netfilter project logo

About the netfilter/iptables project

Who's behind netfilter?

The initial author of and head behind netfilter/iptables was Paul "Rusty" Russell. Later he was joined by other people, who together build the Netfilter core team and maintain the netfilter/iptables project as a joint effort.

But netfilter/iptables wouldn't be what it is today if it wasn't for the numerous contributions by independent software developers, whom we call contributors. We used to keep a scoreboard as a reward for people who helped us a lot - but lately it became too much effort to maintain this scoreboard. It has thus been deactivated until further notice.

If you are interested in more information, there is also a small page about the history of the netfilter project.

The netfilter core team

What Is the Core Team?

The Netfilter Core Team are the people who make the decisions, have commit access to the master Source Control Management (SCM) tree, and do Official Sounding Stuff. To be on the core team implies excellent judgement and some dedication; after all, anyone in the core can do releases. The core team elects one of it's members to be the Head of the netfilter core team. Members of the core team who are no longer actively developing code are called emeritus members of the core team.

How Do I Get on the Core Team?

To get on the core team is fairly simple. Impress us so someone proposes you and no one vetoes. Suggested methods include:

  • Submit enough great patches over a long time.
  • Read the three HOWTOs, and submit extensions or corrections.
  • Keep your Emails short and to the point. Don't flame; inform.
  • Look at what's happening in GIT, the netfilter-devel and the netdev list (at vger.kernel.org).
  • Implement what's on the projects TODO list.
  • Show an ongoing interest in supporting netfilter/iptables, not only in one specific area of interest, but as a whole.

What Are the Perks of the Core Team?

So far, there are two:

  • If you're ever in Australia, you get a free beer (or alternative beverage) on Rusty. Harald now also offers this for Germany. So it does Pablo in Sevilla, Spain ;)
  • You may get to meet some very cool people in associated projects (most of all other Linux kernel hackers). Of course, you may not.

Contributors

There are numerous people contributing to the project. In the early development period we used to keep a scoreboard and list the contributions of every single developer. However, the scoreboard is closed now.

Webmaster

Web site layout and logo design by Daniel García. The current Webmaster is Pablo Neira Ayuso. Harald Welte, the former webmaster, made the XML/XSLT Docbook-website conversion of the page.

Listmaster

The listmaster takes care of the moderation and administration of our mailinglists.

The current Listmaster is Pablo Neira Ayuso.

FAQ-Master

The faqmaster takes care of the FAQ collection.

The current faqmaster is Tarek W. Said.

Project history

Early in the development, a few people contributed some code, but none of them had become long term contributors. After considering the problem, Rusty decided to try keeping a scoreboard of people who contributed patches and bug reports. It was this process of quantizing the contributions which brought to attention the quantity and quality of work coming out of the passionate French Canadian Marc Boucher, and Rusty decided that it was time to start a Core Team, of which Marc would become the second member.

The core team was actually started shortly after Rusty, while on a trip to SF in November 1999, made a detour to Montreal (despite the lack of warm clothing) to meet and discuss some big design issues.. Rusty and Marc spent a whole night in Marc's office conceiving the multiple tables framework which lead to the death of ipnatctl (a separate tool used to control nat in early versions of netfilter), generalization of iptables and birth of the iptable_{filter,nat,mangle} modules.

After all this was mightily implemented (and ip_conntrack rewritten) by Rusty, we started getting some nice contributions from a certain James Morris (a netlink and userspace queuing freak, living down under like Rusty).

In the spring of 2000 Marc traveled to Australia to attend a few conferences and spend some time in Canberra working with Rusty at Linuxcare on netfilter/iptables (fixing various bugs, implementing additional modules and merging everything into the official Linux tree).

At the Sydney Linux Expo we met James Morris in person, and his amazing coolness convinced us to invite him to become the third Netfilter slave core team member around the beginning of June.

Following James' assimilation into the collective, our efforts were mainly directed towards preparations for the release of Netfilter as part of the upcoming 2.4 kernel. It was the dawn of the third age of Linux firewalling; a time of great struggle and heroic deeds. It was our last, best hope for peace. Great communities were founded, old civilizations were lost, and new alliances were formed. James' missions during this period included the continued perversion of the networking code, such that it was now possible to load an ASN.1 parser into the kernel and inflict grave terror upon unsuspecting SNMP packets; and to extend the IP stack into userspace with Perl. Now peering squarely into the abyss, we noticed the good deeds of a young kernel warrior named Harald Welte, who seemed to actually understand the NAT code.

