netfilter project logo
home | download | git | lists | bugzilla | workshop | patchwork | wiki
About
Coreteam
History
License
Thanks
PGP key
Projects
iptables
nftables
libnftnl
libnfnetlink
libnetfilter_acct
libnetfilter_log
libnetfilter_queue
libnetfilter_conntrack
libnetfilter_cttimeout
libnetfilter_cthelper
conntrack-tools
libmnl
nfacct
ipset
ulogd
xtables-addons
News
iptables 1.8.11 released
nftables 1.1.1 released
libnftnl 1.2.8 released
libnetfilter_conntrack 1.1.0 released
nftables 1.1.0 released
libnftnl 1.2.7 released
Arturo Borrero enters emeritus
Eric Leblond enters emeritus
nftables 1.0.9 released
iptables 1.8.10 released
conntrack-tools 1.4.8 released
nftables 1.0.8 released
libnftnl 1.2.6 released
nftables 1.0.7 released
libnftnl 1.2.5 released
iptables 1.8.9 released
nftables 1.0.6 released
libnftnl 1.2.4 released
ulogd 2.0.8 released
conntrack-tools 1.4.7 released
nftables 1.0.5 released
libnftnl 1.2.3 released
nftables 1.0.4 released
libnftnl 1.2.2 released
nftables 1.0.3 released
iptables 1.8.8 released
libnetfilter_cttimeout 1.0.1 released
libnetfilter_cthelper 1.0.1 released
libmnl 1.0.5 released
libnfnetlink 1.0.2 released
nftables 1.0.2 released
libnetfilter_conntrack 1.0.9 released
settlement with Patrick McHardy
Documentation
Mailing Lists
List Rules
netfilter-announce list
netfilter list
netfilter-devel list
Contact
Licensing
GPL licensing terms
GPL compliance FAQ
Supporting netfilter

About the netfilter/iptables project

Who's behind netfilter?

The initial author of and head behind netfilter/iptables was Paul "Rusty" Russell. Later he was joined by other people, who together build the Netfilter core team and maintain the netfilter/iptables project as a joint effort.

But netfilter/iptables wouldn't be what it is today if it wasn't for the numerous contributions by independent software developers, whom we call contributors. We used to keep a scoreboard as a reward for people who helped us a lot - but lately it became too much effort to maintain this scoreboard. It has thus been deactivated until further notice.

If you are interested in more information, there is also a small page about the history of the netfilter project.

The netfilter core team

What Is the Core Team?

The Netfilter Core Team are the people who make the decisions, have commit access to the master Source Control Management (SCM) tree, and do Official Sounding Stuff. To be on the core team implies excellent judgement and some dedication; after all, anyone in the core can do releases. The core team elects one of it's members to be the Head of the netfilter core team. Members of the core team who are no longer actively developing code are called emeritus members of the core team.

Members of the Core Team

Active Members

Emeritus Members

How Do I Get on the Core Team?

To get on the core team is fairly simple. Impress us so someone proposes you and no one vetoes. Suggested methods include:

  • Submit enough great patches over a long time.
  • Read the three HOWTOs, and submit extensions or corrections.
  • Keep your Emails short and to the point. Don't flame; inform.
  • Look at what's happening in GIT, the netfilter-devel and the netdev list (at vger.kernel.org).
  • Implement what's on the projects TODO list.
  • Show an ongoing interest in supporting netfilter/iptables, not only in one specific area of interest, but as a whole.

What Are the Perks of the Core Team?

So far, there are two:

  • If you're ever in Australia, you get a free beer (or alternative beverage) on Rusty. Harald now also offers this for Germany. So it does Pablo in Sevilla, Spain ;)
  • You may get to meet some very cool people in associated projects (most of all other Linux kernel hackers). Of course, you may not.

Webmaster

Web site layout and logo design by Daniel García. The current Webmaster is Pablo Neira Ayuso. Harald Welte, the former webmaster, made the XML/XSLT Docbook-website conversion of the page.

Project history

The netfilter project was founded by Paul "Rusty" Russell to re-design and to heavily improve the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

Early in the development, a few people contributed some code, but none of them had become long term contributors. After considering the problem, Rusty decided to try keeping a scoreboard of people who contributed patches and bug reports. It was this process of quantizing the contributions which brought to attention the quantity and quality of work coming out of the passionate French Canadian Marc Boucher, and Rusty decided that it was time to start a Core Team, of which Marc would become the second member.

