About the netfilter/iptables project

The initial author of and head behind netfilter/iptables was Paul "Rusty" Russell. Later he was joined by other people, who together build the Netfilter core team and maintain the netfilter/iptables project as a joint effort. Harald Welte was the former leader until 2007. The current head of the netfilter core team is Patrick McHardy.

But netfilter/iptables wouldn't be what it is today if it wasn't for the numerous contributions by independent software developers, whom we call contributors. We used to keep a scoreboard as a reward for people who helped us a lot - but lately it became too much effort to maintain this scoreboard. It has thus been deactivated until further notice.

If you are interested in more information, there is also a small page about the history of the netfilter project.

There are numerous people contributing to the project. In the early develpoment period we used to keep a scoreboard and list the contributions of every single developer. However, the scoreboard is closed now.

Web site layout and logo design by Shane Chen. The current Webmaster is Harald Welte, who also did the XML/XSLT Docbook-website conversion of the page.

The listmaster takes care of the moderation and administration of our mailinglists.

The current Listmaster is Travis Taylor.

The faqmaster takes care of the FAQ collection.

The current faqmaster is Tarek W. Said.

Early in the development, a few people contributed some code, but none of them had become long term contributors. After considering the problem, Rusty decided to try keeping a scoreboard of people who contributed patches and bug reports. It was this process of quantizing the contributions which brought to attention the quantity and quality of work coming out of the passionate French Canadian Marc Boucher, and Rusty decided that it was time to start a Core Team, of which Marc would become the second member.

The core team was actually started shortly after Rusty, while on a trip to SF in November 1999, made a detour to Montreal (despite the lack of warm clothing) to meet and discuss some big design issues.. Rusty and Marc spent a whole night in Marc's office conceiving the multiple tables framework which lead to the death of ipnatctl (a separate tool used to control nat in early versions of netfilter), generalization of iptables and birth of the iptable_{filter,nat,mangle} modules.

After all this was mightily implemented (and ip_conntrack rewritten) by Rusty, we started getting some nice contributions from a certain James Morris (a netlink and userspace queuing freak, living down under like Rusty).

In the spring of 2000 Marc traveled to Australia to attend a few conferences and spend some time in Canberra working with Rusty at Linuxcare on netfilter/iptables (fixing various bugs, implementing additional modules and merging everything into the official Linux tree).

At the Sydney Linux Expo we met James Morris in person, and his amazing coolness convinced us to invite him to become the third Netfilter slave core team member around the beginning of June.

Following James' assimilation into the collective, our efforts were mainly directed towards preparations for the release of Netfilter as part of the upcoming 2.4 kernel. It was the dawn of the third age of Linux firewalling; a time of great struggle and heroic deeds. It was our last, best hope for peace. Great communities were founded, old civilizations were lost, and new alliances were formed. James' missions during this period included the continued perversion of the networking code, such that it was now possible to load an ASN.1 parser into the kernel and inflict grave terror upon unsuspecting SNMP packets; and to extend the IP stack into userspace with Perl. Now peering squarely into the abyss, we noticed the good deeds of a young kernel warrior named Harald Welte, who seemed to actually understand the NAT code.

Accordingly, his distinctiveness was added to the collective. With balance restored, the netfilter juggernaut was now free to accelerate into the brave new world of Linux 2.4 and face it's greatest challenge: users.

Harald's first (code-) contribution to the Netfilter project was the connection tracking module for IRC. Following that he worked on some smaller stuff like TTL match and target modules as well as IPv6 porting. The ULOG target including the ulogd daemon were the next milestone. After getting included in the Netfilter core team in September 2000 he took over lots of the administrative work like doing releases, maintaining SCM, TODO lists, etc. and got involved more and more with fundamental design issues.

At the time of writing, this is mainly the new conntrack/Nat helper framework for multiple related expectations, the upcoming new kernel/userspace interface nfnetlink as well as the whole new userspace world based on libiptables.

At the first netfilter development workshop in November 2001, Jozsef Kadlecsik was invited to join the coreteam as its fifth member. Jozsef is a long-time active netfilter contributor. Among his contributions are: REJECT target, TCP window tracking code, continued development of the newnat API and the raw table.

At the second netfilter development workshop in August 2003, Martin Josefsson was invited to join the coreteam. Martin did a lot of useful work, especially with regard to optimizations on the connection tracking code

At this time, the coreteam also decided to formally elect a Chairman who get's the final call on all decisions. It was further decided that members of the team who do no longer actively contribute code can became emeritus members.

In January 2004, Patrick McHardy was asked to join the coreteam because of his continuing important contributions to the codebase of the netfilter project.

