Rusty (at Linux Beer Hike 2000)
The pre-netfilter days
ipfwadm (Jos Vos et al)
ipchains (Rusty Russell)
Date: 1999-01-29 10:36:34
From: Paul Rusty Russell <Paul.Russell@rustcorp.com.au>
Subject: [ipchains-dev] netfilter v0.1 released.
Hi all,
Just in case people are sick of all this "stable kernel" crap, and want their interesting behaviour back, here's the first alpha-quality cut of my new firewall/NAT/masquerading/ transproxy/redirect/portforward framework, from [...]
This work is a result of the vast amount of user feedback I've had on things such as transparent proxying, masquerading, ipfwadm, ipchains, etc. Includes a 400k patch against 2.2.0. (84 files changed, 2509 insertions, 12097 deletions).
It's all set in slush at this stage, so if you have any comments, please feel free to leap forward and abuse me...In other news of January 1999:
From: Linus Torvalds <torvalds@transmeta.com>
Subject: Linux-2.3.15..
Date: Wed, 25 Aug 1999 16:36:10 -0700 (PDT)
There's a rather huge patch-set out there now, taking the 2.3.x series to 2.3.15. [...]
Other features that don't impact everybody, but are rather major:
* firewalling is gone (again), replaced by an even more generic netfilter facility.
[...]
Have fun,
LinusIn other news:
(sorry, I have no earlier picture of him)
Following James' assimilation into the collective, our efforts were mainly directed towards preparations for the release of Netfilter as part of the upcoming 2.4 kernel.
It was the dawn of the third age of Linux firewalling; a time of great struggle and heroic deeds. It was our last, best hope for peace. Great communities were founded, old civilizations were lost, and new alliances were formed.
James' missions during this period included the continued perversion of the networking code, such that it was now possible to load an ASN.1 parser into the kernel and inflict grave terror upon unsuspecting SNMP packets; and to extend the IP stack into userspace with Perl.
Now peering squarely into the abyss, we noticed the good deeds of a young kernel warrior named Harald Welte, who seemed to actually understand the NAT code. Accordingly, his distinctiveness was added to the collective. With balance restored, the netfilter juggernaut was now free to accelerate into the brave new world of Linux 2.4 and face it’s greatest challenge: users.
Date: Fri, 13 Oct 2000 16:26:06 +1100
From: Rusty Russell <rusty@linuxcare.com.au>
To: netfilter@lists.samba.org, netfilter-devel@lists.samba.org
Subject: [CORE TEAM] New Member Announce
The Netfilter Core Team is proud to welcome Harald Welte into its hallowed botherhood.
Harald Welte has frequently answered user questions on the mailing list, and authored the IRC connection tracking and NAT modules. He even documented what he'd done! And then fixed some of the bugs!
This shocking and revolutionary approach to software development will fill a much-needed void in the Netfilter Team. Assuming he survives the inauguration ceremony.Meanwhile, in other news:
Date: Fri, 7 Dec 2001 21:19:57 +1100 (EST)
From: James Morris <jmorris@intercode.com.au>
Subject: [netfilter-announce] [ANNOUNCE] New Core Team Member - Jozsef Kadlecsik
The Netfilter Core Team is proud to announce the addition Jozsef Kadlecsik as a new member.
Jozsef joins us as a dedicated and talented member of the Netfilter development community.
His demonstrated insight and high coding standards will be highly valuable assets to the project as development focus shifts to the 2.5 kernel series.
Welcome Jozsef!
- James, on behalf of the Netfilter Core Team.
--
James Morris <jmorris@intercode.com.au>
Jozsef joins netfilter core team in December 2001
Prior to Jozsef joining, but note-worthy:
Meanwhile in December 2001:
One key aspect was lots of good, easy to read documentation
Getting into the project as both a user or developer was helped enormously by the HOWTOs.
The original versions of those documents were all created in early 2000.
Remember, this was the pre-git and even pre-bitkeeper days!
Guess these days, people would count this as gamification?
Problem: How to distribute / maintain them?
1) The netfilter core team is maintaining a set of extensions / new·features which are not yet committed to the mainstream kernel tree.
They are a collection of maybe-broken maybe-cool third-party extensions.