Accordingly, his distinctiveness was added to the collective. With balance restored, the netfilter juggernaut was now free to accelerate into the brave new world of Linux 2.4 and face it's greatest challenge: users.

Harald's first (code-) contribution to the Netfilter project was the connection tracking module for IRC. Following that he worked on some smaller stuff like TTL match and target modules as well as IPv6 porting. The ULOG target including the ulogd daemon were the next milestone. After getting included in the Netfilter core team in September 2000 he took over lots of the administrative work like doing releases, maintaining SCM, TODO lists, etc. and got involved more and more with fundamental design issues.

At the time of writing, this is mainly the new conntrack/Nat helper framework for multiple related expectations, the upcoming new kernel/userspace interface nfnetlink as well as the whole new userspace world based on libiptables.

At the first netfilter development workshop in November 2001, Jozsef Kadlecsik was invited to join the coreteam as its fifth member. Jozsef is a long-time active netfilter contributor. Among his contributions are: REJECT target, TCP window tracking code, continued development of the newnat API and the raw table.

At the second netfilter development workshop in August 2003, Martin Josefsson was invited to join the coreteam. Martin did a lot of useful work, especially with regard to optimizations on the connection tracking code

At this time, the coreteam also decided to formally elect a Chairman who get's the final call on all decisions. It was further decided that members of the team who do no longer actively contribute code can became emeritus members.

In January 2004, Patrick McHardy was asked to join the coreteam because of his continuing important contributions to the codebase of the netfilter project. Unfortunately, Patrick was suspended in June 2016 for not subscribing The Principles of Community-Oriented GPL Enforcement.

In October 2005, Yasuyuki Kozakai was asked to join the coreteam, especially in regard to his long-standing work on nf_conntrack and his ip6_tables caretaking.

In February 2007, Pablo Neira Ayuso was asked to join the coreteam, especially in regard to ctnetlink and conntrackd.

In October 2012, Eric Leblond and Florian Westphal joined the coreteam for their longstanding contributions and fellow hackers Harald Welte, Martin Josefsson and Yasuyuki Kozakai entered Emeritus officially. Arturo Borrero became coreteam member in July 2017 for his outstanding contributions to nf_tables and the conntrack-tools.

During the Netfilter Workshop 2013 in Copenhagen, Denmark, Pablo Neira Ayuso officially became the head of the coreteam, although he has been serving already as co-maintainer since 2011.

License terms of the netfilter/iptables software

Netfilter/Iptables is - like all of the Linux kernel - free software (sometimes referred to as Open Source), distributed under either the terms of GNU GPLv2 only or any later version.

For further information, please see the Licensing and the GPL compliance FAQ sections of this homepage.