The core team was actually started shortly after Rusty, while on a trip to SF in November 1999, made a detour to Montreal (despite the lack of warm clothing) to meet and discuss some big design issues.. Rusty and Marc spent a whole night in Marc's office conceiving the multiple tables framework which lead to the death of ipnatctl (a separate tool used to control nat in early versions of netfilter), generalization of iptables and birth of the iptable_{filter,nat,mangle} modules.

After all this was mightily implemented (and ip_conntrack rewritten) by Rusty, we started getting some nice contributions from a certain James Morris (a netlink and userspace queuing freak, living down under like Rusty).

In the spring of 2000 Marc traveled to Australia to attend a few conferences and spend some time in Canberra working with Rusty at Linuxcare on netfilter/iptables (fixing various bugs, implementing additional modules and merging everything into the official Linux tree).

At the Sydney Linux Expo we met James Morris in person, and his amazing coolness convinced us to invite him to become the third Netfilter slave core team member around the beginning of June.

Following James' assimilation into the collective, our efforts were mainly directed towards preparations for the release of Netfilter as part of the upcoming 2.4 kernel. It was the dawn of the third age of Linux firewalling; a time of great struggle and heroic deeds. It was our last, best hope for peace. Great communities were founded, old civilizations were lost, and new alliances were formed. James' missions during this period included the continued perversion of the networking code, such that it was now possible to load an ASN.1 parser into the kernel and inflict grave terror upon unsuspecting SNMP packets; and to extend the IP stack into userspace with Perl. Now peering squarely into the abyss, we noticed the good deeds of a young kernel warrior named Harald Welte, who seemed to actually understand the NAT code.

Accordingly, his distinctiveness was added to the collective. With balance restored, the netfilter juggernaut was now free to accelerate into the brave new world of Linux 2.4 and face it's greatest challenge: users.

Harald's first (code-) contribution to the Netfilter project was the connection tracking module for IRC. Following that he worked on some smaller stuff like TTL match and target modules as well as IPv6 porting. The ULOG target including the ulogd daemon were the next milestone. After getting included in the Netfilter core team in September 2000 he took over lots of the administrative work like doing releases, maintaining SCM, TODO lists, etc. and got involved more and more with fundamental design issues.

At the time of writing, this is mainly the new conntrack/Nat helper framework for multiple related expectations, the upcoming new kernel/userspace interface nfnetlink as well as the whole new userspace world based on libiptables.

At the first netfilter development workshop in November 2001, Jozsef Kadlecsik was invited to join the coreteam as its fifth member. Jozsef is a long-time active netfilter contributor. Among his contributions are: REJECT target, TCP window tracking code, continued development of the newnat API and the raw table.

At the second netfilter development workshop in August 2003, Martin Josefsson was invited to join the coreteam. Martin did a lot of useful work, especially with regard to optimizations on the connection tracking code

At this time, the coreteam also decided to formally elect a Chairman who get's the final call on all decisions. It was further decided that members of the team who do no longer actively contribute code can became emeritus members.

In January 2004, Patrick McHardy was asked to join the coreteam because of his continuing important contributions to the codebase of the netfilter project. Unfortunately, Patrick was suspended in June 2016 for not subscribing The Principles of Community-Oriented GPL Enforcement.

In October 2005, Yasuyuki Kozakai was asked to join the coreteam, especially in regard to his long-standing work on nf_conntrack and his ip6_tables caretaking.

In February 2007, Pablo Neira Ayuso was asked to join the coreteam, especially in regard to ctnetlink and conntrackd.

In October 2012, Eric Leblond and Florian Westphal joined the coreteam for their longstanding contributions and fellow hackers Harald Welte, Martin Josefsson and Yasuyuki Kozakai entered Emeritus officially. Arturo Borrero became coreteam member in July 2017 for his outstanding contributions to nf_tables and the conntrack-tools.

During the Netfilter Workshop 2013 in Copenhagen, Denmark, Pablo Neira Ayuso officially became the head of the coreteam, although he has been serving already as co-maintainer since 2011.

License terms of the netfilter/iptables software

Netfilter/Iptables is - like all of the Linux kernel - free software (sometimes referred to as Open Source), distributed under either the terms of GNU GPLv2 only or any later version.

For further information, please see the Licensing and the GPL compliance FAQ sections of this homepage.

Netfilter project PGP key

The Netfilter Core Team has a PGP key that we use to sign all software released by the project. Current PGP key id is 0xD70D1A666ACF2B21, this key was generated on October 13th, 2024 and will be valid until October 12th, 2028. 

