Hubbry Logo
NetfilterNetfilterMain
Open search
Netfilter
Community hub
Netfilter
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Netfilter
Netfilter
Netfilter
View on Wikipedia
from Wikipedia
Netfilter
Initial release26 August 1999; 26 years ago (1999-08-26) (Linux 2.3.15)
Stable release
6.17.7[1] Edit this on Wikidata / 2 November 2025; 2 days ago (2 November 2025)
Written inC
Operating systemLinux
Type
LicenseGNU GPL
Websitenetfilter.org

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

Netfilter represents a set of hooks inside the Linux kernel, allowing specific kernel modules to register callback functions with the kernel's networking stack. Those functions, usually applied to the traffic in the form of filtering and modification rules, are called for every packet that traverses the respective hook within the networking stack.[2]

History

[edit]
Relation of (some of) the different Netfilter components

Rusty Russell started the netfilter/iptables project in 1998; he had also authored the project's predecessor, ipchains. As the project grew, he founded the Netfilter Core Team (or simply coreteam) in 1999. The software they produced (called netfilter hereafter) uses the GNU General Public License (GPL) license, and on 26 August 1999 it was merged into version 2.3.15 of the Linux kernel mainline and thus was in the 2.4.0 stable version.[3]

In August 2003 Harald Welte became chairman of the coreteam. In April 2004, following a crack-down by the project on those distributing the project's software embedded in routers without complying with the GPL, a German court granted Welte an historic injunction against Sitecom Germany, which refused to follow the GPL's terms (see GPL-related disputes). In September 2007 Patrick McHardy, who led development for past years, was elected as new chairman of the coreteam.

Prior to iptables, the predominant software packages for creating Linux firewalls were ipchains in Linux kernel 2.2.x and ipfwadm in Linux kernel 2.0.x,[3] which in turn was based on BSD's ipfw. Both ipchains and ipfwadm alter the networking code so they can manipulate packets, as Linux kernel lacked a general packets control framework until the introduction of Netfilter.

Whereas ipchains and ipfwadm combine packet filtering and NAT (particularly three specific kinds of NAT, called masquerading, port forwarding, and redirection), Netfilter separates packet operations into multiple parts, described below. Each connects to the Netfilter hooks at different points to access packets. The connection tracking and NAT subsystems are more general and more powerful than the rudimentary versions within ipchains and ipfwadm.

In 2017 IPv4 and IPv6 flow offload infrastructure was added, allowing a speedup of software flow table forwarding and hardware offload support.[4][5]

Userspace utility programs

[edit]
Flow of network packets through Netfilter with legacy iptables packet filtering

iptables

[edit]
Main article: iptables

The kernel modules named ip_tables, ip6_tables, arp_tables (the underscore is part of the name), and ebtables comprise the legacy packet filtering portion of the Netfilter hook system. They provide a table-based system for defining firewall rules that can filter or transform packets. The tables can be administered through the user-space tools iptables, ip6tables, arptables, and ebtables. Notice that although both the kernel modules and userspace utilities have similar names, each of them is a different entity with different functionality.

Each table is actually its own hook, and each table was introduced to serve a specific purpose. As far as Netfilter is concerned, it runs a particular table in a specific order with respect to other tables. Any table can call itself and it also can execute its own rules, which enables possibilities for additional processing and iteration.

Rules are organized into chains, or in other words, "chains of rules". These chains are named with predefined titles, including INPUT, OUTPUT and FORWARD. These chain titles help describe the origin in the Netfilter stack. Packet reception, for example, falls into PREROUTING, while the INPUT represents locally delivered data, and forwarded traffic falls into the FORWARD chain. Locally generated output passes through the OUTPUT chain, and packets to be sent out are in POSTROUTING chain.

Netfilter modules not organized into tables (see below) are capable of checking for the origin to select their mode of operation.

iptable_raw module
When loaded, registers a hook that will be called before any other Netfilter hook. It provides a table called raw that can be used to filter packets before they reach more memory-demanding operations such as Connection Tracking.
iptable_mangle module
Registers a hook and mangle table to run after Connection Tracking (see below) (but still before any other table), so that modifications can be made to the packet. This enables additional modifications by rules that follow, such as NAT or further filtering.
iptable_nat module
Registers two hooks: Destination Network Address Translation-based transformations ("DNAT") are applied before the filter hook, Source Network Address Translation-based transformations ("SNAT") are applied afterwards. The network address translation table (or "nat") that is made available to iptables is merely a "configuration database" for NAT mappings only, and not intended for filtering of any kind.
iptable_filter module
Registers the filter table, used for general-purpose filtering (firewalling).
security_filter module
Used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. (These so-called "targets" refer to Security-Enhanced Linux markers.) Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called following the call of the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before any MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the computer itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the computer).

nftables

[edit]
Main article: nftables

nftables is the new packet-filtering portion of Netfilter. nft is the new userspace utility that replaces iptables, ip6tables, arptables and ebtables.

nftables kernel engine adds a simple virtual machine into the Linux kernel, which is able to execute bytecode to inspect a network packet and make decisions on how that packet should be handled. The operations implemented by this virtual machine are intentionally made basic: it can get data from the packet itself, have a look at the associated metadata (inbound interface, for example), and manage connection tracking data. Arithmetic, bitwise and comparison operators can be used for making decisions based on that data. The virtual machine is also capable of manipulating sets of data (typically IP addresses), allowing multiple comparison operations to be replaced with a single set lookup.[6]

This is in contrast to the legacy Xtables (iptables, etc.) code, which has protocol awareness so deeply built into the code that it has had to be replicated four times‍—‌for IPv4, IPv6, ARP, and Ethernet bridging‍—‌as the firewall engines are too protocol-specific to be used in a generic manner.[6] The main advantages over iptables are simplification of the Linux kernel ABI, reduction of code duplication, improved error reporting, and more efficient execution, storage, and incremental, atomic changes of filtering rules.

Packet defragmentation

[edit]
See also: IP fragmentation

The nf_defrag_ipv4 module will defragment IPv4 packets before they reach Netfilter's connection tracking (nf_conntrack_ipv4 module). This is necessary for the in-kernel connection tracking and NAT helper modules (which are a form of "mini-ALGs") that only work reliably on entire packets, not necessarily on fragments.

The IPv6 defragmenter is not a module in its own right, but is integrated into the nf_conntrack_ipv6 module.

Connection tracking

[edit]
See also: Stateful packet inspection

One of the important features built on top of the Netfilter framework is connection tracking.[7] Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall.

The connection state however is completely independent of any upper-level state, such as TCP's or SCTP's state. Part of the reason for this is that when merely forwarding packets, i.e. no local delivery, the TCP engine may not necessarily be invoked at all. Even connectionless-mode transmissions such as UDP, IPsec (AH/ESP), GRE and other tunneling protocols have, at least, a pseudo connection state. The heuristic for such protocols is often based upon a preset timeout value for inactivity, after whose expiration a Netfilter connection is dropped.

Each Netfilter connection is uniquely identified by a (layer-3 protocol, source address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4 key depends on the transport protocol; for TCP/UDP it is the port numbers, for tunnels it can be their tunnel ID, but otherwise is just zero, as if it were not part of the tuple. To be able to inspect the TCP port in all cases, packets will be mandatorily defragmented.

