path: root/2005/netfilter-lk2005/abstract.txt
First steps towards the next generation netfilter subsystem

Until 2.6, every new kernel version came with its own incarnation of a packet
filter: ipfw, ipfwadm, ipchains, iptables.  2.6.x still had iptables.  What was
wrong?  Or was iptables good enough to last even two generations?

In reality the netfilter project is working on gradually transforming the
existing framework into something new.  Some of those changes are transparent
to the user, so they slip into a kernel release almost unnoticed.  However,
for expert users and developers those changes are noteworthy anyway.

Some other changes just extend the existing framework, so most users again
won't even notice them - they just don't take advantage of those new features.

The 2.6.14 kernel release will mark a milestone, since it is scheduled to
contain nfnetlink, ctnetlink, nfnetlink_queue and nfnetlink_log - basically a
totally new netlink-based kernel/userspace interface for most parts of the
netfilter subsystem.

nf_conntrack, a generic layer-3 independent connection tracking subsystem,
initially supporting IPv4 and IPv6, is also in the queue of pending patches.
Chances are high that it will be included in the mainline kernel at the time
this paper is presented at Linux Kongress.

Another new subsystem within the framework is the "ipset" filter, basically an
alternative to using iptables in certain areas.

The presentation will cover a timeline of recent advances in the netfilter
world, and describe each of the new features in detail.  It will also summarize
the results of the annual netfilter development workshop, which is scheduled
just the week before Linux Kongress.

personal git repositories of Harald Welte. Your mileage may vary