Netfilter project PGP key

The Netfilter Core Team has a PGP key that we use to sign all software released by the project. Current PGP key id is 0x26D292E4, this key was generated on November 19th, 2015 and will be valid until November 17th, 2020.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBFYldiMBEAC635z9C9kG6VzzdWIO8BEmzjJ6dwe5yMnlZqN5r2CP5h9BrRB3
BW4oLFLeJyFwsSP6aQeTUB/xkfBG01G6tjsnDWiEVkg2B1/iw4o8mfTTupvMG0Dg
3YY66Cu6vKx8zvFafq3jczzNp2O1Id8N7HT6zhERmHmZXdZw8jdtJKNmYOHyCSMF
SWh8L+C9Y/RmACqegAp8hvNflQPWnTzQovWMiGxE/9/21pJfOgEu/Ky2O3xaObNg
WZ9ILxcwgf6vb/3SmLOnuWl+w1HhdquDlvye7yYyE1xrpu8nUQtzXqL/D3XjQGwX
3Is51r508gKxMY4E4h8KkDiA51uHRCbScIjT+dK1Sm+Q2SN/2KJGeQAEFe9GWXpi
/+b3xpemu+8L7lBXChbYkKtyWL7d6FnATs8lm3ey9THMAGzjnkl0vYRlrlh48xbk
Je4oHSQF7OBkQoFGzPN8kwrZgw9dd9+w3nYkn63ILZjaZL30QZI1CmLXp+jdY7DQ
agnry8cNLhWAXklZfeiicsmzHdkXez/rQo7X6T7hL8PQJT6h2SpykOHPL6dOzAiP
SWryf56JWu6wjJNC1CwvbbbcmjhjUg972/7dupV6+qjletPtJcO8RG3QLvM3RKkf
4sSm759Y20mo03B94Hhi+2GpJYrnLUVkwV2MnfGm2ig1M60xEtSSed8UTQARAQAB
tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
PgQTAQIAKAUCViV2IwIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
CgkQq0ZVoSbSkuTaBxAAupoH2w8oEfjK2x4N6mxpIKJz41J2AapAQ8/I4HbxV0t0
JvwDSPdqqni5BvnhbrLoqCKV4OEhzZslAaEfgetLQKQbczvPIgGwh5I738+H6gGa
WCd1c2FyGv0nEqEB4++6rjZDvWmropE4+K6OoJzFCNopTdXb/RW/f912MX8rz+0I
VshkbrvTHpGjzYwE7cO7Q5wwXtAuXh68F5dqIxsZXY9nnnKCy2HBsPMeK1QwMZTZ
XYerTYMHNyEPuBZCK4ubLnSuL8Q5D26Ln7K0+saFHvqgI/vZknFHkRUq63QgkXdh
LAavo4Vkv5DlmtDgIukykjlzCHSc3vODoEfuu5vjzYr5mefl4EpjPwMzd+i8p8fJ
8e1jU4VQnfR1YqvZMlyNbUGsxlN9PvlnnHLfu1RNn+Gj+SE43e1pR5RFC1Y0TAYP
phXc/o35hJ3JguNU41spKr62VrE/fBYTUWIkVbJ4ojb3OwUvF9agTg6L7yoOOMhd
8RMt7hUnBzKsDI4hKrVX0KX2YfT4819XgLo/bDBdejZ81Xk/5+ICmzvBOL3m7SCY
MzHdfWNCgsXzMbuK40h8NU9G2M8DqGvcv3oyjPxvzRJxSs8I8khGxvc5XIiV64W+
2tsvmMzb0oxLj/B7NgSz4CZGbVaIhOFFRPVm+4zYclM+EQtBXY0chiLRoJcnPSGJ
AhwEEAECAAYFAlYld28ACgkQpBEfibtfWMwPuw/+KgcsIbvnAfacFJhYKY8os6YC
x2RtqDS2r+kbdQgc4/ije6591y0nx/gLGk9wBB2p01SJthnI2l5B15c5nlhSfGIE
0bkDDvKOsaoUcUexKC5DFWtz2/6dn/5aPDbSeTPh6vbgND37jAZeuyUKh44tDePU
