Future directions of Linux firewalling

Harald Welte, netfilter core team & Astaro AG

The Linux 2.4.x series provided a fundamental redesign of the packet filtering and NAT framework, called netfilter/iptables. This flexible and modular framework still had its limitations. This BOF will discuss the recent and upcoming changes during the 2.4.x kernel series, as well as planned and partially implemented changes/extensions for the 2.5.x kernel series.

Topics covered:

2.4.x stuff:
- The newnat API: supporting connection tracking and NAT for complex protocols like H.323
- Accessing connection tracking table entries from userspace: ctnetlink
- Packet filtering and even NAT on a bridge

2.5.x stuff:
- libiptables: providing a flexible and extensible API towards all iptables features
- pkttables: creating a layer-3-protocol independent layer for rule tables; unifying iptables, ip6tables and arptables
- nfnetlink: moving all netfilter/iptables related kernel/userspace communication towards netlink