Netfilter connections can be manipulated with the user-space tool conntrack.

iptables can make use of checking the connection's information such as states, statuses and more to make packet filtering rules more powerful and easier to manage. The most common states are:

NEW
trying to create a new connection
ESTABLISHED
part of an already-existing connection
RELATED
assigned to a packet that is initiating a new connection and which has been "expected"; the aforementioned mini-ALGs set up these expectations, for example, when the nf_conntrack_ftp module sees an FTP "PASV" command
INVALID
the packet was found to be invalid, e.g. it would not adhere to the TCP state diagram
UNTRACKED
a special state that can be assigned by the administrator to bypass connection tracking for a particular packet (see raw table, above).

A normal example would be that the first packet the conntrack subsystem sees will be classified "new", the reply would be classified "established" and an ICMP error would be "related". An ICMP error packet which did not match any known connection would be "invalid".

Connection tracking helpers

[edit]

Through the use of plugin modules, connection tracking can be given knowledge of application-layer protocols and thus understand that two or more distinct connections are "related". For example, consider the FTP protocol. A control connection is established, but whenever data is transferred, a separate connection is established to transfer it. When the nf_conntrack_ftp module is loaded, the first packet of an FTP data connection will be classified as "related" instead of "new", as it is logically part of an existing connection.

The helpers only inspect one packet at a time, so if vital information for connection tracking is split across two packets, either due to IP fragmentation or TCP segmentation, the helper will not necessarily recognize patterns and therefore not perform its operation. IP fragmentation is dealt with the connection tracking subsystem requiring defragmentation, though TCP segmentation is not handled. In case of FTP, segmentation is deemed not to happen "near" a command like PASV with standard segment sizes, so is not dealt with in Netfilter either.

Network address translation

[edit]
Main article: Network address translation

Each connection has a set of original addresses and reply addresses, which initially start out the same. NAT in Netfilter is implemented by simply changing the reply address, and where desired, port. When packets are received, their connection tuple will also be compared against the reply address pair (and ports). Being fragment-free is also a requirement for NAT. (If need be, IPv4 packets may be refragmented by the normal, non-Netfilter, IPv4 stack.)

NAT helpers

[edit]

Similar to connection tracking helpers, NAT helpers will do a packet inspection and substitute original addresses by reply addresses in the payload.

Further Netfilter projects

[edit]

Though not being kernel modules that make use of Netfilter code directly, the Netfilter project hosts a few more noteworthy software.

conntrack-tools

[edit]

conntrack-tools is a set of user-space tools for Linux that allow system administrators to interact with the Connection Tracking entries and tables. The package includes the conntrackd daemon and the command line interface conntrack. The userspace daemon conntrackd can be used to enable high availability cluster-based stateful firewalls and collect statistics of the stateful firewall use. The command line interface conntrack provides a more flexible interface to the connection tracking system than the obsolete /proc/net/nf_conntrack.

ipset

[edit]

Unlike other extensions such as Connection Tracking, ipset[8] is more related to iptables than it is to the core Netfilter code. ipset does not make use of Netfilter hooks for instance, but actually provides an iptables module to match and do minimal modifications (set/clear) to IP sets.

The user-space tool called ipset is used to set up, maintain and inspect so called "IP sets" in the Linux kernel. An IP set usually contains a set of IP addresses, but can also contain sets of other network numbers, depending on its "type". These sets are much more lookup-efficient than bare iptables rules, but of course may come with a greater memory footprint. Different storage algorithms (for the data structures in memory) are provided in ipset for the user to select an optimum solution.

Any entry in one set can be bound to another set, allowing for sophisticated matching operations. A set can only be removed (destroyed) if there are no iptables rules or other sets referring to it.

SYN proxy

[edit]

SYNPROXY target makes handling of large SYN floods possible without the large performance penalties imposed by the connection tracking in such cases. By redirecting initial SYN requests to the SYNPROXY target, connections are not registered within the connection tracking until they reach a validated final ACK state, freeing up connection tracking from accounting large numbers of potentially invalid connections. This way, huge SYN floods can be handled in an effective way.[9]

On 3 November 2013, SYN proxy functionality was merged into the Netfilter, with the release of version 3.12 of the Linux kernel mainline.[10][11]

ulogd

[edit]

ulogd is a user-space daemon to receive and log packets and event notifications from the Netfilter subsystems. ip_tables can deliver packets via the userspace queueing mechanism to it, and connection tracking can interact with ulogd to exchange further information about packets or events (such as connection teardown, NAT setup).

Userspace libraries

[edit]

Netfilter also provides a set of libraries having libnetfilter as a prefix of their names, that can be used to perform different tasks from the userspace. These libraries are released under the GNU GPL version 2. Specifically, they are the following:

libnetfilter_queue
allows to perform userspace packet queueing in conjunction with iptables; based on libnfnetlink
libnetfilter_conntrack
allows manipulation of connection tracking entries from the userspace; based on libnfnetlink
libnetfilter_log
allows collection of log messages generated by iptables; based on libnfnetlink
libnl-3-netfilter
allows operations on queues, connection tracking and logs; part of the libnl project[12]
libiptc
allows changes to be performed to the iptables firewall rulesets; it is not based on any netlink library, and its API is internally used by the iptables utilities
libipset
allows operations on IP sets; based on libmnl.

Netfilter workshops

[edit]

The Netfilter project organizes an annual meeting for developers, which is used to discuss ongoing research and development efforts. The 2018 Netfilter workshop took place in Berlin, Germany, in June 2018.[13]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Netfilter

View on Grokipedia
from Grokipedia
Netfilter is a modular framework integrated into the that enables the interception and manipulation of network packets through a system of predefined hooks in the , primarily supporting IPv4, , and DECnet protocols. It facilitates core networking functions such as packet filtering, (NAT), packet logging, (QoS) marking, and transparent proxying, allowing administrators to implement firewalls, routers, and other mechanisms directly at the kernel level. Introduced as part of the 2.4 kernel series in 2001, Netfilter replaced earlier, less flexible firewalling tools like ipfwadm and ipchains, providing a more extensible and performant architecture for packet processing. At its core, Netfilter operates via five key hooks positioned at strategic points in the network stack: NF_INET_PRE_ROUTING (early inbound processing), NF_INET_LOCAL_IN (locally destined packets), NF_INET_FORWARD (routed packets), NF_INET_LOCAL_OUT (outbound from local processes), and NF_INET_POST_ROUTING (final outbound adjustments). Kernel modules can register callback functions at these hooks with specified priorities, enabling them to inspect, modify, or decide the fate of packets—such as accepting (NF_ACCEPT), dropping (NF_DROP), queuing for userspace handling (NF_QUEUE), or repeating processing (NF_REPEAT). This hook-based design supports both stateless and stateful operations, with connection tracking enhancing features like NAT and dynamic filtering by maintaining state information for TCP, UDP, and other protocols. Netfilter's functionality is organized into specialized tables that define processing chains: the filter table for (using INPUT, FORWARD, and OUTPUT chains), the nat table for address translation (PREROUTING, POSTROUTING, and OUTPUT chains), and the mangle table for packet header modifications (all hooks). Users interact with Netfilter through userspace utilities, initially (introduced alongside Netfilter for IPv4 and ip6tables for ), which allows rule configuration via command-line or scripts. In 2014, with Linux kernel 3.13, emerged as a more efficient successor, offering a virtual machine-based classification system for simplified rule management across multiple protocols and reducing kernel-userspace context switches. The project, maintained by the Netfilter Core Team under the GNU General Public License version 2, remains actively developed as a cornerstone of Linux networking security.

