From UnderLinux Wiki

Harald Welte, a.k.a. "LaForge", is a member of the core team of the netfilter/iptables project; open source developer, firewalls, and Linux servers; member of the movements Greenpeace, GNUMonks, ATTAC.

UnderLinux: Can you tell us something about you, your country, your work and your activities with free software?

Harald: I'm a 22 year old computer geek from Germany. The beginning of my 'Linux career' was the necessity of running a gateway between FIDO, UseNet and ZConnect (some proprietary German message format used in the so-called Z-Netz). I tried using KA9Q on DOS, didn't succeed and had a look at Linux. I had never had any experience with unix-like operating systems before. After learning about administration, shell scripts, perl programming and unix C programming, I spent a couple of years installing, configuring and customizing Linux-based mail, news, web and file servers. Later on, I was contracted for custom software development on Linux and Solaris. During that time I always tried to contribute bugfixes and new features back to the free software projects I had been working with. I am a very religious member of the free software community (see also my gnumonks.org domain name).

My favourite subject within computing has always been firewalling. Considering this, it's not too surprising that I tried the 'new' netfilter/iptables code in its early development state during the 2.3.x Linux kernels. There were some features missing, and I started to implement some of them. I got more and more involved with the project, resulting in me becoming the fourth member of the netfilter/iptables core team in October 2000.

To give you some non-IT facts about me: I'm politically interested, a member of the Attac movement against neoliberal globalization (http://www.attac.org) and a member of Greenpeace (http://www.greenpeace.org). I attended demonstrations against the US war in Afghanistan. It's very important not to forget the real world.

UnderLinux: You worked some months at Conectiva in Curitiba/Parana (Brazil), right? What's your impression of the technology that we have in Brazil? Do you believe that GNU/Linux could help improve this area?

Harald: Yes, I have been working at Conectiva's development department for about half a year. I very much, and it was very interesting to learn about the way people deal with free software in Brazil. From my point of view, Linux is accepted very well within Brazil. I'm not sure how I would compare the Linux-friendliness between Germany and Brazil - maybe it's equal. But it seems that there is higher acceptance of Linux for professional applications in both countries compared to North America.

My general impression of the IT industry in Brazil is that it is suffering because of the high import taxes (60%) on computing equipment. The import tax seems great for protecting domestic markets for conventional goods, since they can be produced within the country - but nobody is going to produce something like Gigabit NICs inside Brazil. All high-tech electronics tend to come from South-East Asia; Brazilian government officials are not going to change that fact.

UnderLinux: Considering the growth of knowledge and methodology during the iptables/netfilter project: if you were to start a new packet filter, what are the problems that you could avoid to get a better development, without the waste of time that you occasionally had with iptables?

Harald: First of all: I'm not the initial author of netfilter/iptables. Rusty Russell is the founder of the project, so maybe you should have asked him ;) Considering the time during which I've accompanied netfilter/iptables development, I don't think that there was a big waste of time at any point. Some issues where we could have saved time by going a different way initially:

ipnatctl: Rusty designed two different tools for manipulating filtering tables and NAT. Marc proposed to integrate them within one tool. This was still during 2.3.x, so most people don't even know this part of the history.

conntrack/nat helper: The original design had a fixed limitation of one expectation per master connection. This works for FTP, but is not enough for IRC, H.323, RealAudio and others. We are working on the so-called newnat API, which will be submitted to the 2.4.x kernels soon.

monolithic ip tables structure: The current in-memory structure of an ip table is monolithic. It's one big block of memory, containing all matches+targets of all rules of all chains of one table. As stated earlier, this starts to be a problem when you have dynamic rulesets. We will correct this with iptables2.

userspace iptables: Currently iptables has plugins for extensions. Instead of being part of the iptables commandline tool, they should be part of some generic library, independent from the commandline tool. Again, this will be corrected with iptables2.

As a summary, I'm very happy with the way netfilter/iptables went. I wouldn't go a different way if we were about to start a new firewalling system from scratch.

UnderLinux: How is the development of iptables for the 2.5/2.6 kernels? Too many changes? Do we have some big changes in the filtering chains?

Harald: We will have quite a lot of changes with regard to iptables and the 2.5/2.6 kernels. At our first netfilter developer workshop in November 2001 we discussed our plans.

The first big change is something invisible to the user: the monolithic structure of an IP Table is going to get split into a linked list of chains, which are in turn a linked list of entries. This should increase performance with dynamic rulesets.

In addition, the kernel-userspace interface is going to change. Right now different parts of netfilter use different facilities. Especially iptables is still using a very primitive setsockopt() interface. We will have nfnetlink (netfilter netlink), which compares to the already existing rtnetlink interface for routing table manipulation.

And as a third big change, there will be iptables2, the userspace rewrite of the current iptables-1.x commandline program. iptables2 will be based on libiptables, which is a library to provide a generic API for all applications that want to monitor or manipulate firewalling rules. This will make it a lot easier for intrusion detection systems and firewall configuration GUIs to interface with the firewalling subsystem of the kernel.

Another interesting topic is high availability and firewalls. I can't promise anything, but currently it looks very promising that we will have sponsoring for connection tracking state synchronization, which is needed if you want to do failover between redundant state-tracking firewalls.

UnderLinux: Have you heard about GNU/HURD? Do you think it can help to improve the Linux kernel, or is it just another good option, but in confrontation with the Linux kernel?

Harald: A couple of years ago I installed the experimental Debian HURD distribution and did some testing. It was mainly curiosity after attending one of Richard Stallman's famous speeches. It looks like a great academic playground for new directions in operating systems but not like something for practical use. Unfortunately there aren't enough developers working on GNU/Hurd. I guess most people are busy improving the more advanced free kernels like Linux and *BSD and have no time for GNU/Hurd.

UnderLinux Team.