Rusty's Netfilter Playground
Fri Jan 29 20:15:23 CST 1999
Features:
- Modular framework for mangling packets (NAT, transparent proxying,
TOS mangling, packet filtering) at various stages; there are 6 of
these for IP: immediately on entering, pre-routing, pre-local-delivery,
forwarding, local-pre-routing, and pre-output.
- The ability to hand packets to userspace at any of these points (an
example userspace packet device is included, and a port of the
ipchains kernel code to userspace was achieved with an earlier
version). I probably broke a lot of locking doing this.
- Beginning of a netfilter caching infrastructure; each hook ORs
into a bitmask indicating which fields of the packet were examined.
This will allow intelligent bypassing of these hooks in certain
cases.
- Mainly working implementation of NAT/masquerading/RNAT/transparent
proxying.
- New firewall tool `iptables'; the in-kernel code has been enhanced
and modularized, while shedding 1k (2.0.35: 9520 bytes, 2.2.0:
11352 bytes, 2.2.0+netfilter: 10520 bytes).
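As an added illustration of the hook and caching ideas described above (a userspace model written for this page, not netfilter's kernel code), the two hooks, the examined-field bits and the one-entry verdict cache below are all hypothetical:

```c
/* Added model, not netfilter's own code: each hook ORs the packet fields
 * it examined into a bitmask, so a later packet identical in exactly those
 * fields can reuse the cached verdict and bypass the hooks entirely. */
#include <stddef.h>
#include <stdint.h>
enum { NF_ACCEPT = 0, NF_DROP = 1, BYPASSED = 2 /* flag: verdict came from cache */ };
enum { F_SADDR = 1, F_DADDR = 2, F_PROTO = 4, F_DPORT = 8 }; /* examined-field bits */
struct pkt { uint32_t saddr, daddr; uint8_t proto; uint16_t dport; };
/* A hook inspects the packet, records which fields it looked at, gives a verdict. */
typedef int (*hook_fn)(const struct pkt *p, unsigned *examined);

/* Hypothetical hook: drop anything sourced from 10.0.0.0/8 (looks at saddr only). */
static int hook_block_net(const struct pkt *p, unsigned *examined) {
    *examined |= F_SADDR;
    return ((p->saddr >> 24) == 10) ? NF_DROP : NF_ACCEPT;
}

/* Hypothetical hook: drop TCP to port 23 (looks at proto and dport only). */
static int hook_no_telnet(const struct pkt *p, unsigned *examined) {
    *examined |= F_PROTO | F_DPORT;
    return (p->proto == 6 && p->dport == 23) ? NF_DROP : NF_ACCEPT;
}
static const hook_fn hooks[] = { hook_block_net, hook_no_telnet };
/* One-entry verdict cache: which fields mattered last time, their values, the verdict. */
static struct { unsigned mask; struct pkt key; int verdict; int valid; } cache;

/* Compare only fields some hook actually examined; the rest cannot change the verdict. */
static int same_examined_fields(const struct pkt *a, const struct pkt *b, unsigned mask) {
    if ((mask & F_SADDR) && a->saddr != b->saddr) return 0;
    if ((mask & F_DADDR) && a->daddr != b->daddr) return 0;
    if ((mask & F_PROTO) && a->proto != b->proto) return 0;
    if ((mask & F_DPORT) && a->dport != b->dport) return 0;
    return 1;
}
/* Walk the hook chain for one packet, or short-circuit via the cache. */
int traverse(const struct pkt *p) {
    unsigned examined = 0;
    int verdict = NF_ACCEPT;
    if (cache.valid && same_examined_fields(p, &cache.key, cache.mask))
        return cache.verdict | BYPASSED;
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++)
        if ((verdict = hooks[i](p, &examined)) == NF_DROP)
            break; /* first DROP wins; later hooks never see this packet */
    cache.mask = examined; cache.key = *p; cache.verdict = verdict; cache.valid = 1;
    return verdict;
}
int run(uint32_t saddr, uint32_t daddr, uint8_t proto, uint16_t dport) {
    struct pkt p = { saddr, daddr, proto, dport };
    return traverse(&p); /* NF_ACCEPT, NF_DROP, or either ORed with BYPASSED */
}
```

The cache is only safe because a hook that dropped was the first to examine its fields; any hook that inspects a field without setting its bit would make the bypass wrong, which is exactly why the bitmask must be kept honest.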
TODO:
Many things, but here are the highlights:
- Get rid of many nf_drop calls; come up with policy on when
it should be called; it's designed to allow logging of
packets dropped by routing code, etc.
- Create framework for userspace control of NAT, for
transparent proxying, and NAT in userspace.
- Port special-case masq code to new structure, where possible
implementing in userspace.
- Port ipchains and ipfwadm as kernel modules: they should
then be usable by the old ipfwadm and ipchains binaries.
- More documentation, code cleanup.
- Do something with caching info.
Enjoy,
Paul.Russell@rustcorp.com.au