About the netfilter/iptables project

The initial author of and head behind netfilter/iptables was Paul "Rusty" Russell. Later he was joined by other people, who together build the Netfilter core team and maintain the netfilter/iptables project as a joint effort. Harald Welte was the former leader until 2007. The current head of the netfilter core team is Patrick McHardy.

But netfilter/iptables wouldn't be what it is today if it wasn't for the numerous contributions by independent software developers, whom we call contributors. We used to keep a scoreboard as a reward for people who helped us a lot - but lately it became too much effort to maintain this scoreboard. It has thus been deactivated until further notice.

If you are interested in more information, there is also a small page about the history of the netfilter project.

There are numerous people contributing to the project. In the early develpoment period we used to keep a scoreboard and list the contributions of every single developer. However, the scoreboard is closed now.

Web site layout and logo design by Shane Chen. The current Webmaster is Harald Welte, who also did the XML/XSLT Docbook-website conversion of the page.

The listmaster takes care of the moderation and administration of our mailinglists.

The current Listmaster is Travis Taylor.

The faqmaster takes care of the FAQ collection.

The current faqmaster is Tarek W. Said.

Early in the development, a few people contributed some code, but none of them had become long term contributors. After considering the problem, Rusty decided to try keeping a scoreboard of people who contributed patches and bug reports. It was this process of quantizing the contributions which brought to attention the quantity and quality of work coming out of the passionate French Canadian Marc Boucher, and Rusty decided that it was time to start a Core Team, of which Marc would become the second member.

The core team was actually started shortly after Rusty, while on a trip to SF in November 1999, made a detour to Montreal (despite the lack of warm clothing) to meet and discuss some big design issues.. Rusty and Marc spent a whole night in Marc's office conceiving the multiple tables framework which lead to the death of ipnatctl (a separate tool used to control nat in early versions of netfilter), generalization of iptables and birth of the iptable_{filter,nat,mangle} modules.

After all this was mightily implemented (and ip_conntrack rewritten) by Rusty, we started getting some nice contributions from a certain James Morris (a netlink and userspace queuing freak, living down under like Rusty).

In the spring of 2000 Marc traveled to Australia to attend a few conferences and spend some time in Canberra working with Rusty at Linuxcare on netfilter/iptables (fixing various bugs, implementing additional modules and merging everything into the official Linux tree).

At the Sydney Linux Expo we met James Morris in person, and his amazing coolness convinced us to invite him to become the third Netfilter slave core team member around the beginning of June.

Following James' assimilation into the collective, our efforts were mainly directed towards preparations for the release of Netfilter as part of the upcoming 2.4 kernel. It was the dawn of the third age of Linux firewalling; a time of great struggle and heroic deeds. It was our last, best hope for peace. Great communities were founded, old civilizations were lost, and new alliances were formed. James' missions during this period included the continued perversion of the networking code, such that it was now possible to load an ASN.1 parser into the kernel and inflict grave terror upon unsuspecting SNMP packets; and to extend the IP stack into userspace with Perl. Now peering squarely into the abyss, we noticed the good deeds of a young kernel warrior named Harald Welte, who seemed to actually understand the NAT code.

Accordingly, his distinctiveness was added to the collective. With balance restored, the netfilter juggernaut was now free to accelerate into the brave new world of Linux 2.4 and face it's greatest challenge: users.

Harald's first (code-) contribution to the Netfilter project was the connection tracking module for IRC. Following that he worked on some smaller stuff like TTL match and target modules as well as IPv6 porting. The ULOG target including the ulogd daemon were the next milestone. After getting included in the Netfilter core team in September 2000 he took over lots of the administrative work like doing releases, maintaining SCM, TODO lists, etc. and got involved more and more with fundamental design issues.

At the time of writing, this is mainly the new conntrack/Nat helper framework for multiple related expectations, the upcoming new kernel/userspace interface nfnetlink as well as the whole new userspace world based on libiptables.

At the first netfilter development workshop in November 2001, Jozsef Kadlecsik was invited to join the coreteam as its fifth member. Jozsef is a long-time active netfilter contributor. Among his contributions are: REJECT target, TCP window tracking code, continued development of the newnat API and the raw table.

At the second netfilter development workshop in August 2003, Martin Josefsson was invited to join the coreteam. Martin did a lot of useful work, especially with regard to optimizations on the connection tracking code

At this time, the coreteam also decided to formally elect a Chairman who get's the final call on all decisions. It was further decided that members of the team who do no longer actively contribute code can became emeritus members.

In January 2004, Patrick McHardy was asked to join the coreteam because of his continuing important contributions to the codebase of the netfilter project.

In October 2005, Yasuyuki Kozakai was asked to join the coreteam, especially in regard to his long-standing work on nf_conntrack and his ip6_tables caretaking.

In February 2007, Pablo Neira Ayuso was asked to join the coreteam, especially in regard to ctnetlink and conntrackd.

Netfilter/Iptables is - like all of the Linux kernel - free software (sometimes referred to as Open Source), distributed under either the terms of GNU GPLv2 only or any later version.