nNICDFiP9Ly8v117hF/ceH26rprhcGZfbbjqZQe7TppEggB6/ORadfJlQotH+390
uw9OnoQQ6mevGUwGaF8WOafnI5UVyR37o38xcnJ7BH603rsJWYBrdwfDBbVFDc+b
kujAfSyJkex9jel5a1duKpqvXo7+ko5Ow8HS+kXIh1YtF8Cudv51B3G+xNfbSm8l
fZusj9h9huuXB3u4FlWQmgjFC3Z9M3ZQkeWqrnhyQeXKHS6qJy5+IahhkyJamhZJ
Fxa3B/+Y5LapRQoXyEw+5dXJ9oWVeigR7jP7qWnPcI1OY2PI+KHjphb28iuGhDAW
PwTp7tPpghP9r9cXdQQJ4eoreFnKugqOXi3nX9bv74i1MwmxB0mxvtV1F9pUYn9o
+WzX/KWhPtBqMSykPVUyZCzyT/igSzF0WRie8/AtOMWSRAGejwVdrbkJN3uArcKg
HB5DyASUtP04HnO7mR3HBIbR+2UnRJXPgWcVgE9ZSlDwk+FHQfmgF7zB/6FI1IqS
7eIaGZmQVldO4NCaLim5Ag0EViV2IwEQAKytbHA7r71kxCb/stEq94ZzPJpxyCtl
zXJ+Kf3eZztZsgrWVj0VQyEMslyTJ7RKqywTJ48QXUHEJLe6NpiRS8iWDvl2//Sc
h9etTD8mzOtHQ1zk08ZwKd3Qx+LXS/+bJ1QMqwvd1tjzGoSuG3cKTNdAs/xcbXAd
sSe2aKqt273jeCklGm7EWCTdvQcIyrYN/djLSevEgAFjdtX3kPybPSow6TaF9kpf
WaCEdm2yLGhjXrYv3Ik8uNzEv1eilzU3KGK4MkslvxwjcPSo7bx/oP1v83tLAlyS
i28uqEUH7EdszwU7PWAfdhnqRvt49b/rcOI7W75iykrHvkuQRvFHto9wcW8+P0RA
na5cQ3uIF9YYuSv1tNefaQeuX4WvgzN2LyqzaLirKi7MZuQzIw43RKlUFrT3eLWM
uLi9kVnBr73nXvrTea2LAWrX3pTH00hTfo8RZ7cKJOmJrpZ8yAz+DrVIyzqR9Wcj
U3FxMgEM+dWl3I1bpP+jFeuIUhJx9RQe7+/WaPWn3ZjUinaV3/J72dyDux514acI
d6Y1qZcmpWUe52+z5SA8RwiuktxDd5brQV+MPaIdNyn61pX2W9kw/7PObjc21O00
m/ChQvdIvR/6rHdcN5M8uHr0SZchbyKsJLGGO+obk36Q3cfMmm3xWCBtk13NojJA
O0fqDKPgeOpJABEBAAGJAiUEGAECAA8FAlYldiMCGwwFCQlmAYAACgkQq0ZVoSbS
kuSAdg//Xi+kyfNsAq4dx8fkd2HllTm7pBAauB6PCkRZ4LyIvtg9eD5Y1rSEz3qZ
Q7aV7txNYuyO+BdfducRbO6U+gQ+uXtd/9fMuEV+acBn7tB0yaYt1AeO1l5Up8kQ
Sw/v6oinEgpEdZnCiYMiGPSmwNK69Q67/9wyUfsAbfRbsMP4MYL+78iMcaw2tvhh
EsSXNYi8rihYg7Z1JJiaarSVdLM4t/FtTUFMFlhdwllKan7599egieHE8rrqy5/f
eHHiQ4Xq0vbRXGAEnZm5eoOj8FoHRa6Zm+OCe4HQQrAfatnKY4Q27m4E6u1d9glT
ARijk4YoSWRyM/y2crh7/VjWF1DX6RDjlDfewvo+tPdU0ofuT+qCThOtVTAQS+dZ
8N09BRSrQPZLmyi5NPBh++bzy2gai2uQfPGd5yVnZWiTnYBhM+uT1FIe/IlidwBQ
DsIbAxH8RWAvoGVqrfasN1sqdnmNqvuXqeCkcbqqtzNFd81xOs+X3xfAgqkXv8sx
gIfEcRJk/zZfshxCFb+6qSZOhkr5F6+XTf48mQojdnxxIWTgbS75ZxOVIzG2Dhqp
NxfDgER2qyf6gEQE86jWHQ0XvUisZW6IPpOllsSeIr0lZmGNvLxFn+/SGe/WRydM
KEYvr69wsKXOPPEo8Iu2vztB1us10msVzXmEdFZ8L3K2a7ZQqiE=
=xrra
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the key.

