Mailing List Archive



Re: [tlug] Re: wither ipchains?



On Tue, Aug 06, 2002 at 10:54:34PM -0600, Marc Christensen quoth, and most verily thus:
> On Wed, 7 Aug 2002, big0 wrote:
> 
> > >   # rmmod iptables
> > >   # insmod ipchains
> > 
> > This is wroooooooooooong! There is no such thing as iptables or ipchains
> > kernel modules. Both are just user space programs to work with kernel
> > rules (netfilter or chains).
> 
> I can't believe you just wrote that.

I can certainly believe that he wrote it, and here is why:

Stateful firewalling in Linux is pretty complex. IPFilter is the bit
in the kernel that actually does the work. As he says, iptables and
ipchains (and even fwadm) are userland programs that interact with
IPFilter to actually filter packets.

However, as has been the disturbing trend with Linux, more and more is
creeping from userland (where it belongs) to the kernel. iptables is,
IMO, one such example. The fact that you have to compile iptables
"support" into the kernel (or build a module) is a bit ludicrous if
you ask me. (Which no-one, regrettably, ever seems to remember to do.)

IPFilter *should* be implemented in the kernel, since it actually
plays with the TCP/IP stack, which is in the kernel. However, iptables
or whatever you use to write filtering rules should just interact with
IPFilter by way of kernel calls. No special support necessary.

In preparation for this rant, I did some cursory Google searches to
make sure that I was right about the way that I *think* IPFilter is
implemented. I could not find much. If anyone has links to some solid
documentation on the design of Linux IPFilter, please post them here,
as I need some good bedtime reading.


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.