In October 2005, Yasuyuki Kozakai was asked to join the coreteam, especially in regard to his long-standing work on nf_conntrack and his ip6_tables caretaking.

In February 2007, Pablo Neira Ayuso was asked to join the coreteam, especially in regard to ctnetlink and conntrackd.

Netfilter/Iptables is - like all of the Linux kernel - free software (sometimes referred to as Open Source), distributed under either the terms of GNU GPLv2 only or any later version.

For further information, please see the Licensing section of this homepage.

The Netfilter Core Team has a PGP key that we use to sign all software released by the project. Current PGP key id is 0xBB5F58CC, this key was generated on October 21th, 2010 and will be valid until October 20th, 2015.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)

mQINBEzAS5EBEADVlGm+KwODJcVmP33HTCbn/eP8obZbgu+3Z1CYRklF8V43vC6D
8Jfk7fjD4/gWbAKZxriOESXVAN7mp0Fho4+Ga+pxWeLIET9tVM5xbNFK1p9R3XCK
p5SrugG+tGhizTR9b/1YCMVRz/yX3aDtC7lwObas4hkr5BqhphjvlkjFE7us32by
43LPpFj2yUpp1VdOf6gxl03kAgJg08h9J7a+n9KHQeAhIpXSRFq3tXiTdXQlovsv
ckwBjO0m8P2d1Z8/UYwXQgXzuO8W8EqaUSR95nDwl7UnilnKJm2fGvNg3A6PfCSk
3KdeEBZ45SRfMTPsuC5C4T0Az75h3HFR6YSae46ymg7d4ZA/Bd5K4hvp4PdYrfCi
GXen7iK9q5XDpopWb0yCrEVJzKjBjDurvpLtAD0IFWcpB6zwM38AnxVH05J8QOx/
VCZ4vZJxTKWbpHbdcISSMmVt00VfKorF9DsjiAcBRMBcIvDpJTP4yjvr32W09wLc
d5CIYGrLKhLNysUIJ44AQoTL9yV5aQvCb2EFnoPqCEKQm8onTAGX19PpTDjDPJFt
WyMMUDtiMp2yODuFo1qHjxvqzSVX+Ti2sGpiT1hEz97GAIlbAvmXs/bTb+U+rBnd
6027ooes3cWmBSV5kpz/sMp+nFynrLZ5NDnehPScz3W31oGgSdrGsnnhaQARAQAB
tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
PgQTAQIAKAUCTMBLkQIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
CgkQpBEfibtfWMzULxAAtGgYeuEqk0F9y4sz6hFJf+fXKSPPrwWTIUXs/sCxlBtS
lgf9oTvk3aT48zsMIfsDsS8yfIUjaK+eedIZW3oJ0lBtwRncZKjks8Od5J7DvEhR
Kpo3cajT1KXJh584IvXN0/BbCdPUI6EQE8n0fEUrSWANfzhuD3qYtX9UUGBq/7i8
Cf3pGFDeYRjcwWeNZ1T+xbaCKPS5BGlOVhMtauaTBZvTJniB828bOZXd3KrXUeul
AicbzZzqU7XcNX2YKw19MTQzuGNZQ3npJUPQiHgyELTh3+YUmRkPaZaZiDNZeQvu
/j8cgSoa26Q48apjghREo0Ues4MwQwEGBbdVkEQQMuC9ASti3OyZBTOqyApc2rpE
VsW2CkqvoQ8jaP51Ua4mjerYkqEqXaVtbPelNFMJXGNXrKdf0xg5Nl/onWnT9S/s
jtR3LtjOQ0apbBiGPROtYKWSQtA55TgYNLLS1+947TvU134Px1FA8Dqi72SBl7Xc
ET4nwISO222wMJBxbY4MYB2TppMysIKXUazIyekbRkpK1woH4AR6NsuJOiVdhjEi
46MkN7tmHI9S9blA98Ih6C9hMz2YgmQEwOQ0qYgVruPdYZSP+M5o+pra9ch+STBk
FbB03L9kqcAAE8wpGSBRYU+KuyVRipnPeqoeR8niO71AiKbsfbL1skTGRafC2Q+I
RgQQEQIABgUCTMBMKAAKCRBdpcZVMPSL/9JZAKCAfvIWVNimXJT07aVS6gYpiX7I
nwCgov7DU5Xo84ReYfaphrwDALsEwfWIRgQQEQIABgUCTMBNyAAKCRBbjaaHD6d0
2asaAJkBVsUSeihHASzntD0+T5PnW1SKlQCgkPYE6YduynCil6lIBmZEk0iaDMaI
RgQQEQIABgUCTMBN8gAKCRBBh/hlLQmH5pxNAKCNGomg6w+J+OkF08UgweQnxq4f
AgCfS/hNLDmcpCflT1cU2imBiFoGzLu5Ag0ETMBLkQEQANNv2Ymm/BVxwqb1vrLq
