpg[width="30%"] +Historical Context: + +* President Obama is inaugurated +* Conficker virus infects 9.5 million PCs +* Michael Jackson died +* Google starts ChromeOS + + +== nftables (2009) + +---- +Date: Wed, 18 Mar 2009 05:29:42 +0100 +From: Patrick McHardy +To: Netfilter Development Mailinglist +CC: Linux Netdev List +Subject: [ANNOUNCE]: First release of nftables + +Finally, with a lot of delay, I've just released the first full public +version of my nftables code (including userspace), which is intended to +become a successor to iptables. Its written from scratch and there are +numerous differences to iptables in both features and design, so I'll +start with a brief overview. + +There are three main components: + +- the kernel implementation +- libnl netlink communication +- nftables userspace frontend +---- + +== 2012: Eric Leblond and Florian Westphal + +In October 2012, Eric Leblond and Florian Westphal join core team + +* Eric: nf_nat port randomization, lots of nfnetlink* fixes, later also nftables +* Florian: NFQUEUE load balancing, NFQUEUE fixes and improvements, later pretty much every area + +Also in October 2012: Harald, Martin and Yasuyuki finally enter emeritus state + +Historical Context: + +* US begins retaliation action against embassy attack in Libya +* Turkey retaliates against Syria +* Windows 8 makes its debut +* Great Patent war Apple vs. 
Samsung +* Megaupload gets shut down + +== nftables (2013) + +Pablo picked up a lot of the loose ends left by Patrick after some time +and in 2013, nftables finally goes mainline! + +---- +commit 96518518cc417bb0a8c80b9fb736202e28acdf96 +Author: Patrick McHardy +Date: Mon Oct 14 11:00:02 2013 +0200 +---- + +image:pablo-iptables-bye-zoom.png[] + @@ -454,14 +590,11 @@ From: Rusty Russell To: Patrick McHardy On Tue, 2005-05-31 at 15:02 +0200, Patrick McHardy wrote: -> Second of all, I spent like 10 hours to verify the -> proposed fixes, and I am still convinced that it is correct. +> Second of all, I spent like 10 hours to verify the proposed fixes, and I am still convinced that it is correct. -Which shows exactly *why* we have a testsuite. Dammit, I didn't spend -all those hours on it for fun. +Which shows exactly *why* we have a testsuite. Dammit, I didn't spend all those hours on it for fun. -You spent *10* hours, and the testsuite runs in 5 seconds (60 seconds -counting build time the first time). +You spent *10* hours, and the testsuite runs in 5 seconds (60 seconds counting build time the first time). ---- @@ -521,11 +654,9 @@ Subject: [netfilter-core] Re: conntrack patches > Hi Rusty, > -> Last year I started to go trough all of your unpublished conntrack related -> patches. [...] +> Last year I started to go trough all of your unpublished conntrack related patches. [...] -> Are you working on the patches or plan to finish them? -> Or can I go back and complete the half-done job on the patches? +> Are you working on the patches or plan to finish them? Or can I go back and complete the half-done job on the patches? Jozsef, Let me put it this way: take over those patches and I will name my first child after you. 
@@ -544,11 +675,9 @@ Cc: netfilter-devel@lists.netfilter.org Subject: Re: NAT for IPv6 On Wed, Nov 19, 2003 at 01:38:47PM +0100, Maciej Soltysiak wrote: -> out of curiousity - are there plans to incorporate NAT into ip6tables -> or future pkttables ? +> out of curiousity - are there plans to incorporate NAT into ip6tables or future pkttables ? -over my dead body. NAT is what broke ipv4 end-to-end. Let's not do the -same with ipv6. +over my dead body. NAT is what broke ipv4 end-to-end. Let's not do the same with ipv6. The only reasonable application is ipv4-to-ipv6 transition-nat. @@ -562,44 +691,6 @@ The only reasonable application is ipv4-to-ipv6 transition-nat. -== nftables (2009) - ----- -Date: Wed, 18 Mar 2009 05:29:42 +0100 -From: Patrick McHardy -To: Netfilter Development Mailinglist -CC: Linux Netdev List -Subject: [ANNOUNCE]: First release of nftables - -Finally, with a lot of delay, I've just released the first full public -version of my nftables code (including userspace), which is intended to -become a successor to iptables. Its written from scratch and there are -numerous differences to iptables in both features and design, so I'll -start with a brief overview. - -There are three main components: - -- the kernel implementation -- libnl netlink communication -- nftables userspace frontend ----- - -== nftables (2013) - -In 2013, nftables goes mainline! - ----- -commit 96518518cc417bb0a8c80b9fb736202e28acdf96 -Author: Patrick McHardy -Date: Mon Oct 14 11:00:02 2013 +0200 ----- - -image:pablo-iptables-bye-zoom.png[] - - - - - == netfilter Workshops * 1998/1999/2000: Informal meetings of some of the people involved @@ -630,7 +721,7 @@ image:pablo-iptables-bye-zoom.png[] == Workshop 2003: Group Picture -image:nfws2003_group.png[] +image:nfws2003_group.png[width="100%"] == Workshop 2005: Fun fact 
@@ -640,6 +731,8 @@ image:unix-extinguisher-2005.jpg[] image:nfws2013.jpg[width="100%"] +* 2011: Kernel 3.0 is released, with netfilter/iptables + == Workshop 2014 image:nfws2014.jpg[width="100%"] 
@@ -648,13 +741,51 @@ image:nfws2014.jpg[width="100%"] image:nfws2015.jpg[width="100%"] +* Kernel 4.0 is relesaed, with netfilter/iptables and nftables + == Workshop 2016 image:nfws2016.jpg[width="100%"] +== Interesting Challenges +* iptables kernel code used to never verify ruleset integrity +** you could crash kernel using malicious ruleset +** believed to be non-issue due to NET_CAP_ADMIN requirement +** assumption broke horribly when unprivileged containers appeared +image:pablo-finger-zoom.png[width="50%"] + + +== netfilter.org infrastructure + +* self-hosted physical servers for web/svn/bugzilla/git (and even lists) for long time +** lists moved to vger.kernel.org eventually +* firewall machine in front of netfilter.org for many years: iptables on UltraSPARC +** because we can, and because script kiddies don't do SPARC assembly +* netfilter.org servers for many years Linux on PPC (G5 Clusternode) +** because we can, and because script kiddies don't do PPC assembly + +== Summary: Why sucessful? + +[role="incremental"] +* smart people got funded to implement things the way they want +* extensible architecture from day one +* good documentation for developers and users from day one +* passionate developers who picked netfilter as their own topic of interest + + +== Regrets? + +[role="incremental"] +* not having time for netfilter work anymore :/ +* not officially stepping down sooner, giving Pablo + Patrick more credit +* conntrack/nat helpers are still in kernel space +* people think they need dynamic IPv6-to-IPv6 NA(P)T +* nfsim without replacement; netfilter kernel code remains largely without tests +* with the size and relevance of the Linux industry in 2017, why don't people invest in automatic testsuites for netfilter (and other kernel networking code)? +* not having pushed for more ulogd adoption. Lots of people still use LOG, 17 years after ULOG and ulogd 
@@ -665,7 +796,7 @@ image:nfws2016.jpg[width="100%"] * to Rusty, for being my hero * to Pablo, for picking up the pieces when I left * to Dave, for being everyone's hero -* to regit, for group (and other) pictures +* to Jesper, for group (and other) pictures * to every single netfilter contributor out there == EOF diff --git a/2017/netfilter-netdev2.2/pablo-2009-zoom.jpg b/2017/netfilter-netdev2.2/pablo-2009-zoom.jpg new file mode 100644 index 0000000..db60305 Binary files /dev/null and b/2017/netfilter-netdev2.2/pablo-2009-zoom.jpg differ diff --git a/2017/netfilter-netdev2.2/pablo-finger-zoom.png b/2017/netfilter-netdev2.2/pablo-finger-zoom.png new file mode 100644 index 0000000..ba9e8c0 Binary files /dev/null and b/2017/netfilter-netdev2.2/pablo-finger-zoom.png differ diff --git a/2017/netfilter-netdev2.2/patrick-zoom.png b/2017/netfilter-netdev2.2/patrick-zoom.png new file mode 100644 index 0000000..b165f1e Binary files /dev/null and b/2017/netfilter-netdev2.2/patrick-zoom.png differ diff --git a/2017/netfilter-netdev2.2/patrick.jpg b/2017/netfilter-netdev2.2/patrick.jpg new file mode 100644 index 0000000..f27b8f4 Binary files /dev/null and b/2017/netfilter-netdev2.2/patrick.jpg differ diff --git a/2017/netfilter-netdev2.2/rusty2000-zoom.png b/2017/netfilter-netdev2.2/rusty2000-zoom.png new file mode 100644 index 0000000..7392064 Binary files /dev/null and b/2017/netfilter-netdev2.2/rusty2000-zoom.png differ -- cgit v1.2.3
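Review bot: the two new slide titles `== (Rustys) Humor` in the @@ -120,27 +132,26 @@ hunk are missing the possessive apostrophe; suggest `== (Rusty's) Humor` for both. The `it's greatest challenge` further down is inside the text quoted from http://www.netfilter.org/about.html#history, so leave that one as quoted.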
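Review bot: `(post 9'11 attacks)` in the @@ -181,19 +197,33 @@ hunk should read `9/11`, and `note-worthy` is normally `noteworthy`. In the same hunk, `Prior to Jozsef joining, but note-worthy:` runs straight into the `* Kernel 2.4.0 is released ...` item with no blank line, whereas `Meanwhile in December 2001:` on the same slide is followed by a blank line before its list; add the blank line so the list renders the same way on both.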
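Review bot: two typos in the @@ -296,35 +325,23 @@ hunk: `The US space shuttle Columbia crahes` should be `crashes`, and `== 2003: Pablos first messages` needs the possessive `Pablo's`. On the same `2003: Martin Josefsson` slide, `Historical Context:` is immediately followed by `* kernel 2.6.x released in December 2003` with no blank line, while the `2004: Patrick McHardy` slide added later in this patch puts a blank line between `Historical Context:` and its list; pick one form for all the context slides.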
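Review bot: in the @@ -370,7 +387,63 @@ hunk, `== the story behind Rustys departure` needs `Rusty's`, `conntrack estensions` should be `extensions`, and `questionable practises` should be `practices` (the noun). The `== 2005: Yasuyuki Kozakai joins core team` slide then repeats its heading as the first body line (`Yasuyuki Kozakai joins netfilter core team`) without the month that the Jozsef, Martin and Patrick slides give (`December 2001`, `August 2003`, `January 2004`); either add the date or drop that line.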
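Review bot: the @@ -391,13 +464,76 @@ hunk removes `image:harald-2006.jpg[width="30%"]` from the renamed `== Harald (2009)` slide but keeps the lead-in `As I'm showing various old pictures of other people, for fairness' sake...`, so the slide now promises a picture and shows only a `Historical Context:` list; either put a picture back (a 2009 one, to match the new title) or drop the sentence. Minor wording on the `Pablo (2009)` slide: `later known for a jack of all [netfilter] trades` should be `known as`, and in the 2009 context list `Michael Jackson died` breaks the present tense used by the neighbouring items (`is inaugurated`, `infects`, `starts`).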
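Review bot: the new bullet `* 2011: Kernel 3.0 is released, with netfilter/iptables` in the @@ -640,6 +731,8 @@ hunk lands on the `== Workshop 2013` slide, directly after `image:nfws2013.jpg[width="100%"]`, so a 2011 event is shown under a 2013 heading; if it is meant as a between-workshops note, say so, otherwise move it to a slide of its own.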
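Review bot: `NET_CAP_ADMIN` on the `== Interesting Challenges` slide of the @@ -648,13 +741,51 @@ hunk is not a Linux capability name; the capability meant is `CAP_NET_ADMIN`, and since the slide's whole point is that the privilege assumption behind the unverified ruleset code stopped holding once unprivileged containers appeared, the name should be right. Same hunk: `Kernel 4.0 is relesaed` should be `released`, `== Summary: Why sucessful?` should be `successful`, and the `* iptables kernel code ...` list sits between the `== Interesting Challenges` heading and `image:pablo-finger-zoom.png[width="50%"]` with no blank line on either side, unlike every other slide in the deck.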