Please note that you cannot apply any combination of any of those patches. Some of them are incompatible...·
If you want to try some extensions, and be sure that they don't break each other, you can do the following:
% ./runme base KERNEL_DIR=<<where-you-built-your-kernel>>
It will modify you kernel source (so back it up first!). You will have to recompile / rebuild your kernel and modules.
Alternatively, if you really know what your are doing, you can use the following command in order to offer you the full list of choices. Be aware that we don't prevent you from shooting yourself in the foot.
% ./runme extra KERNEL_DIR=<<where-you-built-your-kernel>>Date: Mon, 30 Oct 2000 14:28:30 +1100
From: Rusty Russell <rusty@linuxcare.com.au>
To: Netfilter Development Mailinglist <netfilter-devel@us4.samba.org>
On Mon, Oct 23, 2000 at 09:15:23PM -1100, Daniel Stone wrote:
> This, to me, reflects a problem. Basically, I can only see two things causing this:
> a) no testing at all, or
> b) a mis-paste. Please tell me it was the latter.
Completely untested. I looked at the patch as I threw it into patch-o-matic.
That's what patch-o-matic is for: to get stuff out there without waiting for the Rusty Linus planet alignment thing...
Rusty.
--
Hacking time.What contributed to the early success with lots of developers writing netfilter/iptables code:
⇒ Everyone could easily write his favorite match/target/plugin
Martin Josefsson joins core team in August 2003
Historical Context:
Date: Wed, 12 Nov 2003 00:06:11 +0100
From: pablo neira <pablo@eurodev.net>
To: netfilter-devel@lists.netfilter.org
Subject: ip_conntrack_get
Hi everyone,
I've been for almost two weeks trying to understand netfilter code, at this point I'm trying to understand conntrack table code.
I have a problem with how conntrack manages the ip_conntrack_info stuff.
[...]
Don't blame me if it's obvious for you, I'm just a guy trying to understand a *really really nice piece of code*. Thanks!
cheers,
PabloDate: Wed, 03 Dec 2003 15:23:39 +0100
From: pablo neira <pablo@eurodev.net>
To: netfilter-devel@lists.netfilter.org
Subject: sending event to user space
Hi list!
I programmed a dummy module for netfilter which tries to match a packet and if it does, it will do nothing (NF_ACCEPT) but I would want it to send an event to a program in user space to do something, how can I do that?
So something like:
a) packet gets my hook and do NF_ACCEPT.
b) modules sends an event to user space.
c) program in user space does something.
Thanks!
Pablo
P.S: thanks for this *great piece of code*!!
Patrick joins core team in January 2004
Historical Context:
Date: Fri, 09 Jan 2004 15:17:19 +1100
From: Rusty Russell <rusty@rustcorp.com.au>
Subject: [ANNOUNCE] Core Team Announces Emeritus Members
The Netfilter Core Team has long discussed the issue of Core Team members who are no longer active. Dismissing them from the Core Team would deny them the benefits of such a prestigious title, should any become apparent.
Hence the conclusion is that Marc Boucher, James Morris and Rusty Russell are now "emeritus"[1] members of the Netfilter Core Team.
[...]
[1] Latin for "burnt-out freeriding slacker", I believe.Yasuyuki Kozakai joins netfilter core team
Date: Thu, 15 Feb 2007 14:02:03 +0900 (JST)
From: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Subject: [ANNOUNCE]: New Coreteam Member Pablo Neira Ayuso
The Netfilter Core Team is proud to announce the addition of Pablo Neira Ayuso as a new member.
He has repeatedly demonstrated high insight and coding standards, and has already been responsible for several parts of the codebase, especially ctnetlink, conntrack and conntrackd.
By joining the Core Team, Pablo will definitely help advance the development of the Netfilter project to a higher level.
Welcome Pablo!
Yasuyuki,
on behalf of the Netfilter Core Team.
As I’m showing various old pictures of other people, for fairness' sake…
Historical Context:
Date: Wed, 18 Mar 2009 05:29:42 +0100
From: Patrick McHardy <kaber@trash.net>
To: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
CC: Linux Netdev List <netdev@vger.kernel.org>
Subject: [ANNOUNCE]: First release of nftables
Finally, with a lot of delay, I've just released the first full public
version of my nftables code (including userspace), which is intended to
become a successor to iptables. Its written from scratch and there are
numerous differences to iptables in both features and design, so I'll
start with a brief overview.
