Rusty's Netfilter Playground
Fri Jan 29 20:15:23 CST 1999
- Modular framework for mangling packets (NAT, transparent proxying,
TOS mangling, packet filtering) at various stages; there are 6 of
these for IP: immediately on entering, pre-routing, pre-local-delivery,
forwarding, local-pre-routing, and pre-output.
- The ability to hand packets to userspace at any of these points (an
example userspace packet device is included, and a port of the
ipchains kernel code to userspace was achieved with an earlier
version). I probably broke alot of locking doing this.
- Beginning of a netfilter caching infrastructure; each hook ORs
into a bitmask indicating what fields of the packet was examined.
This will allow intelligent bypassing of these hooks in certain
- Mainly working implementation of NAT/masquerading/RNAT/transparent
- New firewall tool `iptables'; the in-kernel code has been enhanced
and modularized, while shedding 1k (2.0.35: 9520 bytes, 2.2.0:
11352 bytes, 2.2.0+netfilter: 10520 bytes).
Many things, but here are the highlights:
- Get rid of many nf_drop calls; come up with policy on when
it should be called; it's designed to allow logging of
packets dropped by routing code, etc.
- Create framework for userspace control of NAT, for
transparent proxying, and NAT in userspace.
- Port special-case masq code to new structure, where possible
implementing in userspace.
- Port ipchains and ipfwadm as kernel modules: they should
then be usable by the old ipfwadm and ipchain binaries.
- More documentation, code cleanup.
- Do something with caching info.