Linux packet filtering in the 2.6.x kernel series
Linux 2.4.x provided a complete rewrite of the firewalling subsystem,
called netfilter/iptables. It was a major improvement over the previous
ipchains subsystem. Its major advantages are modularity and flexibility.
However, as with any project, as soon as you are sort-of finished, you become
aware of potential improvements and extensions.
The firewalling subsystem within the Linux kernel will undergo some fundamental design changes during the 2.5.x development kernel series.
Some of the changes from 2.4.x are:
- Have an independent pkt_tables subsystem, as a layer 3 independent replacement
for iptables, ip6tables and arptables. This will allow adding support for
other layer 3 protocols very easily.

- Move all kernel/userspace communication to netlink sockets. There will be
a generic nfnetlink layer, with pkttnetlink (for managing pkt_tables) and
ctnetlink (for manipulating the connection tracking database from userspace).

- Change the internal data structure of an ip_table to a linked list of chains,
which in turn are linked lists of rules, which are linked lists of
matches + targets. This way it is _way_ more performant in the case of
dynamic firewalling rulesets (in 2.4.x every rule change replaces the whole
table as one blob).

- Provide a generic high-level API to userspace applications for manipulation
of packet filtering rules. This will enable generic GUIs, which need no
changes in case new matches or targets are added.
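As an added illustration of the nfnetlink layering described in the list above (this is not code from the talk or from the netfilter project): the framing that later shipped in 2.6 kernels puts every netfilter subsystem on one NETLINK_NETFILTER socket, selects the subsystem in the upper byte of nlmsg_type and the message in the lower byte, and starts every payload with a struct nfgenmsg. The program below builds a ctnetlink request that dumps the IPv4 connection tracking table, counts the entries in the replies, and reports an NLMSG_ERROR (which is what you get without CAP_NET_ADMIN or without nf_conntrack_netlink loaded). Constants and structs come from the kernel's uapi headers; the function names are the example's own.

```c
/* Added example: nfnetlink/ctnetlink request framing. Not part of the talk;
 * uses the framing as it shipped in later 2.6 kernels (nfnetlink.h). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>

/* Write one nfnetlink message (nlmsghdr + nfgenmsg, no attributes) into buf.
 * nlmsg_type carries subsystem id << 8 | message id. Returns bytes written,
 * or 0 if buf is too small. */
size_t nfnl_put_msg(unsigned char *buf, size_t buflen, uint16_t type,
                    uint16_t flags, uint8_t family, uint32_t seq)
{
    size_t len = NLMSG_SPACE(sizeof(struct nfgenmsg));
    if (buflen < len)
        return 0;
    memset(buf, 0, len);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len   = NLMSG_LENGTH(sizeof(struct nfgenmsg));
    nlh->nlmsg_type  = type;
    nlh->nlmsg_flags = flags;
    nlh->nlmsg_seq   = seq;
    nlh->nlmsg_pid   = 0;                 /* kernel fills in our port id */
    struct nfgenmsg *nfg = NLMSG_DATA(nlh);
    nfg->nfgen_family = family;           /* AF_INET, AF_INET6, ... */
    nfg->version      = NFNETLINK_V0;
    nfg->res_id       = 0;
    return len;
}

/* "Dump the whole conntrack table for this address family" request. */
size_t build_ct_dump_request(unsigned char *buf, size_t buflen,
                             uint8_t family, uint32_t seq)
{
    uint16_t type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_GET;
    return nfnl_put_msg(buf, buflen, type, NLM_F_REQUEST | NLM_F_DUMP,
                        family, seq);
}

/* Count conntrack entries (CT_NEW messages) in one recv() worth of replies.
 * Sets *done when NLMSG_DONE ends the dump; returns -1 on NLMSG_ERROR. */
int count_ct_entries(const unsigned char *buf, int len, int *done)
{
    int n = 0;
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type == NLMSG_DONE) { *done = 1; break; }
        if (nlh->nlmsg_type == NLMSG_ERROR) return -1;
        if (NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_CTNETLINK &&
            NFNL_MSG_TYPE(nlh->nlmsg_type) == IPCTNL_MSG_CT_NEW)
            n++;
    }
    return n;
}

int main(void)
{
    unsigned char req[64], resp[8192];
    size_t rlen = build_ct_dump_request(req, sizeof req, AF_INET, 1);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (fd < 0) { perror("socket(NETLINK_NETFILTER)"); return 1; }
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    if (sendto(fd, req, rlen, 0, (struct sockaddr *)&kernel,
               sizeof kernel) < 0) { perror("sendto"); return 1; }
    int total = 0, done = 0;
    while (!done) {
        ssize_t n = recv(fd, resp, sizeof resp, 0);
        if (n < 0) { perror("recv"); return 1; }
        int c = count_ct_entries(resp, (int)n, &done);
        if (c < 0) {
            fprintf(stderr, "ctnetlink returned NLMSG_ERROR "
                    "(need CAP_NET_ADMIN and nf_conntrack_netlink)\n");
            return 1;
        }
        total += c;
    }
    printf("conntrack entries (IPv4): %d\n", total);
    close(fd);
    return 0;
}
```

The point of the subsystem byte is that ctnetlink, the planned pkttnetlink and any later subsystem share one socket and one header layout, so a generic userspace library only needs to know the subsystem id and message id for each operation; the subsystem-specific data follows nfgenmsg as netlink attributes, which this example does not parse.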
Optionally, the netfilter core team is planning to have support for connection
tracking state replication - something necessary for failover of stateful
firewalls.
The talk assumes prior knowledge about the netfilter/iptables architecture.