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGcLlIQBEADH+pWx2d5XgY2JCOHTVaOpbNlNfp1k9Ul0W5zaZ7EFHIGSj06E
o3+OM0eI6+d51PnqwRE+WbV4T3ooGnfgXN4fmKgq2TwkxlhKeFSzNGMuzzuoEwD+
2cvSF9VIrwif1o9oa9KMNfKTY/qjuWZS0QWZ08thPAf/tWpoaA3gaqYQUshj5G3w
nTMdYlHUj7wkZCMg63tDygAe/7fDT3zurKCMbFoyiyQkp7V1SLxZpvuyuyPH6HtQ
P5xcbXsp5ots0BgN+BplMX89DrspxJXqi7AsTf4QnC78KbchMJJxLKZQS759dQHF
qHUTb3YdlxXFou6Si5LiBzvmqBRFj6m/WV1a8mDy5fPDkOLoTCUFHLmgvYHPJdtK
5EqNkwYAbSnZKe9aSeVa4XhaZqyyQb9vIsKyOnwdJ/l222J95qHQapZSLcRdqgQz
ZgxuEdOHacEaJ1IJ21CE8EtJfFA5DMZtkZNIGF3OFlXhw7YxJoPgsodtlVspQsfX
u2FGP9yg0fd4zLgHnotKqfJQ9ZjMB6bbJUd6Au9jv0SiM+kVGeVfyaaX7TDeQ3TT
/e44uFvkHkbYFQPcqsTalxtre6v7pMG2iu2mbkhQOC7qbL5MKMSdA93w/lF7w20b
cwyDavEoKk9vgDjSkVjaffvdy4cESa5JY4lM4ZmzoujnAZMwbzQeGcBtqQARAQAB
tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
VAQTAQoAPhYhBIxfcUahdXpl4kIqlNcNGmZqzyshBQJnC5SEAhsDBQkHhM4ABQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENcNGmZqzyshRE4P/AknD3DAWuCT7x7L
LFIUCkfl7WUou9zMQKy62JRK/+/lNyG1dkmvBu7XWLl/+IRv1uIb25I4xwaze6GF
8yhZDNXZLhUjComr864fMEdKNdXInAClLRNY0InkFmHw/SizvwDld4PgsLzoS+qL
5JY4FBlYEnd4wlIwH/w3gPycmdmQNVOjeWJhDrYKGLnjolpGRQPYRME4kjasWPbK
AWG/lpINQEB1DgtK8e6kcbUA8wSU6MMEsJjPY0o7lr9NvPfRpPXq34LjoFUXk3Hi
Bt8OuVVMo+wTmlZWkXdknFKS4IPVxUA53oJOVMFW8divmF/l676KBogSnczoX4vR
VW8sgDEKqb0NicKWJ2Fou+/KueY5OXsO8aZrZtXOsXIAMberdrNDYhyTUSYF8mZF
RdL6Jcm5GbQB/zOQElgzMwPQq5AD7SkziMzGOusWjqGmu9qphed/FimVbyRhMl5B
uDvGHthhy1KlPkqVcddN6i3/Kd/AMqXAuWMZH9FXJkUUWe+VAyeNHfEuBtSK2rqE
zf8TYGg5Gz+oNspWuqEyWUwoH7eQkRx2GIbwu2rwcIzrh8L0rsyu+6FNNHnQfnNq
ytbE888dxKkXeJ5T09Pp/hPwkNM8X8ZLcTTsAknrvqLNp2As49dP6iJwysfYLf/v
3Cyvz23JNeSQiTcC4YfKLs4LtCFkiQIzBBABCgAdFiEEN9lkrMBJgcdVAPub1V2X
iooUIOQFAmcLlJ0ACgkQ1V2XiooUIOQGJRAAsz/jYoNkSAhzvrY1t/5kSaa3Hyqi
wpaJNIb6YCNT9JFlEvfsIlikjK28I+LNqVrWoLZyX1np8h0AGfNUPo/rLzVXzqZ/
UHZi5AjzXM6BVnR84LahFVVLISBtjt3DvY4xvl8cIh03ShJe/yAKIXZUbxXevtnj
M0/5bLaLjlVf3KldR+gFjUaTT1nxfkQnzxbk2yKe+1tuQzFsYPLG9Elzyagb4QYm
97CTxim3QcO0qWweoeusBqCkh7qD/ght76JrSnzq859XS//2jaq3A5ZsX5UJk5/E