Overview

Purpose and Scope

Netfilter is a community-driven collaborative (FOSS) project that provides a framework for packet filtering in the , starting from version 2.4.x and continuing in subsequent releases. It enables kernel-level processing of network packets, supporting both stateless and stateful filtering for protocols including IPv4, , and DECnet. The framework's primary functions include packet filtering to allow or block traffic based on predefined rules, (NAT) and network address and port translation (NAPT) for address mapping and port , packet mangling to modify packet headers such as (TOS), Code Point (DSCP), or (ECN) bits, and logging of packets for auditing and debugging purposes. The scope of Netfilter extends beyond basic filtering, offering an extensible architecture that integrates with kernel modules for custom extensions and userspace tools for rule management. It supports advanced networking features, such as integration with the traffic control (tc) subsystem and utilities for (QoS) and , allowing fine-grained control over network traffic prioritization and paths. This modularity enables developers to build specialized modules for tasks like or custom protocol handling without altering the core kernel. Netfilter enhances the security, performance, and flexibility of Linux-based systems, particularly in roles as routers, firewalls, and servers, by providing efficient in-kernel packet processing that minimizes overhead compared to userspace alternatives. As a community-driven project, it is developed and maintained by contributors worldwide under the GNU General Public License version 2.0 (GPL-2.0), ensuring open access to its source code and promoting widespread adoption and innovation. The project remains actively maintained, with nftables version 1.1.5 released on August 27, 2025.

Kernel Architecture

Netfilter serves as a core subsystem within the kernel's networking stack, providing a framework for packet processing and manipulation at strategic points during network protocol handling. It is implemented as loadable kernel modules, such as nf_tables.ko for the modern interface or the legacy ip_tables.ko for compatibility, which are dynamically loaded to enable functionality without requiring a full kernel rebuild. The architecture emphasizes extensibility through well-defined APIs that allow developers to integrate custom logic. Netfilter hooks provide entry points where kernel modules can register callback functions to inspect or modify packets, enabling the creation of custom handlers with configurable priorities to determine invocation order. Additionally, match and target extensions permit the definition of rule-based actions, registered via functions like ipt_register_match() and ipt_register_target(), which support protocol-specific filtering and transformation without altering the core kernel code. Kernel modules form the modular backbone of Netfilter, categorized into core, protocol-specific, and extension types. The core module, netfilter.ko, establishes the foundational framework for hook registration and packet traversal management. Protocol-specific modules, such as nf_conntrack.ko for connection state tracking and nf_nat.ko for , handle operations tailored to IPv4, IPv6, or other protocols. Extension modules, including those for compatibility like iptable_filter.ko, provide backward-compatible interfaces and additional match/target plugins to extend rule evaluation capabilities. Netfilter interacts seamlessly with other kernel subsystems to ensure comprehensive network processing. It integrates directly with the IPv4 and protocol stacks by embedding hooks in their input and output paths, allowing interception before or after decisions. Connections to the socket layer occur through local input and output hooks, facilitating application-level packet handling. For bridged or firewall devices, Netfilter supports extensions like the bridge netfilter module, which applies filtering rules to traffic crossing network bridges without disrupting device-level operations. The programming interface for Netfilter spans kernel-space and userspace, promoting flexible development and configuration. In kernel-space, APIs such as nf_register_hook() enable modules to attach callbacks to specific hooks, while nf_register_queue_handler() allows queuing packets for deferred processing. Userspace access is facilitated through netlink sockets, a bidirectional communication channel that tools like nft leverage to configure rules, query states, and receive notifications from the kernel via the nftables Netlink API.

Historical Development

Origins in Linux 2.4

Netfilter's development began in 1999, initiated by Paul "Rusty" Russell as a comprehensive redesign to replace the limitations of earlier Linux firewalling tools such as ipchains (introduced in 2.2) and ipfwadm (from 2.0). Russell, who had previously authored ipchains, collaborated with Marc Boucher and later James Morris to form the core team, starting with a foundational meeting in in November 1999. The primary motivations included enabling stateful packet inspection to track connection states beyond simple rule-based filtering, providing a modular framework for extensible kernel modules, and improving performance through efficient packet processing in the network stack. These goals addressed the scalability issues of prior systems, which lacked native support for advanced features like (NAT) and were increasingly inadequate for growing network security needs. Netfilter was first implemented in the 2.4 kernel, released on January 4, 2001, marking a significant advancement in kernel-level networking. This introduction featured the innovative hook mechanism, which allowed modules to intercept and manipulate packets at key points in the protocol stack—such as prerouting, forwarding, and postrouting—for both filtering and NAT operations. Core initial components included the ip_tables module, which handled IPv4 packet filtering through configurable tables and chains, and the early ip_conntrack module for stateful connection tracking, enabling the kernel to maintain awareness of ongoing network sessions. These elements provided a unified, extensible architecture that generalized previous ad-hoc solutions, allowing for protocol-agnostic extensions while focusing initially on IPv4. Early adoption of Netfilter occurred rapidly following its kernel integration, with major distributions like 7.2 (released in October 2001) incorporating —the userspace interface to Netfilter—for basic firewall configurations in enterprise and server environments. Its modular design and comprehensive documentation facilitated contributions from developers, who extended it with custom matches and targets for specialized filtering. To further the project's growth, the first Netfilter workshops were organized starting in 2001, with a notable event in in that brought together developers to discuss design principles and future enhancements.

Evolution and nftables Transition

Following its debut in Linux kernel 2.4, Netfilter underwent significant enhancements to broaden its applicability and performance. In 2003, IPv6 support was advanced through efforts to stabilize and improve the IPv6 Netfilter implementation, including connection tracking capabilities, as outlined in presentations at the Ottawa Linux Symposium. By 2004, NAT functionality received key upgrades, such as refined handling for state synchronization and IPv6 NAT extensions, discussed during the Netfilter Developer Workshop. Additionally, connection tracking (conntrack) saw optimizations for high-load environments, including better table overflow management and eviction policies to maintain efficiency under heavy traffic, with contributions integrated into the Linux 2.6 kernel series. The push toward a more modern framework culminated in the development of , initiated by Patrick McHardy around 2008 as a successor to . First publicly released in 2009, the project stalled but was revived by Neira Ayuso in 2013, who led its evolution through community contributions for better scalability and unified handling of IPv4, , ARP, and Ethernet frames. The transition to nftables progressed steadily in the kernel. Core nftables support landed in 3.13, released in January 2014, introducing a virtual machine-based bytecode engine for packet classification. At the 2018 , legacy iptables was declared a "legacy tool," signaling the shift toward nftables as the preferred backend in distributions like 8. By 2020, major distributions such as 10, , and 20.04 adopted nftables as the default firewall framework, leveraging its improved rule management for production environments. Ongoing integrations in the Linux 6.x series, extending through version 6.17 (stable as of November 2025), have further bolstered Netfilter's capabilities. These include enhanced hardware offload support via flowtables for IPv4 and IPv6 traffic acceleration on compatible NICs, introduced progressively from kernel 5.7 onward. Security patches, such as the fix for CVE-2024-1086—a use-after-free vulnerability in nf_tables—were applied in early 2024 releases like kernel 6.8, mitigating local privilege escalation risks. To ease adoption, incorporates a compatibility layer that emulates behavior, allowing legacy rules and commands (via iptables-nft) to operate on the backend without immediate reconfiguration. This layer, developed since 2012, ensures while encouraging migration to native syntax.

