Linux kernel to include IPv6 firewall

By Ingrid Marson, ZDNet UK, Special to ZDNet Asia
Wednesday, February 23, 2005 03:55 PM

Firewall features already available for IPv4 will be added for the IPv6 protocol in Linux, but not until later in the year.

Version 2.6.12 of the Linux kernel is likely to include packet filtering that will work with IPv6, the latest version of the Internet Protocol.

Netfilter/iptables, the firewall engine that is part of the Linux kernel, already allows stateless packet filtering for versions 4 and 6 of the Internet Protocol, but only allows stateful packet filtering for IPv4. Stateful packet filtering is the more secure method, since it analyses whole streams of packets, rather than only checking the headers of individual packets -- as is done in stateless packet filtering.
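The difference described above, as an added example (not from the article and not Netfilter code): a simplified Python model in which a header-only rule and a flow-tracking filter judge the same two inbound IPv6 packets. The addresses, ports, and all class and function names are constructed for illustration, and the tracker ignores timeouts and the full TCP state machine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # IPv6 source address
    sport: int  # TCP source port
    dst: str    # IPv6 destination address
    dport: int  # TCP destination port
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK

def stateless_allows(pkt: Packet) -> bool:
    """Header-only rule: accept inbound TCP from port 80 unless it is a bare SYN."""
    return pkt.sport == 80 and pkt.flags != "S"

class StatefulFilter:
    """Simplified connection tracking: remember flows opened from the inside."""
    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, pkt: Packet) -> None:
        # An outbound SYN creates a tracked flow keyed by its 4-tuple.
        if pkt.flags == "S":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_inbound(self, pkt: Packet) -> bool:
        # Accept only packets that are the reverse direction of a tracked flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

# Constructed sample traffic using the 2001:db8::/32 documentation prefix.
HOST = "2001:db8:1::10"
SYN_OUT = Packet(HOST, 40000, "2001:db8:2::80", 80, "S")
REPLY = Packet("2001:db8:2::80", 80, HOST, 40000, "SA")
UNSOLICITED = Packet("2001:db8:3::66", 80, HOST, 22, "A")

def compare() -> dict:
    """Return {label: (stateless verdict, stateful verdict)} for inbound packets."""
    fw = StatefulFilter()
    fw.outbound(SYN_OUT)
    inbound = {"reply": REPLY, "unsolicited": UNSOLICITED}
    return {name: (stateless_allows(p), fw.allows_inbound(p))
            for name, p in inbound.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The unsolicited packet passes the header-only rule but is rejected by the tracker, because no outbound flow matches it.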

Harald Welte, a developer on the Netfilter project and maintainer of the packet filter subsystem in the Linux kernel, said last week that a considerable amount of work went into adding IPv6 functionality, as parts of the code needed to be rewritten to create a plug-in architecture which would allow the packet filter to work with either IPv4 or IPv6.

This plug-in architecture also means that developers can write plug-ins for older network protocols such as IPX, the protocol used by old versions of the Novell NetWare operating system, and DECnet, the Digital Equipment Corporation's network protocol.

The IPv6 packet filter will not be available in the next stable release of the Linux kernel, 2.6.11, but is expected to be available in the subsequent version of the kernel, said Welte.

"The kernel development team are still stabilising 2.6.11," said Welte. "Nobody would accept a big patch like this when they are stabilising the release. As soon as 2.6.11 is out we will submit the IPv6 packet filter."

Before being accepted into the Linux kernel, the packet filter must be accepted by David Miller, the maintainer of the IP networking layer, who will then pass it on to Linux founder Linus Torvalds, who is the lead maintainer of the Linux development kernel.

The 2.6.12 kernel is likely to be available in May or June, although it is difficult to anticipate the timing, according to Welte.

"The kernel release schedule is like the stock market -- you can never tell when things will happen," said Welte.

The IPv6 packet filter, known as nf_conntrack, is available for testing from the Netfilter Web site.

