= Netfilter's list of ideas for students participating in GSoC 2016 =

This document provides an introduction for students who are willing to apply to this round of Netfilter's GSoC 2016. Please take the time to read it before asking questions.

== Introduction ==

In this edition, we propose that the students focus again on the nftables [1] project, the successor of the popular iptables [2] firewalling tool. There is a huge ongoing development effort to get nftables into production state. Currently the project implements around 50% of iptables features while providing a way more flexible tool and framework to express your ruleset than iptables. We believe that GSoC students will help to boost this development, more specifically on tasks that are relatively simple but time consuming and that really need to be done.

== Prerequisites ==

General requirements for students to participate are:

* must know C, writing code fluently.
* computer networking at a good level, more specifically, layers 2/3/4 of the TCP/IP stack.

== Proposed tasks ==

We propose several tasks for GSoC students in the next sections. This year we provide mostly tasks that range from average to hard in terms of difficulty. All these tasks also involve helping in bug hunting and fixing.

== Task 1: Implement missing features in nftables ==

* Description: As of Linux kernel 3.19, nftables provides around 50-60% of the iptables feature-set [5]. We believe that this is fundamental to help users to migrate to nftables.
* Tasks: Help by implementing missing features available in iptables as matches/targets.
* Level of difficulty: Average. There is already code that you can use as reference for this task.
* Mentors: Pablo Neira Ayuso / Eric Leblond

== Task 2: Implement glue code to allow nft and iptables-compat interaction ==

* Description: The iptables-compat utilities allow you to load your ruleset expressed in the iptables syntax. The nft tool provides the new command line interface to nftables. To transition to nftables, we'll allow people to use the existing xtables extensions from nft.
* Tasks: Implement the glue code so nft doesn't break when the user manipulates its ruleset with iptables-compat.
* Level of difficulty: Average. There is an incomplete patch that was posted to the mailing list already.
* Mentors: Pablo Neira Ayuso / Eric Leblond

== Task 3: Library improvements for nftables ==

* Description: We already have the low level libnftnl, but this library is probably too low level for user applications. Its markup language support is still not in good shape; basically it needs more work.
* Tasks: Improve the low level library and bootstrap the code to implement a higher level user-space library.
* Level of difficulty: Average/hard. There is code already in the nft utility that can be generalized to provide this library, so half of the work is already done. The main problems that may arise are related to the time that the student will need to get acquainted with the existing codebase.
* Mentors: Tomasz Bursztyka / Eric Leblond

== Task 4: Finish the automatic translation from iptables to nftables ==

* Description: To ease the migration from iptables to nftables, we have to provide translation software that will convert the old iptables rule-sets to the new nftables syntax.
* Tasks: Complete the utility that will allow translating iptables rule-sets to nftables.
* Level of difficulty: Average. We already have initial patches and design discussions on how this needs to be done; the mentors should provide useful pointers to the students. There is still incomplete code available at: http://git.netfilter.org/iptables/log/?h=xlate2
* Mentors: Pablo Neira Ayuso / Tomasz Bursztyka

= More information on nftables =

The next Netfilter workshop in June-July 2016 [3] in Amsterdam (Netherlands) will surely focus on nftables ongoing and future development discussions. The kernel components were already merged into the mainstream Linux kernel 3.13. Nonetheless, implementation work is still far from complete. All existing code is available under git.netfilter.org. More specifically:

* libnftnl: low-level userspace library for nftables (based on libmnl).
* iptables: which already includes the iptables compatibility layer working over nftables.
* nft: the new user-space command line tool, with a new syntax different from iptables.

The Linux kernel tree containing the nftables modules is currently available in a different repository [4].

= Contact us / Ask us questions =

If you are a student willing to participate in GSoC 2016 and you're interested in any of our tasks, please subscribe to this mailing list: https://lists.netfilter.org/mailman/listinfo/gsoc2013

Subscribing to this mailing list requires approval from the administrator, so please be patient; we'll accept it asap. You can use this mailing list to ask your questions regarding Netfilter's tasks during GSoC 2016.

= Applying to Netfilter's GSoC =

If you want to be selected, start getting familiarized with the nftables software asap. Patches for the userspace library libnftnl, the command line utility nft and kernel patches will make you rank higher in the student selection process. No patches at all means little chance of being selected.

= References =

[1] http://en.wikipedia.org/wiki/Nftables
[2] http://www.netfilter.org/projects/iptables/index.html
[3] http://workshop.netfilter.org/2016/
[4] http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git
[5] http://wiki.nftables.org

Author: Pablo Neira Ayuso
Last update: 11:12 +01:00 17/FEB/2016

-EOF-