Core Mechanisms

Hooks and Packet Flow

Netfilter's system provides a framework for intercepting and processing network packets at designated points within the kernel's networking stack, allowing modules to inspect, modify, or drop packets as they traverse the system. There are five primary points for IPv4 , each corresponding to a specific stage in packet processing: PREROUTING, which occurs immediately upon packet ingress before any routing decisions are made; INPUT, which handles packets destined for local delivery after routing; FORWARD, which processes packets being routed to other hosts; OUTPUT, which manages locally generated packets before routing; and POSTROUTING, which applies final modifications to packets just before they exit the system. These points ensure that packet manipulation can occur at appropriate junctures without disrupting the core networking logic. The packet flow through these hooks follows a structured path depending on whether the traffic is ingress or egress. For an incoming packet, it first encounters the PREROUTING hook, followed by a decision that directs it to either the INPUT hook for local consumption or the FORWARD hook for routing to another interface; in both cases, the packet then passes through the POSTROUTING hook before egress. Egress traffic from locally generated packets reverses this pattern, starting at the OUTPUT hook, proceeding through , and concluding at POSTROUTING. This bidirectional flow allows comprehensive control over packet lifecycle, with hooks serving as interception opportunities for operations like filtering or address translation. To manage the order of execution when multiple modules register at the same hook point, Netfilter uses priorities, where lower numerical values indicate higher precedence and are invoked first. For instance, the RAW table priority is defined as NF_IP_PRI_RAW = -300, ensuring it processes packets before lower-priority modules like those for connection tracking at -200. These priorities enable layered processing, such as placing security checks early in the chain. Kernel modules register their callback functions to these using the nf_register_net_hook() , which attaches the hook to a specific and point with an associated priority. During packet traversal, the kernel invokes registered callbacks sequentially via the nf_hook_slow() function on the slow path, allowing each to return verdicts like NF_ACCEPT, NF_DROP, or NF_QUEUE to continue, discard, or enqueue the packet. In modern kernels, performance is enhanced through fast-path optimizations, such as offloading verified flows to bypass unnecessary hook invocations when no modifications are needed, reducing overhead for high-throughput scenarios.

Chains and Targets

In Netfilter, chains refer to the ordered lists of rules that organize packet processing within the kernel's networking stack. These chains function as lists where packets are evaluated sequentially against each rule until a matching target is encountered or the end of the chain is reached. Built-in chains include INPUT, which handles packets destined for the local system; OUTPUT, for locally generated packets; FORWARD, for packets routed through the system; and PREROUTING and POSTROUTING, which apply before and after decisions, respectively. This structure allows for modular and efficient rule evaluation at specific points in the packet flow. Each rule in a Netfilter chain comprises match specifications—conditions such as source or destination IP addresses, protocol types, or numbers—followed by a target that determines the packet's fate. Matches filter packets based on header fields or extensions, while targets execute actions like acceptance or modification. If no rule matches, the chain's policy (typically ACCEPT or DROP) applies as a default . This match-target paradigm enables flexible, condition-based processing without requiring kernel recompilation for common use cases. Netfilter provides several built-in targets for standard operations: ACCEPT passes the packet to the next stage in the network stack; DROP discards it silently; REJECT drops the packet and generates an ICMP error response to inform the sender; RETURN exits the current chain and resumes evaluation in the parent chain; LOG records packet details to the kernel log for auditing; and QUEUE enqueues the packet for userspace handling via libraries like libnetfilter_queue. These targets correspond to kernel verdicts such as NF_ACCEPT, NF_DROP, and NF_QUEUE, ensuring consistent behavior across the framework. Custom targets extend Netfilter's capabilities through kernel modules registered via the xtables framework or verdicts, allowing developers to implement specialized actions. For instance, the MASQUERADE target performs dynamic source translation by substituting the interface's IP, useful in scenarios with changing outbound addresses. Other examples include extensions for header manipulation or alterations, loaded as modules to integrate seamlessly with core processing. These extensions maintain the modularity of Netfilter while supporting advanced functionality without altering the base . The rules within chains are grouped into tables, each optimized for particular packet handling: the filter table manages decisions; the nat table handles address rewriting; the mangle table enables packet header modifications, such as TTL adjustments; and the raw table processes packets early, before connection tracking, for marking or prerouting. Tables register with Netfilter hooks to intercept packets at appropriate points, ensuring that chain evaluation occurs in the correct context for the table's purpose.

Fundamental Features

Packet Defragmentation

Netfilter's packet defragmentation ensures that fragmented IP packets are reassembled early in the processing pipeline, allowing subsequent modules like connection tracking and filtering to operate on complete packets for consistent rule application. The nf_defrag_ipv4 module for IPv4 and nf_defrag_ipv6 for perform this reassembly within the PREROUTING hook (NF_INET_PRE_ROUTING) and the local output hook (NF_INET_LOCAL_OUT), registering callbacks with priority NF_IP_PRI_CONNTRACK_DEFRAG to intercept fragments before routing decisions. The reassembly process involves collecting incoming fragments into a kernel memory cache based on shared IP identification values, source addresses, and protocol details. Fragments are buffered until a complete packet can be reconstructed using the ip_defrag function, which sets the skb->ignore_df on success to bypass don't-fragment checks during output. If fragments remain incomplete after a configurable timeout—defaulting to 30 seconds—the queue is dropped to free resources, preventing indefinite retention of partial data. This reassembly occurs prior to connection tracking or filtering stages, ensuring that transport-layer information in later fragments is available for inspection. Configuration of the defragmentation cache is managed through IPv4-specific sysctls under /proc/sys/net/ipv4/ipfrag_*. The ipfrag_high_thresh (default 262144 bytes) sets the maximum memory allocation for fragments, beyond which new fragments are dropped until sufficient memory is freed (e.g., via timeouts). The ipfrag_time sysctl controls the retention period at 30 seconds by default, while ipfrag_max_dist (default 64) limits the allowable disorder in fragment arrival order from a single source, dropping incomplete queues to mitigate resource exhaustion. These parameters tune memory usage and resilience without affecting core reassembly logic. For IPv6, equivalent parameters are available as ip6frag_high_thresh (default 262144 bytes), ip6frag_low_thresh (default 196608 bytes), and ip6frag_time (default 60 seconds), allowing similar tuning for IPv6 fragment reassembly. For , the nf_defrag_ipv6 module integrates with the protocol's extension header framework, specifically targeting the Fragment Header (type 44) to reassemble datagrams before subsequent headers like authentication or hop-by-hop options are processed. This handles IPv6's and fragmentation rules, ensuring compatibility with extension header chaining while applying similar caching and timeout mechanisms as IPv4, using similar sysctls prefixed with ip6frag_ under /proc/sys/net/ipv6. To address denial-of-service risks from fragmented traffic, Netfilter enforces limits on fragment queues, such as ipfrag_max_dist, which drops queues exceeding 64 fragments in disorder from a host, preventing attackers from overwhelming with overlapping or malicious partial packets that share identification values. This parameter balances legitimate reassembly tolerance against potential abuse, as excessive disorder may indicate lost or adversarial fragments. For , similar protections apply via the ip6frag_* sysctls.

