= Netfilter's list of ideas for students participating in GSoC 2017 =

This document provides an introduction for students who are willing to apply to this round of Netfilter's GSoC 2017. Please take the time to read it before you ask questions.

== Introduction ==

In this edition, we propose that the students focus again on the nftables [1] project, the successor of the popular iptables [2] firewalling tool. There is a huge ongoing development effort to get nftables into production state. Currently the project implements around 50% of iptables features while providing far more flexible tools and a framework to express your ruleset than iptables. We believe that GSoC students will help to boost this development, more specifically on tasks that are relatively simple but time consuming and that really need to be done.

== Prerequisites ==

General requirements for students to participate are:

* must know C and write code fluently.
* a good level of computer networking, more specifically layers 2/3/4 of the TCP/IP stack.

== Proposed tasks ==

We propose several tasks for GSoC students in the next sections. This year we provide mostly tasks that range from average to hard in terms of difficulty. All these tasks also involve helping with bug hunting and fixing.

== Task 1: Implement missing features in nftables ==

* Description: As of Linux kernel 4.9, nftables provides around 70-80% of the iptables feature-set [5]. We believe that closing this gap is fundamental to helping users migrate to nftables.
* Tasks: Help by implementing missing features available in iptables as matches/targets.
* Level of difficulty: Average. There is already code that you can use as reference for this task.
* Mentors: Pablo Neira Ayuso / Eric Leblond

== Task 2: Library improvements for nftables ==

* Description: We already have the low-level libnftnl, but this library is probably too low level for user applications. Its markup language support is still not in good shape; basically, it needs more work.
* Tasks: Transform nftables so that all active code lives in a library, and expose this library as a higher-level user-space library. Extending the basic API to handle sets would be a really interesting second step.
* Level of difficulty: Average. There is code available implementing libnftables but it is not finished. The main problems that may arise are related to the time that the student will need to adapt to the existing codebase.
* Mentors: Eric Leblond

== Task 3: Objects handling in libnftables ==

* Description: The libnftables work in Task 2 will allow users to programmatically update the ruleset. As nftables makes heavy use of sets, it would be really nice to handle them in the library. As these objects are typed, an abstraction would be interesting.
* Tasks: Add functions in libnftables to handle sets, and expose this with an API in the higher-level user-space library.
* Level of difficulty: Average/Hard. The existing code implementing libnftables will have to be used. There is code available implementing libnftables but it is not finished, so the student will have to adapt to the code done in Task 2.

= More information on nftables =

The next Netfilter workshop in June-July 2017 [3] in Amsterdam (Netherlands) will surely focus on discussions of ongoing and future nftables development.

The kernel components were already merged into mainstream Linux kernel 3.13. Nonetheless, implementation work is still far from complete.

All existing code is available under git.netfilter.org. More specifically:

* libnftnl: low-level userspace library for nftables (for libmnl).
* iptables: which already includes the iptables compatibility layer working over nftables.
* nft: the new user-space command line tool, with a new syntax different from iptables.

The Linux kernel tree containing the nftables modules is currently available in a different repository [4].

= Contact us / Ask us questions =

If you are a student willing to participate in GSoC 2017 and you're interested in any of our tasks, please subscribe to this mailing list:

https://lists.netfilter.org/mailman/listinfo/gsoc2013

Subscribing to this mailing list requires approval from the administrator, so please be patient; we'll accept it asap. You can use this mailing list to ask your questions regarding Netfilter's tasks during GSoC 2017.

You can also drop a line to arturo@netfilter.org. Please make sure you Cc gsoc2013@lists.netfilter.org in your questions, since most likely what you ask and the reply you get will help others in the community too.

= Applying to netfilter's GSoC =

If you want to be selected, start getting familiar with the nftables software asap. Patches for the userspace library libnftnl, the command line utility nft, and kernel patches will make you rank higher in the student selection process. No patches at all means little chance of being selected.

= References =

[1] http://en.wikipedia.org/wiki/Nftables
[2] http://www.netfilter.org/projects/iptables/index.html
[3] http://workshop.netfilter.org/2017/
[4] http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git
[5] http://wiki.nftables.org

Author: Pablo Neira Ayuso
Last update: 12:47 +01:00 21/MAR/2017
-EOF-