Linux packet filtering in the 2.6.x kernel series
Linux 2.4.x provided a complete rewrite of the firewalling subsystem,
called netfilter/iptables. It was a major improvement over the previous
ipchains subsystem. Its major advantages are modularity and flexibility.
However, as with any project, as soon as you are sort-of finished, you become
aware of potential improvements and extensions.
The firewalling subsystem within the Linux kernel will undergo some fundamental design changes during the 2.5.x development kernel series.
Some of the changes from 2.4.x are:
- Have an independent pkt_tables subsystem, as a layer-3-independent replacement
for iptables, ip6tables and arptables. This will allow adding support for
other layer 3 protocols very easily.
- Move all kernel/userspace communication to netlink sockets. There will be
a generic nfnetlink layer, with pkttnetlink (for managing pkt_tables) and
ctnetlink (for manipulating the connection tracking database from userspace).
- Change the internal data structure of an ip_table to a linked list of chains,
which in turn are linked lists of rules, which are linked lists of
matches + targets. This way it is _way_ more performant in the case of
dynamic firewalling rulesets.
- Provide a generic high-level API to userspace applications for manipulation
of packet filtering rules. This will enable generic GUIs, which need no
changes in case new matches or targets are added.
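To make the third point concrete, here is a small C model of the ruleset layout the abstract sketches: a table holding a linked list of chains, each chain a linked list of rules, each rule a linked list of matches followed by one target. This is an illustrative example written for this page, not the kernel's pkt_tables code; the single "source address/mask" match kind, the function names and the verdict values are assumptions made for the example. It shows why a linked structure suits dynamic rulesets: adding or deleting one rule only relinks a few pointers, whereas a flat rule array must be rebuilt and swapped in as a whole.

```c
/* Toy model of a chain -> rule -> match/target linked ruleset (example code
 * for this page, not the kernel's pkt_tables; match kind is an assumption). */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

enum verdict { VERDICT_CONTINUE = 0, VERDICT_ACCEPT = 1, VERDICT_DROP = 2 };

struct packet { uint32_t saddr; };           /* only the field we match on */

/* A match is a predicate over the packet; matches within a rule are ANDed. */
struct match {
    int (*fn)(const struct match *m, const struct packet *p);
    uint32_t addr, mask;                     /* operands for the saddr match */
    struct match *next;
};

struct rule {
    struct match *matches;                   /* NULL means "match everything" */
    enum verdict target;
    struct rule *next;
};

struct chain {
    char name[16];
    struct rule *rules;
    enum verdict policy;                     /* applies when no rule matches */
    struct chain *next;
};

struct table { struct chain *chains; };

static int match_saddr(const struct match *m, const struct packet *p)
{
    return (p->saddr & m->mask) == (m->addr & m->mask);
}

struct chain *chain_find(struct table *t, const char *name)
{
    for (struct chain *c = t->chains; c; c = c->next)
        if (strcmp(c->name, name) == 0)
            return c;
    return NULL;
}

/* O(1) insertion: no flat rule array has to be rebuilt and swapped in. */
struct chain *chain_add(struct table *t, const char *name, enum verdict policy)
{
    struct chain *c = calloc(1, sizeof *c);
    strncpy(c->name, name, sizeof c->name - 1);
    c->policy = policy;
    c->next = t->chains;
    t->chains = c;
    return c;
}

/* Append a rule carrying one saddr/mask match; mask 0 means "match all". */
struct rule *rule_append(struct chain *c, uint32_t addr, uint32_t mask, enum verdict v)
{
    struct rule *r = calloc(1, sizeof *r);
    if (mask) {
        struct match *m = calloc(1, sizeof *m);
        m->fn = match_saddr; m->addr = addr; m->mask = mask;
        r->matches = m;
    }
    r->target = v;
    struct rule **pp = &c->rules;
    while (*pp) pp = &(*pp)->next;
    *pp = r;
    return r;
}

/* Dynamic edit: unlink and free the first rule whose target is v. */
int rule_delete_first(struct chain *c, enum verdict v)
{
    for (struct rule **pp = &c->rules; *pp; pp = &(*pp)->next) {
        if ((*pp)->target == v) {
            struct rule *r = *pp;
            *pp = r->next;                   /* relink; neighbours untouched */
            while (r->matches) { struct match *m = r->matches; r->matches = m->next; free(m); }
            free(r);
            return 1;
        }
    }
    return 0;
}

/* Walk the chain: the first rule whose matches all succeed decides. */
enum verdict chain_eval(const struct chain *c, const struct packet *p)
{
    for (const struct rule *r = c->rules; r; r = r->next) {
        int ok = 1;
        for (const struct match *m = r->matches; m && ok; m = m->next)
            ok = m->fn(m, p);
        if (ok) return r->target;
    }
    return c->policy;
}
```

In the real subsystem the match and target operations are module-provided and far richer; the point of the model is only the shape of the structure and the cost of editing it in place.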
Optionally, the netfilter core team is planning to have support for connection
tracking state replication, something necessary for failover of stateful
firewalls.
The talk assumes prior knowledge about the netfilter/iptables architecture.