Linux Today: Linux News On Internet Time.

UnderLinux: Interview with Harald Welte (netfilter/iptables Developer)

Feb 18, 2002, 20:01

[ Thanks to scorpion for this link. ]

"We will have quite a lot of changes with regard to iptables and 2.5/2.6 kernels. At our first netfilter developer workshop in November 2001 we discussed our plans. The first big change is something invisible to the user: the monolithic structure of an IP Table is going to get split into a linked list of chains, which are in turn a linked list of entries. This should increase performance with dynamic rulesets.

In addition, the kernel-userspace interface is going to change. Right now different parts of netfilter use different facilities. Especially iptables is still using a very primitive setsockopt() interface. We will have nfnetlink (netfilter netlink), which compares to the already existing rtnetlink interface for routing table manipulation. And as a third big change, there will be iptables2, the userspace rewrite of the current iptables-1.x commandline program. iptables2 will be based on libiptables, which is a library to provide a generic API for all applications that want to monitor or manipulate firewalling rules. This will make it a lot easier for intrusion detection systems and firewall configuration GUIs to interface with the firewalling subsystem of the kernel.

Another interesting topic is high availability and firewalls. I can't promise anything, but currently it looks very promising that we will have sponsoring for connection tracking state synchronization, which is needed if you want to do failover between redundant state-tracking firewalls."