1scoWK5kmeaRD3ndMBv9F3xwqGnE/JTnHnVoZIzGb8MD+MCe9jfm8Y+NLU0D71Np
DDqRzFZCCjcTmRMYV6QXlsg/ndnSaU1bhG0gSq4N+qZFZ+35yiY5pYv1qZkIqWr4
/vg9mk53CU620bNgNJ1+F19s/eTw1231pJ6K6BsDi7pj4LXGD5wHZPKAmLabFweC
kGbGQo6VwWw1ieNJ0igvzkZtVXuvoeHUmAitCaZT9AIYDl4PHryckIzjgTdhK0PP
92fyHV64Yr3B7G6hWlEwq4wKk9irdgqD20Fuqw8Cvv6k1YucWfdpNbZkUI3siQE+
1HUUuRTcT8yrPcEA5ZM1/U+e8jBT3EArhk69G6LCfwyX2Xd/JGlBmc0Qv0t2YKqj
9Io1G5lBN1q57+vK7ttiIUomwvfD2ltY0bdcEr5LjXOk3Sb+OPIVm7+vr6hDMKdU
pdm5ABZRSUb0RJ37hBT+DKYbnp0t/e3aMXxV9m3jUq8hNdwc8vU1khr9kf+MWPon
E0Vw2kqHIIb4I5W9HkMJf4Vzj9/hVPMIucV+2de/7zqxwa0Jh5VSD7SeKj7LznsA
y9gi/AioYq4AKVTsigfyJlWpjOLeOvv7z4uUfLRQ5OWWfX8BBw8SoPwnWQD4cXHk
rHXVwYR2yy7pEc1CstUN+uqXABEBAAGJAiUEGAECAA8FAkzAS5ECGwwFCQlmAYAA
CgkQpBEfibtfWMyLqw/6A12S4bnLYaikToKc13ywTUsHplbmlLOy2E/5ZMksdfuW
jh9XTMR0nbXWnFULxGKTP00kA0yVpv/jbeDY/qLzY2Yb0rROCQJjuWSLYuNW40+H
mh9TGsDWt7iK3XsONVpV0sRsMOBCwV3k2EsFXu73Fj+1JvQ+WSGluj+N7HFAqPi5
OFk3IFFnIGhScUz22V6meSaOEqiXLySgqh3lv7+XuGzoBjdy7dDm+SnbmK9lO1Iq
PsIm4iDwmTNJBiu1Wrz319kLYA0/Vx+ofmxyViOX1GZShb1mGH0Aeo4jeYmDNLXa
pkoymC3HCIMctYDmuIw6QlgG8i1LRcFhVKMngLjZ17dl/w8gYOdkCsGIUBzvbFBh
xuJnXMnFVyDxft/lorMAimH2kbjDn6qaH0uV8ILfFVe6gnKzanugmaSQjWzby/AR
Phs6OYAXoIUv5MUVDgvTzVmTckWjVa1RkMm3eGmDSqoMxsPmarb80nkoFQMOPhJW
lyaUCt6HHRYuSkIcxY4H4Ni3Oq1s1R9/EqUuIfxNv7Kp0mcsE2KvANc3JfB9wXwL
WqDYRCifLkCD6pbpt9L/+xQ49VzcFxNO9DqTyk4N7cz7OZrAi+ouVrdFuiwnZyn5
YSQoof6Pos58b3bkFn14m9gofwTqGzPhR4Vot9rRu5zrWdoCM4cRThpJyrjqBMs=
=nwmO
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the key.

In accordance with good key management practices, we have also generated a revocation certificates for our old PGP keys. The revocation certificate for PGP key id 0xCA9A8D5B and 0x2D0987E6 have also been sent to the public PGP key servers.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: A revocation certificate should follow

iFQEIBECABQFAk48EUUNHQBrZXkgZXhwaXJlZAAKCRBBh/hlLQmH5veHAJ49osHB
RWWTfrzfvJrcGCxp7T9dSgCeO4NKGCGSl05vFU+I5PAU2xOR538=
=17+S
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the revocation certificate.

We want to thank all our vivid contributors. Without their general help, suggestions, bug reports, comments and actual code contributions, Netfilter wouldn't be what it is.

We thank Linus Torvalds for starting the development of the Linux kernel.

We thank the Linux networking gods (Alexey Kuznetsov, David Miller, Andi Kleen, et al.) for providing Linux with its great network stack.

We thank the founding fathers of the Internet. Who would need firewalls if there was no Internet ;-)

We also thank the companies and individuals who contributed funding or equipment for netfilter/iptables development: