Talk:Netfilter

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Computer Security / Computing  (Rated Start-class, Mid-importance)
WikiProject icon This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 Mid  This article has been rated as Mid-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing.
 
WikiProject Computing / Software (Rated Start-class)
WikiProject icon This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 ???  This article has not yet received a rating on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Software.
 

no title[edit]

I think the iptables article should be merged into this article. I'm willing to do that (and to rewrite the incomplete iptables information in the process). What do people think? — franl (talk) 01:59, 29 Nov 2004 (UTC)

Agreed. Content of old iptables page has been merged into this article. iptables is now a redirect here. - Dmeranda 18:47, 29 Nov 2004 (UTC)

Should this article be renamed?[edit]

The official netfilter/iptables project page refers to this project as the "netfilter/iptables" project. Now Wikipedia has links that say "iptables" but redirect to an article named "Netfilter". Would it make sense to rename this article to something like "Netfilter/iptables", "Netfilter and iptables", or "Netfilter/iptables Project"? — franl (talk) 21:07, 29 Nov 2004 (UTC)

Due to the absence of any response to my above comment, I've renamed this article to "Netfilter/iptables". — franl (talk) 19:42, Dec 2, 2004 (UTC)
I clarified this confusion for you; hope I didn't mangle things too badly. You're not the first ones to get lost in the nomenclature of netipchaintablefwadmfilter! Rusty. --59.167.60.148 14:21, 27 May 2005 (UTC)

Move guide to wikibooks?[edit]

IMHO, the guide to using iptables section should be moved to wikibooks. Reub2000

I don't know much about Wikibooks, but wouldn't this article be a very small "book"? Is that acceptable on Wikibooks? — franl (talk) 17:50, Dec 26, 2004 (UTC)
My understanding is that Wikipedia is for encyclopedia info, and that Wikibooks is for guides and learning. Reub2000 03:08, 27 Dec 2004 (UTC)

Moving to Wikibooks is probably not warranted, but this article needs a rewrite by someone who is familiar and can summarize it well, and all the detailed documentation needs to be removed. For these reasons I've added a Technical tag to the article. Commander 00:53, Apr 16, 2005 (UTC)

I agree this article has turned into a technical users manual moreso than an encyclopedic article. Having written much of the early revision of this article I'd be happy to assist or review a cleanup. Perhaps much of this excessively technical material is best suited for one of the open Linux documentation projects rather than Wikibooks. Then this article can just reference the more technical offsite material. - Dmeranda 21:05, 19 Apr 2005 (UTC)
I disagree. The collaborative nature of Wikipedia means that these articles are very polished, concise, carefully reviewed and therefore more useful than the how-to's of the original project or other single-author articles or manuals. What is an "encyclopedic article" after all ? Isn't it a complete, well organized and authoritative collection of the knowledge regarding a particular topic ? I think this kind of article needs to be encouraged. It would be a shame to remove any information from this article. In fact, the whole concept of the "too technical tag" is questionable in my mind. If someone is reading the article, it is to learn. 207.67.132.210 02:22, 10 May 2005 (UTC)
It's actually quite a good, in-depth introduction. It doesn't cover all the extensions (there are dozens), but it now covers the basic ones, and gives an idea of how they are used. As long as the more technical parts are well-separated, I think it's a win. As the author of the netfilter documentation, I'm just delighted to have any good doco 8). Thanks! Rusty 04:45, 26 August 2005 (UTC)
I'd also disagree with Dmeranda in this case. I ran across this page in looking up information on netfilter. This is an exceptionally good page. In many ways better than the man page because of the great syntax wikimedia affords. I'd go farther and suggest examples be added or an examples page be made. For instance, Examples of Markov chains is a highly technical page of similar spirit. Jeff Carr 05:06, 18 January 2006 (UTC)

Links to other linux firewall software[edit]

I've removed the link to the Firestarter software [[1]] since that project provides little if any additional insight into Netfilter or iptables for the reader. The website linked to doesn't even mention iptables, per Google search of the site. It is open source and perhaps makes use of iptables in it's internals, so I don't think it blatent advertisement. However I don't think having a link to this product on this article is warranted. Wikipedia is not a link repository. Perhaps it might be okay to reference it on a different article (or write one for it), or put it within the Category:Firewall software. - Dmeranda 15:50, 30 August 2005 (UTC)

netfilter is not a packet filter...[edit]