Connection Tracking

Netfilter's connection tracking system enables stateful packet inspection by maintaining information about active network connections, allowing firewalls to make decisions based on the context of packet flows rather than individual packets. This is implemented primarily through the nf_conntrack kernel module, which tracks sessions for protocols such as TCP, UDP, and ICMP. The nf_conntrack module stores connection details in a hash table, where each entry represents a tracked connection identified by a 5-tuple consisting of source and destination IP addresses, source and destination ports, and the protocol. Connections are assigned states such as NEW for initial packets starting a connection, ESTABLISHED for bidirectional communication, RELATED for packets associated with an existing connection (e.g., ICMP errors), and INVALID for packets that cannot be identified or violate rules like checksum failures if enabled. Additional TCP-specific states include SYN_SENT for the initial SYN packet in a handshake and ASSURED for connections that have been confirmed as stable after sufficient activity, preventing premature eviction under memory pressure. Connection tracking begins in the PREROUTING or OUTPUT hooks, where the 5-tuple is extracted from incoming or locally generated packets, and the state is updated as the packet traverses subsequent Netfilter hooks. This process operates on defragmented packets to ensure accurate session awareness. The module uses slab caches for efficient memory allocation, with IPv4 tuples requiring 32 bytes and tuples 80 bytes per entry. Memory management is handled through configurable parameters: the hash table size (nf_conntrack_buckets) defaults to a value based on total system memory divided by 16384 (minimum , maximum 262144), while the maximum number of entries (nf_conntrack_max) defaults to the value of nf_conntrack_buckets and is tunable via . Each connection consumes space for bidirectional tracking, effectively doubling the footprint. Expiration timers remove idle entries, such as 432,000 seconds (5 days) for established TCP connections, to prevent table overflow. For high-availability setups, the system supports , a mechanism that allows connection state to be exported and imported between nodes for . Userspace integration is provided via sockets, enabling tools to query, list, and receive notifications about tracked connections through the ctnetlink interface.

Network Address Translation

Network Address Translation (NAT) in Netfilter enables the modification of IP addresses and port numbers in packet headers, facilitating connectivity to the and load balancing. This functionality is implemented via a specialized NAT table that operates at specific points in the packet processing pipeline, ensuring efficient handling of incoming and outgoing traffic. NAT is crucial for conserving public IP addresses by allowing multiple internal devices to share a single external address. The NAT table includes two primary chains: PREROUTING and POSTROUTING. The PREROUTING chain handles Destination NAT (DNAT) for incoming packets, altering the destination and optionally the before the decision is made, which is essential for redirecting to internal servers. In contrast, the POSTROUTING chain manages Source NAT (SNAT) and Masquerade for outgoing packets, rewriting the source and after to enable return to reach the original sender. These chains ensure that NAT operations occur at optimal stages to avoid disrupting the kernel's logic. Netfilter supports two main types of NAT: Source NAT (SNAT), which rewrites the source and of outgoing packets to a specified public address, and Destination NAT (DNAT), which modifies the destination and of incoming packets to route them to private hosts. SNAT can use static mappings for fixed translations or dynamic mappings that select from a pool of addresses based on availability. DNAT similarly supports static or dynamic allocation within ranges, enabling and Port Translation (NAPT) for multiple connections. These mechanisms allow for both one-to-one address translations and many-to-one sharing, depending on the configuration. NAT in Netfilter is tightly integrated with the connection tracking subsystem, which maintains state information for each connection in a table of tuples comprising source and destination IP addresses and ports. When a packet undergoes NAT, the modified tuples are updated in the connection tracking table to reflect the translated addresses. For reply packets, the system performs un-NAT by reversing the mappings stored in the connection state, ensuring bidirectional communication without additional rule evaluations. This dependency on connection tracking optimizes performance by applying NAT decisions only to the initial packet of a connection. Configuration of NAT is achieved through specific in the or frameworks. The SNAT target uses the --to-source option to specify the replacement and optional range, such as --to-source 192.168.1.100, enabling precise control over outgoing translations. For dynamic environments like DHCP-assigned interfaces, the MASQUERADE target automatically uses the current interface IP without specifying a fixed address. DNAT employs the --to-destination option similarly for incoming traffic, with ranges supporting NAPT, for example, to forward a range of external ports to a single internal service. These allow flexible static or dynamic mappings tailored to network requirements. Advanced NAT features leverage connection tracking for protocol-specific helpers, such as modules that handle embedded addresses in protocols like FTP, ensuring proper translation without manual intervention. Hairpin NAT addresses scenarios where internal hosts communicate via the external IP, requiring SNAT in the POSTROUTING to rewrite the source address to the NAT device's IP, preventing routing loops and enabling seamless internal access to NATed services.

Userspace Tools

iptables

iptables is the original userspace utility for configuring the framework in the , introduced with version 2.4 to manage packet filtering rules, (NAT), and packet mangling. It allows system administrators to define rules that inspect and control network based on criteria such as source and destination addresses, protocols, and connection states. While still widely used for its straightforward syntax in legacy environments, iptables operates on a table-and-chain model that can become verbose for complex rule sets. The core command structure of iptables follows the format iptables -t <table> -A <chain> -s <source> -d <destination> -j <target>, where -t specifies the table (defaulting to filter if omitted), -A appends a rule to the chain, -s and -d match source and destination IP addresses or hostnames, and -j jumps to a target action such as ACCEPT, DROP, or RETURN. Other commands include -I for inserting rules at a specific position, -D for deletion by specification or number, -L for listing rules, -F for flushing chains, and -P for setting default policies. Rules can include options like -i for input interface and -o for output interface to further refine matching. Netfilter organizes rules into tables, each dedicated to a specific function, with predefined chains that correspond to packet processing stages. The filter table handles standard packet filtering and includes chains INPUT (for locally destined packets), FORWARD (for packets passing through the host), and OUTPUT (for locally generated packets). The nat table manages address translation with chains PREROUTING (before routing decisions), POSTROUTING (after routing), and OUTPUT. The mangle table alters packet headers and supports chains PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. User-defined chains can be created with -N for modular rule organization. Matches and extensions enhance rule specificity by allowing conditions beyond basic IP headers. Protocol matching uses -p tcp or -p udp, combined with port specifications like --dport 80 for destination port 80 on TCP traffic. The stateful connection tracking extension, invoked with -m state, matches packets using --state ESTABLISHED for ongoing connections or --state RELATED for associated traffic, enabling efficient handling of bidirectional flows. Other extensions include multiport for non-contiguous port ranges and connlimit for connection limits per IP. To ensure persistence across reboots, rules are saved using iptables-save, which outputs the current configuration to standard output in a portable format, often redirected to a file like /etc/iptables/rules.v4. Restoration occurs with iptables-restore reading from standard input, typically integrated into init scripts or service managers like for automatic loading on boot. This mechanism allows scripted management but requires careful handling to avoid conflicts during updates. Although maintained for backward compatibility in modern Linux distributions, iptables is considered verbose for large configurations due to its rule-by-rule approach, prompting its gradual replacement by nftables. For a basic firewall setup, administrators might append rules to the INPUT chain to drop invalid packets (iptables -A INPUT -m state --state INVALID -j DROP), accept established connections (iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT), allow loopback traffic (iptables -A INPUT -i lo -j ACCEPT), and permit specific incoming TCP ports like SSH (iptables -A INPUT -p tcp --dport 22 -j ACCEPT), followed by a default DROP policy (iptables -P INPUT DROP). Such examples illustrate iptables' role in simple, stateful firewalls for servers or gateways.