FkzL4zersQZwQE10BByBBJbxC8DzMuGeV+eTVVHKU81cEnzZFxfyOtQBD+oHBauW
IC/v509TiH4qhZshJwcznsDZK1xAxxm3mryVtHbfSDSqzc5r/kNQt9mijD6wdsRb
0yQy1P2xkk1zyvOw3BRI2NVXq6+642cp21tjsY136JT/3a6KwIlIIdzIUqejbLoF
GgGZPJiQXthfmLpDgvduD6YgaSHyhtJesX3SIGvYBdCGT69blrB7lHazYRE/xKNu
bhnVzsaWlOXg52ChAMzsAAi5DV1669xUqRgj7zJHUq72bItZWdAvDSTIrQB4z7u8
QW+XZsveWM2sKjzpLZjQaxdS7dFvGepYY5liA01w7Bx2lU75ejgaWrm/hlaT//RD
Al9IQzw14mOtm0e5Ag0EZwuUhAEQANmO+fv67llu3nOZh9mcTbKa0MTT6cNjpEVU
3MDImbN7pKTc/P+s6TVYBYn1q1U0XTXQlfh2HGdrLebAOdWW0Wcz4Kj9oOlRHOAR
yq3mRzb9hiCB89mJcw5xNIn83d5L/IJqONSaVLKnTwfwnTVaCJYuF5yIqDMOSXgS
C3sbGLx/yEchAhQEWUG8nm9WTybFfq98mFrHEKRGsSgfCHq6KMNn9NuhW149ZK+K
klPXZqFyDoRHdyivt9j9hfA0lr4t6sfXEfJedzjNO2f0Z8r2sQhmw3ykYDkzEF8I
zkgiik1Ke4+TmpD/4uL/hfgbkoVxZV6gI3M9rqs5o1glAuSFjsrGyog1EkUXplST
Qn4ea/vQ6t1iBkTb2r3qzhK+VL7GWlvZa9DGq8btNAiOjKKqa0+3zRTXyPJAdMQM
X+FBAhmaHJoylArEHdzv5haB7rv0aGjKV4O1ifonSGE2pllmSDbTO3exIeslLgDh
5GqVmQW30K5JvecKnb871c0utzRLHBF34HOYgRWBcl18DGD+SzXKj1//+4AatcAB
woNJHTEh6N3/mD3fJyWkyMwLJzo1x43Pmm1DkzioO9VMSxG7ReaH9WRDty3R83gT
njEI0CDkG7m0nXctrsDcmBCYMSnvriWVr7kNYQ9tSi9WUa8Cs0xCmy49fF+7ihIl
yANR2aMrABEBAAGJAjwEGAEKACYWIQSMX3FGoXV6ZeJCKpTXDRpmas8rIQUCZwuU
hAIbDAUJB4TOAAAKCRDXDRpmas8rIZPuD/4qYhAdmCtaicOjeuMI0EhKA0O0cnXv
BRwKXKGISZ6bt/f5fify78NQ4VdQzcpsRk1VvaEHRF5H+qxCQJ8MdzKcYpolCphj
ir1gE+zNP7gtzH4HOBzz3/q6GK5HmqwWth3X35ySrgrhnUZZX+plm9gRIRIqmijh
hdDp/3/2FcskQzr9UvIQDB14TbbSVAsDx5cQUM5F1nS1AAJNSrebuEcBeeM0N1HP
tqWmcJuAHtTlk+K5yk02cgbP9926vlty1uI46UyI4t/xOxmIY6gXlcSMbBnVmB0s
E+sKJTE7QrDpRRNiseCNLZcr/TNp9lrFpaUXz/JwXc+c1VC8UmARk9NLHsfoGz5H
fvhiUwl96wtvu1YKIev9nfVp1bb3/XeNAVJd+hNxOlkv68s3feutvv7vQR14E8cv
CVTXK7aAZKkWJl2n8pPohsXs5vwrsG36oFSH98jehLtzLrpgtWj6N7U8SWhI9JlT
EaIpEL/C1foVJeSZs8Tq1sqYaw81lovDFk8wuS1eFhWeEVodJQsfCPBgsQGZ46oZ
gWz3AU3KrB4ruNxjkJJxfgKu39pHDrv3o5ZufAHoIAHRdPTPlcH1Wi/1LLgLqHVC
9+i7N1ClsO1/VgtYmZwzxWxsEJOcE2+vOROoVzgMh5lGhCLh6/3VTL96hIjcMp4W
oD8ElPP+m/v6iA==
=70vD
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the key.

