Rusty's Netfilter Playground

Fri Jan 29 20:15:23 CST 1999

Many things, but here are the highlights:

  1. Modular framework for mangling packets (NAT, transparent proxying, TOS mangling, packet filtering) at various stages of the IP stack. There are 6 of these hook points for IP: immediately on entering, pre-routing, pre-local-delivery, forwarding, local-pre-routing, and pre-output.

  2. The ability to hand packets to userspace at any of these points (an example userspace packet device is included, and a port of the ipchains kernel code to userspace was achieved with an earlier version). I probably broke a lot of locking doing this.

  3. Beginning of a netfilter caching infrastructure: each hook ORs into a bitmask indicating which fields of the packet it examined. This will allow intelligent bypassing of these hooks in certain cases (a later packet that matches the earlier one on every field the verdict depended on need not be run through the hooks again).

  4. Mostly working implementation of NAT/masquerading/RNAT/transparent proxying.

  5. New firewall tool `iptables'; the in-kernel code has been enhanced and modularized while shedding about 1k relative to 2.2.0 (2.0.35: 9520 bytes, 2.2.0: 11352 bytes, 2.2.0+netfilter: 10520 bytes).
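To make items 1 and 3 concrete, here is an added userspace model of a hook chain with the "fields examined" bitmask cache. It is example code written for this page, not code from the netfilter tree; every name in it (struct pkt, hook_fn, nf_hook, nf_register_hook, NF_ACCEPT, the F_* bits, the two toy hooks) is an assumption made for the illustration and not the kernel's interface. The sample packets in main() are constructed.

```c
/*
 * Added example, not code from the netfilter tree: a userspace model of a
 * netfilter-style hook chain plus a one-entry cache keyed on the bitmask of
 * packet fields the hooks actually examined.  All names here are assumptions
 * made for this illustration, not the kernel's interface.
 */
#include <stdint.h>
#include <stdio.h>

enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };

/* One bit per packet field a hook may consult. */
enum { F_SRC = 1, F_DST = 2, F_PROTO = 4, F_SPORT = 8, F_DPORT = 16, F_TOS = 32 };

struct pkt {
    uint32_t src, dst;          /* IPv4 addresses, host order */
    uint16_t sport, dport;
    uint8_t  proto, tos;
};

/* A hook inspects p, ORs the fields it read into *ex, and returns a verdict. */
typedef enum verdict (*hook_fn)(const struct pkt *p, unsigned *ex);

#define MAX_HOOKS 8
static hook_fn hooks[MAX_HOOKS];
static int nhooks;
static int hook_calls;          /* total hook invocations, for the demo */

/* One-entry cache: last verdict, the fields it depended on, their values. */
static struct { int valid; unsigned mask; struct pkt key; enum verdict v; } cache;

int nf_register_hook(hook_fn fn)
{
    if (nhooks >= MAX_HOOKS)
        return -1;
    hooks[nhooks++] = fn;
    return 0;
}

/* Compare a and b only on the fields named in mask. */
static int same_fields(const struct pkt *a, const struct pkt *b, unsigned mask)
{
    if ((mask & F_SRC)   && a->src   != b->src)   return 0;
    if ((mask & F_DST)   && a->dst   != b->dst)   return 0;
    if ((mask & F_PROTO) && a->proto != b->proto) return 0;
    if ((mask & F_SPORT) && a->sport != b->sport) return 0;
    if ((mask & F_DPORT) && a->dport != b->dport) return 0;
    if ((mask & F_TOS)   && a->tos   != b->tos)   return 0;
    return 1;
}

/* Walk the chain.  A DROP ends the walk, so the mask then covers only the
 * fields consulted up to that hook, which is all the verdict depended on. */
static enum verdict run_hooks(const struct pkt *p, unsigned *ex)
{
    *ex = 0;
    for (int i = 0; i < nhooks; i++) {
        hook_calls++;
        if (hooks[i](p, ex) == NF_DROP)
            return NF_DROP;
    }
    return NF_ACCEPT;
}

/* Hook-point entry: reuse the cached verdict when every field it depended on
 * is unchanged; otherwise run the hooks and refresh the cache. */
enum verdict nf_hook(const struct pkt *p)
{
    unsigned ex;
    enum verdict v;

    if (cache.valid && same_fields(p, &cache.key, cache.mask))
        return cache.v;             /* bypass: no hook runs */
    v = run_hooks(p, &ex);
    cache.valid = 1;
    cache.mask = ex;
    cache.key = *p;
    cache.v = v;
    return v;
}

/* Two toy hooks: block_src drops everything from 10.0.0.1, deny_telnet drops
 * TCP to port 23.  Each records only the fields it actually read. */
static enum verdict block_src(const struct pkt *p, unsigned *ex)
{
    *ex |= F_SRC;
    return p->src == 0x0a000001u ? NF_DROP : NF_ACCEPT;
}

static enum verdict deny_telnet(const struct pkt *p, unsigned *ex)
{
    *ex |= F_PROTO | F_DPORT;
    return (p->proto == 6 && p->dport == 23) ? NF_DROP : NF_ACCEPT;
}

void setup_demo(void)
{
    nhooks = 0;
    hook_calls = 0;
    cache.valid = 0;
    nf_register_hook(block_src);
    nf_register_hook(deny_telnet);
}

/* Build a constructed packet (dst fixed at 10.0.0.3) and push it through. */
enum verdict inject(uint32_t src, uint8_t proto, uint16_t sport, uint16_t dport, uint8_t tos)
{
    struct pkt p = { src, 0x0a000003u, sport, dport, proto, tos };
    return nf_hook(&p);
}

int hook_calls_so_far(void) { return hook_calls; }
unsigned cache_mask(void) { return cache.mask; }

int main(void)
{
    setup_demo();
    printf("%d ", inject(0x0a000002u, 6, 1234, 80, 0));    /* both hooks run */
    printf("%d ", inject(0x0a000002u, 6, 4321, 80, 0x10)); /* hit: sport/tos unexamined */
    printf("%d ", inject(0x0a000002u, 6, 1234, 23, 0));    /* dport examined: miss, DROP */
    printf("%d ", inject(0x0a000001u, 6, 1234, 80, 0));    /* dropped by block_src alone */
    printf("%d\n", inject(0x0a000001u, 17, 9, 53, 0));     /* hit: verdict depended on src only */
    printf("hook invocations: %d\n", hook_calls);
    return 0;
}
```

The point to notice is the fourth packet: block_src drops it before deny_telnet runs, so the cached mask is F_SRC alone, and the fifth packet (same source, different protocol and port) is dropped without any hook executing. The caveat a practitioner will want: this bypass is only sound if every hook's verdict is a pure function of the fields it reported. A hook that keeps state (connection tracking, NAT mappings, rate limits) or that reads a field without recording the bit must either flag itself as uncacheable or be left out of the cache, or the cache will replay stale decisions.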