nftables

nftables serves as the contemporary userspace utility for configuring and managing the Netfilter framework in the , replacing the older suite with a more streamlined and versatile approach. Introduced in Linux kernel 3.13, it employs a for defining packet filtering, NAT, and classification rules, leveraging Netfilter's core hooks and subsystems while introducing a virtual machine-based evaluation engine in the kernel for efficient rule processing. This design shifts much of the complexity to userspace, enabling declarative rule definitions that are easier to maintain and extend compared to ' procedural style. At its core, nftables organizes rules into tables and chains, with a unified address family such as inet that handles both IPv4 and IPv6 traffic seamlessly, eliminating the need for separate tools like iptables and ip6tables. Basic commands include creating a table with nft add table inet filter to establish a container for rules, followed by adding a chain like nft add chain inet filter input { type filter hook input priority 0; } to attach it to a specific Netfilter hook point. Rules within chains specify match conditions and actions, or verdicts, such as accept to allow packets or drop to silently discard them; for instance, a simple rule might read nft add rule inet filter input tcp dport 22 accept to permit SSH access. Syntax features enhance expressiveness through declarative rulesets, where entire configurations can be loaded atomically via transactions using nft -f /path/to/ruleset.nft, ensuring consistent updates without partial failures. Variables allow reuse of values, as in define ssh_port = 22 followed by references like tcp dport $ssh_port, while sets and maps support dynamic data structures—for example, nft add set inet filter allowed_ips { type ipv4_addr; elements = { 192.168.1.0/24 }; } for IP whitelisting or verdict maps like tcp dport vmap { 80 : accept, 22 : accept } for port-based decisions. Monitoring and maintenance are facilitated through commands like nft list ruleset to display the active configuration across families, tables, and chains, with options for JSON output (-j) or handle visibility (-a) for scripting. integrates with the socket protocol for bidirectional communication between userspace and kernel, allowing real-time dynamic updates such as adding elements to sets without reloading entire rulesets. For complex scenarios like , rules can employ the limit statement, e.g., nft add rule inet filter input limit rate 5/second burst 10 packets accept to cap incoming connections and prevent floods. Performance-wise, nftables offers advantages through reduced kernel-userspace data copies via efficient structures like sets and maps, which minimize overhead in rule evaluation and updates. Benchmarks demonstrate that nftables maintains consistent throughput even with growing rule complexity, such as multiple custom chains, where iptables experiences linear degradation— for example, nftables sustains near-peak packets-per-second rates across thousands of rules, while iptables drops significantly. This scalability stems from its VM-based classifier, which optimizes generation and execution in the kernel, making it suitable for high-traffic environments.

Connection Tracking Utilities

The connection tracking utilities provide userspace interfaces for interacting with Netfilter's in-kernel connection tracking system, enabling administrators to monitor, manage, and synchronize connection states without direct kernel modifications. These tools are essential for , high-availability setups, and programmatic access, building on the core connection tracking mechanics to handle dynamic network flows. The conntrack tool serves as a command-line interface for dumping, listing, deleting, and manipulating entries in the connection tracking table. It replaces the older /proc/net/nf_conntrack interface, offering improved performance under high load by avoiding repeated kernel reads. Key commands include conntrack -L to list all active connections or expectations, which displays details such as source/destination IP, ports, protocol, and state; conntrack -D --orig-src 192.168.1.1 to delete specific entries matching the original source IP; and conntrack -F to flush the entire table. Additional options allow filtering by protocol (--proto tcp), updating marks (-U --mark 1), or monitoring real-time events (-E). In use cases like debugging connection floods, administrators can list entries to identify excessive traffic sources and selectively delete them to mitigate denial-of-service attempts. conntrackd is a daemon designed for synchronizing connection tracking tables across multiple firewalls in high-availability (HA) clusters, ensuring seamless failover and state continuity. It operates in modes such as NOTIFY for event-driven, best-effort replication using kernel notifications; FTFW (FTFW) for reliable full-table synchronization with message tracking to handle losses; and ALARM for periodic resends in unreliable environments, though at higher bandwidth cost. Configuration occurs via /etc/conntrackd/conntrackd.conf, where sections define event filters (e.g., using iptables CT target rules like -j CT --ctevents assured,destroy for kernel 2.6.38+), synchronization protocols, and backup modes such as active-backup (one primary node syncing to passive backups) or active-active (multi-node load sharing). For HA failover, conntrackd syncs the table across active and passive nodes over dedicated links, allowing rapid takeover without dropping established connections, often integrated with scripts like primary-backup.sh for role switching. The libnetfilter_conntrack library offers a userspace for programmatic access to the connection tracking and expectation tables via the interface, serving as the foundation for tools like conntrack. It supports operations such as querying and retrieving entries, inserting new flows, modifying attributes like marks or timeouts, and deleting specific tuples. Developers can use functions to build messages for kernel interactions, with support for filtering dumps and handling both IPv4 and IPv6. This library is particularly useful in custom applications for automated , such as integrating connection into monitoring systems. It requires libnfnetlink and a compatible kernel (version 2.6.14 or later, with 2.6.18 recommended).

IP Sets and SYN Proxy

IP sets provide an efficient mechanism within Netfilter for managing collections of IP addresses, networks, ports, MAC addresses, or interface names, enabling fast matching in firewall rules. The ipset userspace utility allows administrators to create and maintain these sets, while the corresponding kernel module handles storage and lookups. For instance, a set can be created with the command ipset create [whitelist](/page/Whitelist) hash:ip, which establishes a hash-based set for IPv4 addresses. Supported set types include hash:ip for individual IP addresses, hash:net for network prefixes, and hash:mac for MAC addresses, among others, allowing flexible storage based on matching needs. Updates to sets are performed dynamically via the interface, permitting additions or deletions without disrupting ongoing operations or incurring performance overhead. Entries can also include timeout options, such as timeout 300 for temporary storage, which is useful for implementing short-term bans on suspicious sources. Integration with Netfilter tools occurs through match extensions in both and . In , rules can reference sets using the -m set --match-set whitelist src syntax to check source addresses against the whitelist. Similarly, supports set matching with expressions like ip saddr @whitelist, facilitating efficient rule evaluation. These hash-based structures ensure O(1) average-time lookups even for large sets containing millions of entries, making ipset particularly effective for blacklisting attackers in high-traffic environments. The SYNPROXY target serves as a Netfilter module designed to mitigate denial-of-service attacks by acting as a TCP proxy during the three-way . It intercepts incoming SYN packets, responds with a SYN/ACK on behalf of the destination, and only forwards the connection upon receiving a valid ACK from the client, thereby validating the without consuming server resources. This requires connection tracking to be enabled for proper sequence number handling. An example rule is iptables -A INPUT -p tcp --syn -j SYNPROXY, which applies the proxy to new TCP SYN packets in the INPUT chain of the filter table. In , the synproxy statement offers similar functionality with configurable options for TCP parameters. For example, add rule filter input tcp flags syn ct state new synproxy { mss 1460 wscale 7 sack timestamp [ecn](/page/Explicit_Congestion_Notification) } enables proxying with specified , window scaling, selective acknowledgment, timestamps, and to match backend server capabilities. The module is optimized for high , capable of millions of packets per second across multiple CPUs while utilizing syncookies to avoid state exhaustion.