In accordance with good key management practices, we have also generated a revocation certificates for our old PGP keys. The revocation certificate for our old PGP key id 0xCA9A8D5B, 0x2D0987E6 and 0xBB5F58CC have also been sent to the public PGP key servers.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
Comment: A revocation certificate should follow

iQIuBCABAgAYBQJWUjQZER0BS2V5IGhhcyBleHBpcmVkAAoJEKQRH4m7X1jMYr0Q
AMuzYZg4nmwGEOiz1DIY/nlKCrHAZHqPtcm+qy0QNFwRQgLRigWFvUUyxA+V0LKN
wZYrdM8uIYB76Fy7eWCml79BH2+SJXZDEBRyHsU+t3+Nvf38PmxyoqZcAA62e0SO
nrzn0HHnTK0ckVX7hZZTYqnDcQ7etw40jqnUdn4/waajN8VroffU9lHmZAENyGh9
zsIu+krcH0A0FmOOzgUMwY/iVPK04EhxjPClbYId92WKTq3I0BMzvM2kvjFiyhbA
2aJcvPPhykydx7fhyLfk/HdC3XuZFWykGLJRCKcKSw7CGv+yrS/EbkfYmxsYtH/z
tjKBLwHQ9ORLyIOqnQqtrGFC2s1I7JsTshEtZPlv7P1Kp9oT5CxVxYMs6Vibw/So
VOm4lY7tldTydbb6Gb618lLwGOeakA+t4bddes7/+HZdLdmQQpzDroC+UyZP1V5A
/9S6TMEx1YHXGU6zHb8PjVXH3cD8N/CI4h4IsMmWI+QPf+lXEUioi53giNw+KxhE
YcLsz+C0PkGMdUh8PJ5EGrhqkVC/UrAPmU5wg73hWr2eY6JlsBaoSDjK9ih0CGiV
lVxHD2SE6tK6TmIsA/TZepJOi10WirlTr7Er4pC0hI8AuX+JqlFGN+jhEj0pZa7u
VC9sQFL6IAfU+Q4q+c3usjQHyqKJcPQ67qVlkDaSe39G
=rasM
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the revocation certificate.

Thanks

We want to thank all our vivid contributors. Without their general help, suggestions, bug reports, comments and actual code contributions, Netfilter wouldn't be what it is.

We thank Linus Torvalds for starting the development of the Linux kernel.

We thank the Linux networking gods (Alexey Kuznetsov, David Miller, Andi Kleen, et al.) for providing Linux with its great network stack.

We thank the founding fathers of the Internet. Who would need firewalls if there was no Internet ;-)

We also thank the companies and individuals who contributed funding or equipment for netfilter/iptables development:

  • Watchguard Inc for sponsoring Rusty initially
  • Linuxcare Inc. for sponsoring Rusty later on
  • Conectiva Inc. for sponsoring Harald from March to September 2001
    • for sponsoring Harald starting with February 2002
    • for sponsoring the netfilter developer workshop 2003, 2004, 2005 and 2007
    • for sponsoring work on netfilter failover
    • for providing the project with a dual Opteron test system
    • for sponsoring Patrick starting with January 2006
    • for sponsoring Pablo starting with April 2012
    • ... and generally providing support to the project where possible
  • Marion Bates, Chris Brenton, and William Stearns for donating two gigabit NICs to the netfilter coreteam
  • for hosting the netfilter project SCM/www/ftp/mailinglist server and sponsoring the traffic (about 110GB per month) until 2012.
  • for hosting the netfilter project SCM/www/ftp/mailinglist server since 2012.
  • for sponsoring nftables development (from March to April 2014).
  • Theo Zourzouvillys for sponsoring the iptables.org domain registration fee
  • Gert Hansen for sponsoring vishnu.netfilter.org, the main netfilter.org server (Dual G5 XServe)
  • The USAGI Project for working on nf_conntrack, despite we turned down their initial ip6_conntrack
  • Pablo Neira for organizing the Netfilter Workshop 2005.
  • Jesper D. Brouer for organizing the Netfilter Workshop 2013.
  • Balabit for sponsoring the netfilter workshops 2005, 2008 and 2010.
  • INL for sponsoring the netfilter workshops 2005, 2008 and 2010 and organzing the 2008 workshop.
  • ComX for sponsoring the netfilter workshops 2007, 2008 and 2010.
  • Cyberoam for sponsoring the netfilter workshops 2007, 2008 and 2011.
  • Intra2net for sponsoring the netfilter workshops 2010, 2011 and 2012.
  • All the other workshop sponsors, which are mentioned on the individual Workshop Pages.

Copyright © 1999-2014 Harald Welte, Pablo Neira Ayuso . Pablo Neira Ayuso