I went to the trouble of rewriting the intro a few months back because I really want a canonical place to point people, and I like Wikipedia. netfilter is technically the hooks within the core kernel. iptables is technically both the code (module) inside the kernel which walks packets through tables to decide what to do, and the userspace utility which manipulates those tables. Packet filtering (the iptable_filter module) walks the filter table on every packet to decide what to do with it. NAT (the iptable_nat module) walks the nat tables on every packet starting a new connection to decide how to NAT it. There's also a mangle table for special effects.

Please do not fix this; it's subtle and kinda complicated. The introduction now reflect this balance, while acknowledging that just saying "iptables" tends to encompass the lot for those outside the netfilter development community.

I hope that helps. --Rusty 11:00, 22 October 2005 (UTC)

Thanks for fixing that, Rusty, it was just because of my misconception of what a "packet filter" does. I'll be really happy if you decide to improve also other, more general topics. ~~helix84 14:20, 24 October 2005 (UTC)

On Portal:Free software, Netfilter/iptables is currently the selected article[edit]

(2006-07-31) Just to let you know. The purpose of selecting an article is both to point readers to the article and to highlight it to potential contributors. It will remain on the portal for a week or so. The previous selected article was GNU Compiler Collection. Gronky 21:29, 1 August 2006 (UTC)

Netfilter vs netfilter[edit]

Someone added a "technical restrictions" note, saying that it should be called "netfilter" not "Netfilter".

This is not the case, but it highlights the inconsistency in the article, which I've also fixed. "iptables" is lower case because it is the name of a Linux command: typing "Iptables" won't work. Netfilter is a noun, so there's no problem capitalizing it.

--Rusty 23:31, 9 October 2006 (UTC)

Diagram Priority[edit]

I added a link to a new iptables flow diagram, and I think it is superior to the existing 3. Although I have added the new link at the bottom, would anyone object to my moving it to the top of the list? I think the new one is considerably easier to follow the flow, and better structured. --Pekster 03:06, 10 January 2007 (UTC)

Since no one has objected in several weeks I'll move ahead with this re-ordering. Pekster 01:49, 29 January 2007 (UTC)

Fix Gibberish in ipset Section[edit]

Would someone who understands this sentence care to translate it into English?

"IP set bindings pointing to sets and iptables matches and targets referring to sets creates references, which protects the given sets in the kernel."

That would be nice. Wegesrand 11:42, 29 March 2007 (UTC)


Indeed, thanks! Since I don't understand set binding sufficiently, I simplified it.
--Rusty 07:25, 30 March 2007 (UTC)

Could still use some work in terms of formatting. One, do we really need half the manpage in the article? I don't see how the various command line switches really add anything to the article, considering that they're only there for the one little daughter command. Two, there's a handful of other commands in the ipset section that aren't clearly labaled as something one uses inside of ipset or as seperate commands. If they are seperate commands, then each should be a subsection. Could probably cut all of those sections in half without serious detriment as well, greatly increasing the readability of the article. MrZaiustalk 15:45, 30 March 2007 (UTC)

Cleanup[edit]

Per my prior comment, we could, and, per WP:NOT#INDISCRIMINATE, probably should, drop the bulk of the manpage-like content from this work. In 2005, a similar notion was brought up and shot down, but I believe it was correct, and, as such, wish to point out the following quote from WP:NOT:

"Instruction manuals. While Wikipedia has descriptions of people, places, and things, Wikipedia articles should not include instructions or advice (legal, medical, or otherwise), suggestions, or contain "how-to"s. This includes tutorials, walk-throughs, instruction manuals, video game guides, and recipes. Note that this does not apply to the Wikipedia: namespace, where "how-to"s relevant to editing Wikipedia itself are appropriate, such as Wikipedia:How to draw a diagram with Dia. If you're interested in a how-to style manual, you may want to look at our sister project Wikibooks."