Logging Tools

ulogd is a userspace logging daemon designed for handling logs generated by Netfilter subsystems, including packet via NFLOG and NFQUEUE, as well as connection tracking and accounting events. The ulogd-2.x series is the current stable version recommended for production systems, with ulogd-1.x end-of-life since 2012. It processes these logs through a plugin-based , supporting various output formats such as , , CSV, XML, and database storage options like , , and . The daemon pre-allocates resources at startup to minimize runtime overhead, making it suitable for high-throughput environments. Netfilter provides several logging targets to direct packets or events to logs. The LOG target sends matching packets to the kernel's syslog with a configurable prefix (up to 32 characters) and log level (e.g., warning, info), often combined with the limit match module to enforce rate limits, such as 5 logs per second to prevent log flooding. ULOG, an older IPv4-only target from kernel 2.4, queues packets via to userspace but is deprecated in favor of NFLOG, introduced in kernel 2.6.14 for layer-3 independent . NFLOG extends this by allowing configurable groups (0-65535), prefixes (up to 64 characters), buffer sizes, and thresholds for batching packets to userspace without dropping under load. Configuration of ulogd occurs primarily through the /etc/ulogd.conf file, where plugin stacks define inputs like NFLOG or NFQUEUE, filters for (e.g., IP to string conversion), and outputs such as CSV files or databases. For example, a stack might process NFLOG input through base parsing and IP filtering before outputting to :

stack=log1:NFLOG,base1:BASE,ip2str1:IP2STR,pgsql1:PGSQL

stack=log1:NFLOG,base1:BASE,ip2str1:IP2STR,pgsql1:PGSQL

Integration with tools like is possible via ulogd's Syslog output plugin, enabling centralized . The daemon runs in daemon mode with configurable log levels (1-8) and supports libraries like libnetfilter_log for communication. Alternatives to ulogd include direct kernel logging via the LOG target or debug printks, though these lack userspace flexibility. In nftables, the log statement provides similar functionality with options for prefix and level, such as:

nft add rule inet filter input log prefix "DROP: " level warn

nft add rule inet filter input log prefix "DROP: " level warn

This logs matching packets to syslog without terminating rule evaluation. These tools support use cases like digital forensics, regulatory compliance auditing, and traffic analysis, particularly in handling high-volume logs by queuing packets to userspace daemons like ulogd, which prevents kernel buffer overflows and packet drops during bursts.

Userspace Libraries

Userspace libraries for Netfilter provide developers with programmatic interfaces to interact with kernel-level components, enabling the creation of custom applications that manage packet processing, rule configuration, and netlink communications without relying on command-line tools. These libraries abstract the complexities of the Netlink protocol, which is used for bidirectional communication between user space and the Linux kernel, allowing for efficient handling of network events and data. libnfnetlink serves as the foundational for Netfilter-related kernel/user-space communication, offering a generic messaging infrastructure for subsystems such as nfnetlink_log, nfnetlink_queue, and nfnetlink_conntrack. It provides low-level functions for processing nfnetlink messages but is primarily intended as a building block for higher-level libraries rather than direct application development. Developers use it indirectly through dependent libraries to handle event notifications and data exchange with the kernel's Netfilter hooks. libnetfilter_queue offers an for accessing packets queued by the kernel's NFQUEUE target, which diverts matching packets from the normal path to user space for inspection or modification. Key functions include nfq_get_payload(), which retrieves the packet data from the queue , and nfq_set_verdict(), which issues decisions like accept, drop, or reinject to the kernel. This is essential for building applications that perform deep packet analysis, such as intrusion detection systems, where packets can be examined and altered before returning a . Example usage involves opening a queue with nfq_open(), binding it to a specific queue number via nfq_bind_pf(), and callbacks for incoming packets, as demonstrated in the library's official examples. libxtables facilitates the development of extensions for the iptables framework, including parsing and manipulation of match and target modules that extend the core filtering capabilities. It provides structures and functions for loading, validating, and executing extension logic, such as custom match criteria for packet headers or user-defined targets for actions like logging or rate limiting. This library is integral for creating modular iptables enhancements, allowing developers to register new extensions that integrate seamlessly with existing rulesets. Complementing these, libmnl is a minimalistic user-space library designed for developers, handling common tasks like parsing, validating, and constructing Netlink headers and type-length-value (TLV) attributes with a compact footprint of approximately 30KB on x86 systems. It simplifies socket management, message sequencing, and error handling, serving as a dependency for more specialized Netfilter libraries. libnftnl builds on libmnl to provide a low-level specifically for the nf_tables subsystem, enabling operations such as listing, retrieving, inserting, modifying, or deleting rules and sets in the kernel. It supports nftables-specific message parsing and construction, making it suitable for applications that dynamically manage firewall policies. These libraries support the development of custom applications, such as tools for injecting rules into via libnftnl or rendering packet verdicts in user space using libnetfilter_queue. Bindings exist for higher-level languages, including Python wrappers like python-netfilterqueue for queue handling and pynetfilter_conntrack for connection tracking interactions, which allow scripting dynamic network controls without C programming. For instance, a Python application might use these bindings to monitor queued packets and apply custom logic before reinjecting them, enhancing flexibility in security or monitoring scenarios.

Community and Developments

Netfilter Workshops

The Netfilter workshops have been held regularly since 2001, with occasional interruptions such as the skip in 2021 due to the , serving as key gatherings for the project's core developers and contributors to discuss ongoing development and technical challenges. These events originated with the inaugural workshop in , , in November 2001, followed by the second in , , in 2003, and have continued most years, adapting to circumstances such as the virtual format in 2020 due to global events. Notable recent locations include Mairena del Aljarafe near , , in 2022, and , , in 2023, where sessions focused on advancing the framework's capabilities within the . No main workshop was held in 2024. The workshops follow an invitational format, typically spanning 2 to 3 days, and emphasize collaborative discussions among a small group of experts rather than large public presentations. Topics commonly addressed include enhancements to , such as ruleset optimizations and performance improvements under security mitigations like RETPOLINE, as well as debugging kernel-related bugs in connection tracking and packet processing. For instance, the 2022 event in covered inner matching mechanisms for tunnel protocols and strategies to mitigate performance overheads in . Similarly, the 2020 virtual workshop, held over two sessions on November 13 and 20, explored project status updates and emerging ideas for Netfilter's evolution. Recent events have extended the workshop model through affiliated sessions, such as the Netfilter Mini-Workshop at NetDev 0x19 in , , from March 10 to 13, 2025, which provided a concise overview of subsystem updates since the prior conference. Additionally, the 2025 Linux IPsec workshop in , , on July 17 and 18, featured overlaps with Netfilter topics, building on prior joint events like the 2023 Dresden workshop that combined and Netfilter discussions on areas such as replay window management and kernel integration. Outcomes from these workshops have directly influenced Netfilter's roadmap, leading to bug fixes and new features. Public reports and summaries are made available through the Netfilter workshop site and contributor blogs, documenting key decisions and action items. Participation is primarily limited to the Netfilter core team, led by maintainer Neira Ayuso, along with active contributors from the broader networking community. Follow-up occurs via dedicated mailing lists, such as netfilter-devel, where workshop discussions inform patch submissions and further collaboration.

