'ipfw' IOCTLS available as python module?

Malcolm Tredinnick malcolmt at smart.net.au
Tue Oct 5 21:51:34 EDT 1999


My attempt at an explanation of what is going on with regards to
ipchains in the Linux 2.4 kernels... (for non-Linux users, this is
likely to be a little bit boring and very non-Python orientated. My
apologies.)

On Tue, Oct 05, 1999 at 08:42:25PM -0400, François Pinard wrote:
> Bill Anderson <banderson at boi.hp.com> writes:
> 
> > it is worth making the comment that ipchains is gone in 2.3.x, and
> > hence 2.4.
> 
> Are you serious?  If this is true, it is worth telling indeed, before we
> invest too much Python work in that direction.  Could you tell me/us more?
> What is happening exactly?  If you happen to know, _why_ is it happening?

For a start, there is both good news and bad news. At least for the
foreseeable future, you will still be able to use ipchains. However, it
is not compatible with iptables and ipnatctl (the new tools), so you
can choose to stay with what you know or upgrade -- but you can't go
halfway.

The new package, as a whole, is called Netfilter and as of October 4
was at version 0.1.10 and required a kernel version of 2.3.18 or
higher. I have no personal experience with using it, since I am
staying clear of the 2.3.x kernels for the moment. I have tried to
keep up with the discussions on what is going on and there are
pointers later on to the documentation.

As I mentioned, the old ipchains package has been split into two.
Firstly, we have ipnatctl, which handles Network Address Translation
(NAT), masquerading and transparent proxying. In short, it does any
work that requires mangling the source and/or destination addresses of
your packets. (Anybody wondering why you would want to do this, etc,
should probably contact me via e-mail for more information. I'll
assume networking knowledge for the present.)

The other half of the package is iptables, which is concerned with the
packet filtering side of things. Once you get used to the fact that
you have to deal with two programs, the split kind of makes sense.

As to the "why", apart from manageability, Rusty Russell, the guy who
is the major contributor to the Netfilter package, explains it by
saying that he felt he had done a better job on the filtering side of
things this time than he did with the ipchains package (to be honest
and fair, he has been saying for a long time that there are some
problems with ipchains - mostly efficiency-wise from what I
understand).

The interfaces to the new programs (at least from the command line)
are not amazingly different from ipchains, but I'm not sure how it
looks from a lower-level perspective. There is a netfilter hacking
HOWTO at the web sites below that may be of some use.

For more information on the Netfilter package, look at
http://antartica.penguincomputing.com/~netfilter
http://www.samba.org/netfilter
http://netfilter.kernelnotes.org

Hope this helps,
Malcolm Tredinnick
