= Netfilter's list of ideas for students participating in GSoC 2014 =

This document provides an introduction for students who are willing to apply to this round of Netfilter's GSoC 2014. Please take the time to read it before you ask questions.

== Introduction ==

In this edition, we propose that the students focus again on the nftables [1] project, which aims to be the successor of the popular iptables [2] firewalling tool. There is a huge ongoing development effort to push nftables mainstream, more specifically in the userland. We believe that GSoC students will help to boost this development, more specifically on tasks that are relatively simple but time consuming and that really need to be done.

Three students successfully participated in the previous edition; their help was fundamental to push nftables into the Linux kernel mainline (first version available since Linux kernel 3.13).

== Prerequisites ==

General requirements for students to participate are:

* must know C, writing code fluently.
* computer networking at a good level, more specifically, layers 2/3/4 of the TCP/IP stack.

== Proposed tasks ==

We propose several tasks for GSoC students in the next sections. This year we provide mostly tasks that range from average to hard in terms of difficulty. All these tasks also involve helping in bug hunting and fixing.

== Task 1: Automatic translation from iptables to nftables ==

* Description: To ease the migration from iptables to nftables, we have to provide translation software that converts old iptables rule-sets to the new nftables syntax.
* Tasks: Implement a utility that translates an iptables rule-set to an nftables rule-set.
* Level of difficulty: Average/hard. We already have initial patches and design discussions on how this needs to be done; the mentors will provide useful pointers to the students.
* Mentors: Pablo Neira Ayuso / Tomasz Bursztyka

== Task 2: High level library for nftables ==

* Description: One of the main weak aspects of iptables was the lack of libraries for third party userspace applications. This has been a major problem for developing firewall applications for embedded devices such as smartphones and routers, since the main interface that was provided consisted of piping commands to the iptables-restore utility.
* Tasks: Implement a user-space library that allows the proliferation of third party applications. It should be suitable for small embedded devices and large scale clusters.
* Level of difficulty: Average/hard. There is code already in the nft utility that can be generalized to provide this library, so half of the work is already done. The main problems that may arise are related to the time the student will need to get familiar with the existing codebase.
* Mentors: Pablo Neira Ayuso / Eric Leblond

== Task 3: Missing features in nftables ==

* Description: As of Linux kernel 3.13, nftables provides around 30-35% of the iptables feature-set [5]. We believe that closing this gap is fundamental to help users migrate to nftables.
* Tasks: Help by implementing missing features that are available in iptables as matches/targets.
* Level of difficulty: Average. There is already a lot of code that you can use as reference for this task.
* Mentors: Eric Leblond / Pablo Neira Ayuso

== Task 4: Implement ebtables compatibility layer ==

* Description: While transitioning to nftables, it is very important to provide a compatibility layer for existing bridge firewalls. ebtables in particular is used extensively in virtual machine environments.
* Tasks: Implement a user-space utility that accepts the ebtables syntax but uses the new framework, to avoid breaking existing firewall scripts.
* Level of difficulty: Average. The student can use the existing compatibility layer for iptables/ip6tables as reference; the code will be similar, but there will be dragons in some corners of the implementation. Last year one of the GSoC students finished the arptables compatibility layer, so the ebtables compatibility layer is the last missing brick.
* Mentors: Tomasz Bursztyka / Pablo Neira Ayuso

= More information on nftables =

The next Netfilter workshop in July 2014 [3] in Montpellier (France) will surely focus on nftables ongoing and future development discussions.

The kernel components were already merged into the mainline Linux kernel 3.13. Nonetheless, the implementation work is still far from complete.

All existing code is available under git.netfilter.org. More specifically:

* libnftnl: low-level userspace library for nftables (based on libmnl).
* iptables: which already includes the iptables compatibility layer working over nftables.
* nft: the new user-space command line tool, with a new syntax different from iptables.

The Linux kernel tree containing the nftables modules is currently available in a different repository [4].

= Contact us / Ask us questions =

If you are a student willing to participate in GSoC 2014 and you're interested in any of our tasks, please subscribe to this mailing list:

https://lists.netfilter.org/mailman/listinfo/gsoc2013

Subscribing to this mailing list requires approval from the administrator, so please be patient; we'll accept it asap. You can use this mailing list to ask your questions regarding Netfilter's tasks during GSoC 2014.

= Applying to Netfilter's GSoC =

If you want to be selected, start getting familiar with the nftables software asap. Patches for the userspace library libnftnl, the command line utility nft and kernel patches will make you rank higher in the student selection process. No patches at all means little chance of being selected.
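To make the Task 1 translation concrete, the following is an added example (not code from the Netfilter project or from the patches mentioned above) of a small iptables-to-nft translator in Python. It covers a subset of the iptables command syntax (chain, protocol, addresses, ports, interfaces, conntrack state, negation with "!", and verdict targets) and refuses anything it does not understand instead of emitting a rule with silently different semantics. The sample rules are constructed for the example; the table and chain names follow the iptables layout (table "filter", chains such as "INPUT"), and the helper and class names are the example's own.

```python
import shlex

# iptables verdict targets and their nft statement equivalents (subset).
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject", "RETURN": "return"}
# Match extensions whose options are handled below; any other -m is refused.
KNOWN_MATCHES = {"tcp", "udp", "conntrack"}
# Protocols for which --dport/--sport make sense.
L4_WITH_PORTS = {"tcp", "udp", "sctp"}

# Constructed sample rule-set in iptables command syntax (not from the page).
SAMPLE_RULES = [
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT",
    "iptables -A INPUT -p udp ! -s 10.0.0.0/8 --dport 53 -j DROP",
    "iptables -A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT",
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",  # deliberately unsupported
]


class UnsupportedRule(ValueError):
    """Raised for iptables options this example translator does not cover."""


def _port(spec):
    # iptables writes port ranges as low:high, nft as low-high.
    return spec.replace(":", "-")


def translate_rule(rule):
    """Translate one iptables command line into an nft 'add rule' command."""
    toks = shlex.split(rule)
    family = "ip"
    if toks and toks[0] in ("iptables", "ip6tables"):
        family = "ip6" if toks[0] == "ip6tables" else "ip"
        toks = toks[1:]
    table, chain, verb, verdict = "filter", None, "add", None
    proto, proto_pos, proto_used = None, None, False
    exprs = []
    negate = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":            # negation applies to the next match option
            negate = True
            i += 1
            continue
        op = "!= " if negate else ""
        negate = False
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t in ("-t", "--table"):
            table = arg
        elif t in ("-A", "--append"):
            chain = arg
        elif t in ("-I", "--insert"):
            chain, verb = arg, "insert"
        elif t in ("-p", "--protocol"):
            if op:
                exprs.append(f"meta l4proto != {arg.lower()}")
            else:
                proto, proto_pos = arg.lower(), len(exprs)
        elif t in ("-s", "--source"):
            exprs.append(f"{family} saddr {op}{arg}")
        elif t in ("-d", "--destination"):
            exprs.append(f"{family} daddr {op}{arg}")
        elif t in ("-i", "--in-interface"):
            exprs.append(f'iifname {op}"{arg}"')
        elif t in ("-o", "--out-interface"):
            exprs.append(f'oifname {op}"{arg}"')
        elif t in ("--dport", "--sport"):
            if proto not in L4_WITH_PORTS:
                raise UnsupportedRule(f"{t} without a port-carrying -p protocol")
            # 'tcp dport 22' already implies the transport protocol in nft.
            exprs.append(f"{proto} {t[2:]} {op}{_port(arg)}")
            proto_used = True
        elif t == "--ctstate":
            exprs.append(f"ct state {op}{arg.lower()}")
        elif t in ("-m", "--match"):
            if arg not in KNOWN_MATCHES:
                raise UnsupportedRule(f"match extension {arg}")
        elif t in ("-j", "--jump"):
            if arg not in VERDICTS:
                raise UnsupportedRule(f"target {arg}")
            verdict = VERDICTS[arg]
        else:
            raise UnsupportedRule(f"option {t}")
        i += 2
    if chain is None or verdict is None:
        raise UnsupportedRule("rule needs a chain (-A/-I) and a verdict target (-j)")
    if proto and not proto_used:
        # A bare -p with no port match becomes an explicit protocol match.
        exprs.insert(proto_pos, f"meta l4proto {proto}")
    # iptables always keeps packet/byte counters; nft only does when 'counter' is present.
    return " ".join([verb, "rule", family, table, chain] + exprs + ["counter", verdict])


def translate_ruleset(rules):
    """Translate a whole rule-set, flagging unsupported rules instead of aborting."""
    out = []
    for rule in rules:
        try:
            out.append(translate_rule(rule))
        except UnsupportedRule as exc:
            out.append(f"# unsupported ({exc}): {rule}")
    return out


if __name__ == "__main__":
    for line in translate_ruleset(SAMPLE_RULES):
        print(line)
```

Two design points matter for a real translator as much as for this toy: refusing rules with unknown options keeps a translation failure visible rather than producing a rule-set that loads but filters differently, and the explicit "counter" preserves the accounting that iptables users expect from every rule.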
= References =

[1] http://en.wikipedia.org/wiki/Nftables
[2] http://www.netfilter.org/projects/iptables/index.html
[3] http://workshop.netfilter.org/2014/
[4] http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git
[5] http://people.netfilter.org/pablo/map-pending-work.txt

Author: Pablo Neira Ayuso
Last update: 11:12 +01:00 26/FEB/2014

-EOF-