Integrations with eBPF

eBPF programs of type BPF_PROG_TYPE_NETFILTER enable attachment directly to Netfilter hooks, allowing users to execute custom packet processing and filtering logic within the without requiring kernel recompilation or module loading. This integration leverages 's in-kernel to inspect, modify, or redirect packets at predefined Netfilter points such as PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING, providing a flexible extension mechanism for network observability and security. In 2024, key developments included kernel modifications that facilitate redirection to custom Netfilter hooks, enhancing packet handling capabilities. For instance, implementations for transparent packet inspection attach programs to traffic control hooks, redirecting selected packets—such as those establishing or closing connections—to a custom Netfilter hook for userspace forwarding and analysis, with packets subsequently reinjected or dropped based on inspection results. This approach supports IPv4 traffic on physical and bridged interfaces with minimal performance overhead, avoiding the need for virtual interfaces or extensive configuration changes. Advancements continued into 2025, with a publication detailing -based tracing to attribute packet drops specifically to Netfilter rules, utilizing tools like bpftrace for dynamic probing. This method employs maps to maintain counters for rules, enabling precise identification of drop causes in firewall configurations without invasive logging. Additionally, a 2025 research paper introduced an -based extension for hosts in virtual network functions, featuring INT-enabled caching that operates on a per-packet basis to aggregate telemetry data within service function chains managed by Netfilter. This proxy caches In-band Network (INT) metadata to reduce overhead in chained processing, improving efficiency in programmable data planes. Tools such as bpftool facilitate loading and attaching these eBPF programs to Netfilter hooks, with commands like bpftool prog load and bpftool net attach simplifying deployment. Practical examples include eBPF maps for rule-specific counters in drop attribution, as demonstrated in observability use cases like Polar Signals' monitoring of cross-zone traffic via Netfilter postrouting hooks, which aggregates packet data over intervals to cut operational costs by 50%. These integrations offer benefits like data transfer through maps and helpers, achieving high-throughput packet processing comparable to native kernel paths. However, challenges arise from the verifier's strict safety constraints, which can limit program complexity and require careful optimization to avoid rejection. Looking ahead, 6.17 and subsequent releases expand capabilities with ARM64 improvements and broader networking support, paving the way for wider Netfilter-eBPF adoption in production environments.

References

  1. https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html
  2. https://www.netfilter.org/
  3. https://www.netfilter.org/about.html
  4. https://www.netfilter.org/projects/iptables/index.html
  5. https://www.netfilter.org/projects/nftables/index.html
  6. https://www.netfilter.org/licensing.html
  7. https://www.netfilter.org/projects/nftables/downloads.html
  8. https://www.kernelconfig.io/config_ip_nf_iptables
  9. https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.txt
  10. https://www.kernelconfig.io/config_netfilter
  11. https://docs.kernel.org/networking/nf_conntrack-sysctl.html
  12. https://docs.kernel.org/networking/bridge.html
  13. https://docs.kernel.org/userspace-api/netlink/intro.html
  14. https://www.netdevconf.info/2.2/slides/welte-netfilterhistory-keynote.pdf
  15. https://www.theregister.com/2001/01/05/linux_2_4_kernel_released/
  16. https://www.netfilter.org/documentation/nf_conntrack-whitepaper.sgml
  17. https://linuxsecurity.com/advisories/red-hat/redhat-iptables-minor-security-issues-RHSA-2001-144-04
  18. https://www.kernel.org/doc/ols/2003/ols2003-pages-507-523.pdf
  19. https://workshop.netfilter.org/2004/
  20. https://netdevconf.info/2.1/papers/conntrack.pdf
  21. https://lwn.net/Articles/867185/
  22. https://www.phoronix.com/news/MTQ5MDU
  23. https://www.kernel.org/doc/html/v5.18/networking/nf_flowtable.html
  24. https://nvd.nist.gov/vuln/detail/CVE-2024-1086
  25. https://docs.kernel.org/networking/nf_flowtable.html
  26. https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-4.html
  27. https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html
  28. https://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html
  29. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter/nf_defrag_ipv4.c
  30. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter/nf_defrag_ipv6.c
  31. https://docs.kernel.org/networking/ip-sysctl.html
  32. https://docs.kernel.org/networking/ipv6.html
  33. https://conntrack-tools.netfilter.org/manual.html
  34. https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt
  35. https://ipset.netfilter.org/iptables.man.html
  36. https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables
  37. https://www.netfilter.org/projects/nftables/manpage.html
  38. https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
  39. https://conntrack-tools.netfilter.org/about.html
  40. https://conntrack-tools.netfilter.org/conntrack.html
  41. https://www.netfilter.org/projects/conntrack-tools/conntrack-manpage.html
  42. https://www.netfilter.org/projects/libnetfilter_conntrack/index.html
  43. https://ipset.netfilter.org/
  44. https://ipset.netfilter.org/ipset.man.html
  45. https://ipset.netfilter.org/iptables-extensions.man.html
  46. https://www.netfilter.org/projects/ulogd/index.html
  47. https://man.archlinux.org/man/extra/ulogd/ulogd.8.en
  48. https://workshop.netfilter.org/2013/wiki/images/8/8b/Eric_Leblond_ulogd2.pdf
  49. https://workshop.netfilter.org/2015/wiki/images/5/51/Netfilter-logging.pdf
  50. https://www.netfilter.org/projects/libmnl/index.html
  51. https://www.netfilter.org/projects/libnfnetlink/index.html
  52. https://www.netfilter.org/projects/libnetfilter_queue/index.html
  53. https://www.netfilter.org/projects/libnetfilter_queue/doxygen/html/group__nfq__verd.html
  54. https://git.netfilter.org/iptables/tree/configure.ac
  55. https://www.netfilter.org/projects/libnftnl/index.html
  56. https://www.netfilter.org/projects/libnetfilter_queue/doxygen/html/
  57. https://workshop.netfilter.org/
  58. https://workshop.netfilter.org/2022/
  59. https://workshop.netfilter.org/2023/
  60. https://workshop.netfilter.org/2020/
  61. https://ral-arturo.org/2022/10/25/nfws2022.html
  62. https://ral-arturo.org/2020/11/27/netfilter-virtual-workshop.html
  63. https://netdevconf.info/0x19/sessions/workshop/netfilter-mini-workshop.html
  64. https://linux-ipsec.org/2025-linux-ipsec-workshop-madrid-17-18-july.html
  65. https://linux-ipsec.org/2023-linux-ipsecnetfilter-workshop-dresden-11-14-september.html
  66. https://www.netfilter.org/mailinglists.html
  67. https://docs.ebpf.io/linux/program-type/BPF_PROG_TYPE_NETFILTER/
  68. https://www.threater.com/blog/transparent-packet-inspection-with-netfilter-and-ebpf/
  69. https://developers.redhat.com/articles/2025/11/03/using-ebpf-attribute-packet-drops-netfilter-rules
  70. https://www.sciencedirect.com/science/article/pii/S138912862500739X
  71. https://manpages.debian.org/unstable/bpftool/bpftool-net.8.en.html
  72. https://ebpf.foundation/case-study-polar-signals-uses-ebpf-to-monitor-internal-cross-zone-network-traffic-on-kubernetes-reducing-these-operating-costs-by-50/
  73. https://bootlin.com/blog/linux-6-17-released-bootlin-contributions-inside/
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.