For further information, please see the Licensing section of this homepage.

The Netfilter Core Team has a PGP key that we use to sign all software released by the project. Current PGP key id is 0x2D0987E6, this key was generated on March 28, 2007 and will be valid until March 27, 2011.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQGiBEYKje4RBACE7W54AP4nQO5IDunSfcAvo7T8s2eExHV49mZAvCJkzHPeayTt
ed4QgOwWIrIUTUIZFTl8AU/s1kVT7QcJBfBmK/qQbCvpWezyq4Ew+46jl/TaY6zs
6PSCzQHuiUTLsH/xbs5FJ9lY0Be+010PSWD40wN4DTBTeKPXIovUTsOjkwCgxRlf
Fcv0rgVsXWjjpmwCI//oX5MD/i8os+tuUQ4Kr+v7OcCb8qDSNtNdeWGauHP0MNhU
f85PVlvPMJNEZzl1X0cUzomjnYPa3alnwjsvf5SKB5ppfcygDxZGzMzI2d63XBrZ
qfOmPfvSlLrRYVx/rTp8L0KN1NpEtdu2wyfMqIRkleH5qGw012jNpPINmtI1ZcSJ
hmbuA/9XBTME6czHZPDT311Wrd+z/4XQ5r1JHMgAMOYHYdnrB51q2MXRtTE8CxHY
JFlA7YEoMz3PGe+cgpTH3v+Ze5VZRSgHlaH8dCr5VpOQJraOI/P008c91BPzQKo7
6loWx7Iv/xb2ygaOEcq4eaGPTogsfT5BZX+HH6MTd66GZ2ljPrQsTmV0ZmlsdGVy
IENvcmUgVGVhbSA8Y29yZXRlYW1AbmV0ZmlsdGVyLm9yZz6IZgQTEQIAJgUCRgqN
7gIbAwUJB4TOAAYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEEGH+GUtCYfmIuEA
nipH7Ff4iSaVaqsaNrTmrzLP/IWoAKCqzDe/2mNKAHG4upI+NXAibsW1Y7kCDQRG
Co37EAgAiTVPzaAnZxyRG5VRqpw0ietSlc6HGWat1pjVDj8f4cYGMVw/m/tOssT5
W/XY8sVbne5HFSCmkCJA4yG7qKiz16YzMK0JtqyAUwFnBPRA+yALGtkckOeS1KKT
mgV0NtUXT2WNqqaq8NlR16IdZvgFBTWAZ86OCk62I9PqxI2yNPsqmoK/mb89G8P2
FgY+Ij3nZ/IAct+eW06WL847gYzzT4reWMJSoJZyybdiVv1JxOsD4CXYHMz3ktQy
D8jKjd5NLVi96FASuXz8J/3d2AkaBTDc44FNaUjRrKjS2bBiuR0Oo9xXjBj6r0Dr
ICpP2FQc2NpR4K5gNE37hqI6HhKw4wADBQf/fe68GNVU9sPRxdqr6jfGrzQYN+hU
prDn9stXNNX8I/tqbnz4J66KbF6LQNHr8WVALmv5dtxJLMPxyLv/Ix3dC86tKKRg
YkjuqNuVuxm77Qd+hUdDfINHi85+/WzoxJFL0f1q6Gy+1GBLPPbAqtCUoNjiPyhI
htgHrCE4vXxOZGF5f+/6e02BpD3scpzg9aCIhl4CHDwAoHPumJ/JN5sdYO061yzM
93qmTUjUVJfFn52iqpjMJPe+oaN8sVhqMvHOqXeKl3HOEanX7xXrm88X0zxegMTX
0xRkSC8xnRIJzH5Y35Jst+djFXscpx1ZRqYvhthhQyAYVFHOiO0pXv6D1IhPBBgR
AgAPBQJGCo37AhsMBQkHhM4AAAoJEEGH+GUtCYfmlnUAnjI/hpE8LVoLnB0dg/fT
80sch2V9AJwOGkT3LRfkM5Uv5D8eYemYP6ATTw==
=TGkH
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the key.

In accordance with good key management practices, we have also generated a revocation certificate for the old PGP key. The revocation certificate for PGP key id 0xCA9A8D5B has also been sent to the public PGP key servers.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: A revocation certificate should follow

iFQEIBECABQFAkYKjNQNHQFrZXkgZXhwaXJlZAAKCRA1+onMypqNW9QtAJsExzcu
dHEtq73/iwFs8obMYRQFxQCgvU4+E3fzAhMYjdcFxH8C+xTwj2M=
=aDIy
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the revocation certificate.

We want to thank all our vivid contributors. Without their general help, suggestions, bug reports, comments and actual code contributions, Netfilter wouldn't be what it is.

We thank Linus Torvalds for starting the development of the Linux kernel.

We thank the Linux networking gods (Alexey Kuznetsov, David Miller, Andi Kleen, et al.) for providing Linux with its great network stack.

We thank the founding fathers of the Internet. Who would need firewalls if there was no Internet ;-)

We also thank the companies and individuals who contributed funding or equipment for netfilter/iptables development: