UnderLinux: Interview with Harald Welte (netfilter/iptables Developer)
Feb 18, 2002, 20:01
[ Thanks to scorpion for this link.
"We will have quite a lot of changes with regard to
iptables and 2.5/2.6 kernels. At our first netfilter developer
workshop in November 2001 we have discussed our plans. The first
big change is something invisible to the user: The monolithic
structure of an IP Table is going to get split in a linked list of
chains, which are in turn a linked list of entries. This should
increase performance with dynamic rulesets.
In addition, the kernel-userspace interface is going to change.
Right now different parts of netfilter use different facilities.
Especially iptables is still using a very primitive setsockopt()
interface. We will have nfnetlink (netfilter netlink), which
compares to the already existing rtnetlink interface for routing
table manipulation. And as a third big change, there will be
iptables2, the userspace rewrite of the current iptables-1.x
commandline program. iptables2 will be based on libiptables, which
is a library to provide a generic API for all applications that want
to monitor or manipulate firewalling rules. This will make it a lot
easier for intrusion detection systems and firewall configuration
GUIs to interface with the firewalling subsystem of the
Another interesting topic is high availability and firewalls. I
can't promise anything, but currently it looks very promising that
we will have sponsoring for connection tracking state
synchronization, which is needed if you want to do failover between
redundant state-tracking firewalls."
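The first change Welte describes, a table held as a linked list of chains that are in turn linked lists of rules, is easy to see in a small model. The C below is an added illustration, not netfilter's or iptables' code: it models a table, chains with a policy, rules with iptables-style jump/RETURN semantics, and shows why inserting or deleting a single rule (as `iptables -I` / `-D` do) is a pointer splice rather than a rebuild of the whole table. The packet fields, the match criteria (source prefix, protocol, destination port) and the sample rule set are simplifications constructed for the example.

```c
/* Added example: a table as a linked list of chains, each a linked list of
 * rules, with jump and RETURN. Not netfilter code; fields are simplified. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { V_NONE = 0, V_ACCEPT, V_DROP, V_RETURN };

struct pkt { uint32_t src; uint8_t proto; uint16_t dport; };

struct chain;
struct rule {
    uint32_t src, src_mask;   /* match if (pkt.src & src_mask) == src */
    uint8_t  proto;           /* 0 = any protocol */
    uint16_t dport;           /* 0 = any destination port */
    enum verdict verdict;     /* V_NONE with jump set means "jump there" */
    struct chain *jump;
    struct rule *next;
};

struct chain {
    char name[16];
    enum verdict policy;      /* built-in chains: verdict when no rule decides */
    struct rule *head;
    struct chain *next;
};

struct table { struct chain *chains; };

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

struct rule mk_rule(uint32_t src, uint32_t mask, uint8_t proto, uint16_t dport,
                    enum verdict v, struct chain *jump) {
    struct rule r = { src, mask, proto, dport, v, jump, NULL };
    return r;
}

struct chain *table_add_chain(struct table *t, const char *name, enum verdict policy) {
    struct chain *c = calloc(1, sizeof *c);
    strncpy(c->name, name, sizeof c->name - 1);
    c->policy = policy;
    c->next = t->chains;      /* O(1) splice: the rest of the table is untouched */
    t->chains = c;
    return c;
}

struct chain *table_find_chain(struct table *t, const char *name) {
    for (struct chain *c = t->chains; c; c = c->next)
        if (strcmp(c->name, name) == 0) return c;
    return NULL;
}

/* Insert at a 1-based position (like `iptables -I CHAIN N`); past the end appends. */
struct rule *chain_insert(struct chain *c, unsigned pos, struct rule r) {
    struct rule *n = malloc(sizeof *n);
    *n = r;
    struct rule **pp = &c->head;
    for (unsigned i = 1; i < pos && *pp; i++) pp = &(*pp)->next;
    n->next = *pp;
    *pp = n;                  /* only one pointer changes; no table copy */
    return n;
}

/* Delete the rule at a 1-based position (like `iptables -D CHAIN N`); 1 on success. */
int chain_delete(struct chain *c, unsigned pos) {
    struct rule **pp = &c->head;
    for (unsigned i = 1; i < pos && *pp; i++) pp = &(*pp)->next;
    if (!*pp) return 0;
    struct rule *victim = *pp;
    *pp = victim->next;
    free(victim);
    return 1;
}

static int rule_matches(const struct rule *r, const struct pkt *p) {
    if ((p->src & r->src_mask) != r->src) return 0;
    if (r->proto && r->proto != p->proto) return 0;
    if (r->dport && r->dport != p->dport) return 0;
    return 1;
}

/* Walk one chain: jumps descend, RETURN or running off the end comes back. */
static enum verdict chain_walk(const struct chain *c, const struct pkt *p, int depth) {
    if (depth > 16) return V_DROP;                 /* chain loop guard, fail closed */
    for (const struct rule *r = c->head; r; r = r->next) {
        if (!rule_matches(r, p)) continue;
        if (r->verdict == V_NONE && r->jump) {
            enum verdict v = chain_walk(r->jump, p, depth + 1);
            if (v == V_ACCEPT || v == V_DROP) return v;
            continue;                              /* user chain gave no verdict */
        }
        if (r->verdict == V_RETURN) return depth == 0 ? c->policy : V_RETURN;
        return r->verdict;
    }
    return c->policy;                              /* V_NONE for user chains */
}

enum verdict table_filter(struct table *t, const char *chain, const struct pkt *p) {
    struct chain *c = table_find_chain(t, chain);
    return c ? chain_walk(c, p, 0) : V_DROP;
}

/* Constructed sample: INPUT drops by default, TCP/22 is delegated to "ssh". */
struct table *build_example_table(void) {
    struct table *t = calloc(1, sizeof *t);
    struct chain *ssh = table_add_chain(t, "ssh", V_NONE);
    chain_insert(ssh, 1, mk_rule(ip4(10, 0, 0, 0), 0xff000000u, 6, 22, V_ACCEPT, NULL));
    chain_insert(ssh, 2, mk_rule(0, 0, 6, 22, V_DROP, NULL));
    struct chain *in = table_add_chain(t, "INPUT", V_DROP);
    chain_insert(in, 1, mk_rule(0, 0, 6, 22, V_NONE, ssh));
    chain_insert(in, 2, mk_rule(0, 0, 6, 80, V_ACCEPT, NULL));
    return t;
}

int main(void) {
    struct table *t = build_example_table();
    struct pkt p = { ip4(10, 1, 2, 3), 6, 22 };
    printf("10.1.2.3 -> tcp/22: %s\n", table_filter(t, "INPUT", &p) == V_ACCEPT ? "ACCEPT" : "DROP");
    chain_insert(table_find_chain(t, "INPUT"), 1,
                 mk_rule(ip4(10, 1, 2, 3), 0xffffffffu, 0, 0, V_DROP, NULL));
    printf("after -I INPUT 1: %s\n", table_filter(t, "INPUT", &p) == V_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

The point of the model is the splice in `chain_insert` and `chain_delete`: with a contiguous table, every rule change means copying and replacing the whole blob, while with the chain/entry lists a dynamic ruleset (an IDS reacting to traffic, a GUI toggling a rule) touches a single pointer. The depth guard in `chain_walk` is the defender's default of failing closed if a rule graph ever loops.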