There are three main components:
- the kernel implementation
- libnl netlink communication
- nftables userspace frontendIn October 2012, Eric Leblond and Florian Westphal join core team
Also in October 2012: Harald, Martin and Yasuyuki finally enter emeritus state
Historical Context:
Pablo picked up a lot of the loose ends left by Patrick after some time and in 2013, nftables finally goes mainline!
commit 96518518cc417bb0a8c80b9fb736202e28acdf96
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Oct 14 11:00:02 2013 +0200
Date: Mon, 14 Jan 2002 22:33:16 +1100
From: Rusty Russell <rusty@rustcorp.com.au>
To: "David S. Miller" <davem@redhat.com>
Subject: Re: Kernel 2.4.16: NetFilter Bug Report
In message <20020113.231425.73653921.davem@redhat.com> you write:
> Any ideas on that NAT timer one from cat@zip.com.au? I've for now asked Marcelo to revert that 2.4.17 change until a different fix is obtained.
I am a fucking retard.
I was looking at what was wrong with the code, and came up with *five* separate problems. I know the compat layer was a hack, but what the *fuck* was I doing?
Read and weep,
Rusty.
--
Anyone who quotes me in their sig is an idiot. -- Rusty Russell.Big problem with lots of code, including netfilter: Lack of automatic testing.
Rusty returns to netfilter with nfsim, a netfilter simulator, co-authored with Jeremy Kerr.
⇒ Great Idea, and lots of useful work
Reality sucks:
Date: Tue, 31 May 2005 23:48:24 +1000
From: Rusty Russell <rusty@rustcorp.com.au>
To: Patrick McHardy <kaber@trash.net>
On Tue, 2005-05-31 at 15:02 +0200, Patrick McHardy wrote:
> Second of all, I spent like 10 hours to verify the proposed fixes, and I am still convinced that it is correct.
Which shows exactly *why* we have a testsuite. Dammit, I didn't spend all those hours on it for fun.
You spent *10* hours, and the testsuite runs in 5 seconds (60 seconds counting build time the first time).
<sigh>Reality sucks:
Date: Sun, 23 Jan 2005 20:15:17 -0800
From: "David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 3/2] Fix compile with NAT but without modules
On Mon, 24 Jan 2005 01:33:47 +0100 Patrick McHardy <kaber@trash.net> wrote:
> I'll apply your patches and push them to Dave tomorrow, bkbkits.com
> is unreachable currently so I can't resync my tree.
To be frank, this is one of several severe fallouts from Rusty's patches. I really think they were not ready for submission when he sent them to me. It even broke the build if you had modules enabled in any
way.
I'm only mentioning this because it appears that nfsim is becomming partially a crutch, because I know this is what Rusty and others use heavily for testing. Which is fine, but if your patches break the build in many ways in the real kernel tree you're relying too heavily on the userland simulator IMHO.Reality sucks:
⇒ no replacement / successor, till today :(
So all we can do is join DaveM and pray for code correctness
Date: Wed, 26 Feb 2003 11:54:59 +1100
From: Rusty Russell <rusty@rustcorp.com.au>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Subject: [netfilter-core] Re: conntrack patches
> Hi Rusty,
>
> Last year I started to go trough all of your unpublished conntrack related patches. [...]
> Are you working on the patches or plan to finish them? Or can I go back and complete the half-done job on the patches?
Jozsef,
Let me put it this way: take over those patches and I will name my first child after you.
How many beers did I owe you now?
Rusty.Date: Thu, 20 Nov 2003 14:40:42 +0100
From: Harald Welte <laforge@netfilter.org>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: NAT for IPv6
On Wed, Nov 19, 2003 at 01:38:47PM +0100, Maciej Soltysiak wrote:
> out of curiousity - are there plans to incorporate NAT into ip6tables or future pkttables ?
over my dead body. NAT is what broke ipv4 end-to-end. Let's not do the same with ipv6.
The only reasonable application is ipv4-to-ipv6 transition-nat.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
End of File.
No packets were harmed in the making of this presentation.