Linux 2003
Conference and Tutorials
---------------------------------------------------
Thurs 31st July - Sun 3rd August 2003
Edinburgh, Scotland

Harald Welte - Netfilter core team

Linux Packet Filtering: The Future

Paper available as PDF, Postscript and MagicPoint.

The core netfilter/iptables architecture is already more than three years old, and the 2.4 kernels that include this 'new' packet filter system have been widely deployed during the last two years. netfilter/iptables is without doubt a huge improvement over ipchains in Linux 2.2.x, but after two years of deployment we have received a lot of feedback pointing out the weaknesses and problems of the current implementation. So is it time for yet another packet filtering subsystem, or can the problems be solved within the existing architecture?

Problems with the current netfilter/iptables:

  • code replication
  • atomic table replacement doesn't suit dynamic rulesets
  • no APIs for 3rd-party applications
  • has been copy+paste 'ported' to IPv6, ARP and bridging
  • connection tracking performance is problematic at high (gbit) speeds
  • connection tracking hash function

Solutions to these problems will be proposed.
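The second problem in the list, that a whole-table atomic replacement fits badly with rulesets that change at runtime, is easy to see in a small model. The code below is an added illustration written for this page, not netfilter or iptables code: it models the get-table / modify-in-userspace / replace-whole-table cycle that iptables uses, shows that two editors interleaving that cycle lose each other's rule, and shows that the data copied for a single rule change grows with the size of the table. The version counter and the `replace_if_unchanged` guard are assumptions added to make the lost update visible, not a description of the talk's proposed solution.

```python
"""Toy model of iptables-style whole-table replacement (constructed illustration).

A change to the ruleset means: fetch the entire table, edit the copy in user
space, and hand the whole thing back to the kernel, which swaps it atomically.
The kernel therefore never sees a half-written ruleset, but nothing ties a
replacement to the snapshot it was derived from, and every change moves the
entire table across the user/kernel boundary.
"""

from dataclasses import dataclass
from typing import Tuple

# Constructed sample rules, iptables-save syntax for readability only.
RULE_LO = "-A INPUT -i lo -j ACCEPT"
RULE_SSH = "-A INPUT -p tcp --dport 22 -j ACCEPT"
RULE_HTTP = "-A INPUT -p tcp --dport 80 -j ACCEPT"


@dataclass
class Table:
    rules: Tuple[str, ...] = ()
    version: int = 0  # assumed addition: lets a replace detect a stale snapshot


class Kernel:
    """Holds one table; replace() swaps the whole ruleset in one step."""

    def __init__(self, rules: Tuple[str, ...] = ()):
        self.table = Table(rules, 0)
        self.bytes_copied = 0  # ruleset bytes moved across the user/kernel boundary

    def get_table(self) -> Table:
        # User space receives a full copy of the current ruleset.
        self.bytes_copied += sum(len(r) for r in self.table.rules)
        return Table(self.table.rules, self.table.version)

    def replace(self, new: Table) -> None:
        # Unconditional swap: this is the behaviour the abstract criticises.
        self.bytes_copied += sum(len(r) for r in new.rules)
        self.table = Table(new.rules, self.table.version + 1)

    def replace_if_unchanged(self, base_version: int, new: Table) -> bool:
        """Guarded swap (assumption): refuse a table built from an old snapshot."""
        if base_version != self.table.version:
            return False
        self.replace(new)
        return True


def table_with_rule(k: Kernel, rule: str) -> Table:
    """What an iptables -A does in user space: copy the table, append one rule."""
    t = k.get_table()
    return Table(t.rules + (rule,), t.version)


def race_unguarded() -> Tuple[str, ...]:
    """Two editors read before either writes; the second write discards the first."""
    k = Kernel((RULE_LO,))
    a = table_with_rule(k, RULE_SSH)
    b = table_with_rule(k, RULE_HTTP)  # b's snapshot does not contain RULE_SSH
    k.replace(a)
    k.replace(b)  # atomic, but RULE_SSH is silently gone
    return k.table.rules


def race_guarded() -> Tuple[Tuple[str, ...], Tuple[bool, bool]]:
    """Same interleaving with the stale-snapshot check: b is rejected and retried."""
    k = Kernel((RULE_LO,))
    a = table_with_rule(k, RULE_SSH)
    b = table_with_rule(k, RULE_HTTP)
    ok_a = k.replace_if_unchanged(a.version, a)
    ok_b = k.replace_if_unchanged(b.version, b)
    if not ok_b:
        b = table_with_rule(k, RULE_HTTP)  # rebuild from the fresh table
        ok_b = k.replace_if_unchanged(b.version, b)
    return k.table.rules, (ok_a, ok_b)


def bytes_for_one_append(table_size: int) -> int:
    """Ruleset bytes copied to add a single rule to a table of table_size rules."""
    k = Kernel(tuple("rule%04d" % i for i in range(table_size)))  # 8 bytes per rule
    k.replace(table_with_rule(k, "newrule0"))
    return k.bytes_copied


if __name__ == "__main__":
    print("unguarded:", race_unguarded())
    print("guarded:  ", race_guarded())
    print("copy cost, 10 rules:  ", bytes_for_one_append(10))
    print("copy cost, 1000 rules:", bytes_for_one_append(1000))
```

The unguarded run ends with only the loopback and HTTP rules, which is exactly what happens when two programs (a firewall script and, say, a daemon adding per-client rules) both manipulate a live ruleset through iptables without external locking. The copy-cost function shows the second half of the problem: one appended rule costs a round trip proportional to the whole table, so a ruleset that changes often pays that price on every change.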

© Copyright 2003 UKUUG Ltd