Thoughts? MrZaiustalk 17:54, 4 May 2007 (UTC)

I agree; the "iptables" and "ipset" sections can be dropped without question IMO — they might even be copies from the man pages, but it doesn't matter. -- intgr 19:57, 4 May 2007 (UTC)
Went ahead and did that, leaving the intros in place. Cut the article size by 2/3rds, but it's still over 10k, and reads a great deal more like an encyclopedia article. Think it worked pretty well. Should review and make sure there's nothing in the article that still references the deleted content. If so, can expand the ref to be a more complete explanation and resolve those issues as they are found. MrZaiustalk 05:42, 5 May 2007 (UTC)

Netfilter or netfilter[edit]

On the website, "netfilter" seems to be used instead of "Netfilter", but I have found instances of "Netfilter" being used on the site as well. How should the article display the name? Toad King 17:12, 14 July 2007 (UTC)

It's on this Talk page — please read it: http://en.wikipedia.org/wiki/Talk:Netfilter#Netfilter_vs_netfilter . I also agree that “Netfilter” is a “name” (like “Linux”) (and not just a noun/command), hence with capital N. Artistic freedom or lazyness allow for a small n though ;-) j.engelh (talk) 10:51, 25 November 2008 (UTC)

Ask user module[edit]

Does anyone know a module for netfilter that creates a new policy for the default chains, which in case of packets that don't match any rule pops-up a window and asks the user what to do (a behavior similar to most Windows personal firewall products)? NegativeIQ (talk) 10:44, 18 April 2008 (UTC)

See http://www.synack.fr/project/cn_net/cn_net.html j.engelh (talk) 10:49, 25 November 2008 (UTC)

Rusty Russel and Oskar Andreasson[edit]

After viewing the discussion page I had the impression that other contributors to the page did not know who Rusty Russel is. He has contributed to the discussion page using the name "Rusty" (no last name) but his comments may not have registered as those coming from an expert on this subject.

Around 2001 I had an idea about writing documentation to support iptables, then came across work from Oskar Andreasson. This work was organized, detailed, thorough and well-maintained in my opinion -- leaving me with next-to-nothing to improve upon. To date version 24 of his documentation remains as the best documentation on iptables I've found, although (by now) much has been added to the Netfilter project.

Sections 2 and 3 should be removed. Wikipedia isn't the place for much detail about NetFilter since so much functionality is now part of it. (Adding an equivalent level of detail, at a given level, would introduce too much information for this venue). A personal blog is a better place for detail, in my opinion. Perhaps a writer can also point to a blog for additional information -- I don't know about this.

The NetFilter home page does have some information useful for inclusion here but not all of it is as well-written as it might be if it were a well-written Wikipedia article (based on how good some Wikipedia articles have become).

In my opinion, Rusty Russel is too modest to emphasize the value of his NetFilter work and this is one reason I've written this. I do not know him, he does not know me. I've researched him on the web and followed both of these guys for almost 9 years. All that remains clear is that their contribution to this toolset has been watered-down by the many who would seek to profit in places neither of them seem to have done so. We'd really benefit as a community if we could persuade either of them to contribute to this article.

This link goes to a document that was originally written by Oskar: http://www.control.aau.dk/~jdn/edu/litt/ip-tables/iptables/iptables-tutorial.frozentux.net/chunkyhtml/index.html. As I recall his docs were accessible from the frozentux website.

This link goes to Paul "Rusty" Russell's home page: [2].

--Kernel.package (talk) 06:57, 21 June 2009 (UTC)

Accuracy[edit]

The idea of "user-space" does not apply to NetFilter, if for no other reason than the fact it requires kernel-mode code. The term is too ambiguous anyway. ulogd, for example, provides kernel-mode code that supports a user-mode log application. iptables is a root-only admin tool which isn't precisely referred to as "user-mode" because a non-root user cannot run it (out-of-the-box -- they may be able to on a poorly configured or misconfigured box).

--Kernel.package (talk) 07:02, 21 June 2009 (UTC)

Still, many components have a kernel<->userspace counterpart mapping, including iptables and conntrack. I therefore disagree with your edit entitled “corrections - removed reference to "tool"s that were actually kernel modules”. Besides, I am now fixing the whole article to make sure Netfilter is portrayed from a developer side, i.e. without all those iptables-interrelated confusions. —j.eng (talk) 17:47, 22 June 2009 (UTC)