- rule loadtime performance
  - loading 10k rules in 1k chains takes 4 minutes 30 seconds on a P3-733
  - 27 seconds in kernelspace: mark_source_chains()
    - reimplementation finished, needs more testing
  - 4 minutes in userspace: two O(n^2) complexity functions
    - one of them could be removed in the old chain_cache framework
    - the other function needs reimplementation (underway)
- ctnetlink still under development, used by a couple of large sites
- pkt_tables to be merged later in 2.6.x
  - change to linked lists of rules in linked lists of chains
  - use netlink-based kernel/userspace interface
- iptables2/pkttables userspace
  - libnfnetlink / libpkttnetlink as low-layer interface
  - move all iptables functionality into libpkttables
  - libpkttables provides a query interface:
    - what matches/targets does this system support?
    - what parameters does match 'foo' support?
    - what values are acceptable for param 'bar' of match 'foo'?
    - what is the help message for param 'bar' of match 'foo'?
- nf-hipac as high-performance alternative to iptables
  - very complex multi-dimensional tree structure
  - 530 kilobyte patch, 180k kernel module
  - algorithm well-proven and regression-tested in userspace
  - scales really well even with 100k rules
  - now supports all iptables matches/targets
  - cannot replace iptables because of
    - large footprint
    - high memory usage
  - most likely to be integrated after the pkt_tables / pkttnetlink merge
- session logging
  - different implementations (SLOG one of them)
  - best solution: ctnetlink event API
  - problem: per-connection byte/packet counters in conntrack are a performance hit
- ipv6 connection tracking
  - usagi people are working on this
- non-linear skb support (removal of skb_linearize())
  - thanks to rusty, 2.5.x/2.6.x now has support
  - changes in almost every netfilter/iptables API :(
- stateful failover / state synchronization
  - no sponsor yet, but most likely in Q4/2003
- conntrack optimization
  - new hashing algorithm in 2.4.21, should improve significantly
  - locking optimization
  - don't use a timer per conntrack, but an expiration kernel thread
- TRACE target / raw table
  - experimental patch in patch-o-matic
  - enables tracing of a packet through the ruleset
- netfilter workshop, August 2003, Budapest, Hungary
  - about 20 people will attend
  - sponsored by Astaro Inc and KFKI Research Institute
  - open to the public, registration needed
- we need more community
  - developer diaries on the netfilter homepage?
  - wiki or similar tool?
  - announcement of IRC channel(s) on the website
- patch-o-matic 2.6.x future?
  - I will only maintain patch-o-matic for 2.6.x
  - maybe somebody wants to backport patches?
  - maybe an official 2.4.x maintainer?
- development of testing tools
  - simple packet generator not suitable for stateful filtering
  - even simple packet generators are very expensive
  - connection generator
    - user can specify the profile of a connection
      - e.g. HTTP: TCP, 500 bytes in one direction, 10k in the other
    - user can specify quantity and distribution
      - i.e. 10k 'HTTP', from random source to single dest.
    - first implementation will be userspace-only, may change later
  - work will start in September/October, I'll post an RFC
- deprecate ipfwadm