In accordance with good key management practices, we have also generated a revocation certificates for our old PGP keys. The revocation certificate for our old PGP key id 0xCA9A8D5B, 0x2D0987E6, 0xBB5F58CC, 0x26D292E4 and 0xD55D978A8A1420E4 have also been sent to the public PGP key servers. 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate

iQI2BCABCgAgFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmcLlcQCHQEACgkQ1V2X
iooUIOQz4g/+OQPIFeLW/XP+ARKPV4nqjM7n3H0dEoQZApQdBFBOE1ElugAsi6Ld
QVwhIVdH3XewVZLWiR8fdSme8YD/bBJiucs8bls5OilEYGCbpdH3LMtQpOt6FRUM
/Y9BpJQE/4OwOuLDuzvIIodp9JfSuQJa0gSk7KHeY4zT9eEljX8toVO1ovc9BWFy
R/4Np1WpGGQni0ksZ+FBcGXxnGRbZvTryDnUYhe5ghah6xX91sRZ2fmsIqW1TG1G
YcSydkwE5HVMdLZwkBUo7Dn2g9CWsUr2UMweoBTv+lpL/lVN4URU7vUmYFLK/44D
FAOP/Jt8vyLQpIW440M8j7kbVmQY5+Bd+483h9lhK7+1PgDSkiCflvyXI0l4QwE1
4UsAxk7TWF1DLHjqDZ3n+bzUTtbr83jKvJ4ZGZuMybeybr3CrSRE3yFj7Ldshrtl
Glz3S9Dw16/tHgJhCshDUGxhWe1Q2+sCbwMYBIEmEz2Q4zJDjrorIsR1d+WGu3vD
EqRaeagg8WzO6sfEK0DQG1LdJj3MUDxrdAjPgYOdWl2dRoCD+Ji6/gEJy/ZLgG9g
6dGgPfcDDu49BUjaNSEJThAw+qU2JKK16k7bnzSDGqr3oTLjjYhkXPEVb6FUaB6a
fc8dLsS6JfajB0Al9fNJ8QCt+MaeDDqCPVq+lNZmFAHm4HVkDityAHA=
=Ralf
-----END PGP PUBLIC KEY BLOCK-----

You can also get a plain text file with the revocation certificate.

Thanks

We want to thank all our vivid contributors. Without their general help, suggestions, bug reports, comments and actual code contributions, Netfilter wouldn't be what it is.

We thank Linus Torvalds for starting the development of the Linux kernel.

We thank the Linux networking gods (Alexey Kuznetsov, David Miller, Andi Kleen, et al.) for providing Linux with its great network stack.

We thank the founding fathers of the Internet. Who would need firewalls if there was no Internet ;-)

We also thank the companies and individuals who contributed funding or equipment for netfilter/iptables development:

  • Watchguard Inc. for sponsoring Rusty initially
  • Linuxcare Inc. for sponsoring Rusty later on
  • Conectiva Inc. for sponsoring Harald from March to September 2001
    • for sponsoring Harald starting with February 2002
    • for sponsoring the netfilter developer workshop 2003, 2004, 2005 and 2007
    • for sponsoring work on netfilter failover
    • for providing the project with a dual Opteron test system
    • for sponsoring Patrick starting with January 2006
    • for sponsoring Pablo starting with April 2012
    • ... and generally providing support to the project where possible
  • Marion Bates, Chris Brenton, and William Stearns for donating two gigabit NICs to the netfilter coreteam
  • for hosting the netfilter project SCM/www/ftp/mailinglist server and sponsoring the traffic (about 110GB per month) until 2012.
  • for sponsoring nftables development (from March to April 2014).
  • Theo Zourzouvillys for sponsoring the iptables.org domain registration fee
  • Gert Hansen for sponsoring vishnu.netfilter.org, the main netfilter.org server (Dual G5 XServe)
  • The USAGI Project for working on nf_conntrack, despite we turned down their initial ip6_conntrack
  • Pablo Neira for organizing the Netfilter Workshop 2005.
  • Jesper D. Brouer for organizing the Netfilter Workshop 2013.
  • Balabit for sponsoring the netfilter workshops 2005, 2008 and 2010.
  • INL for sponsoring the netfilter workshops 2005, 2008 and 2010 and organzing the 2008 workshop.
  • ComX for sponsoring the netfilter workshops 2007, 2008 and 2010.
  • Cyberoam for sponsoring the netfilter workshops 2007, 2008 and 2011.
  • Intra2net for sponsoring the netfilter workshops 2010, 2011 and 2012.
  • All the other workshop sponsors, which are mentioned on the individual Workshop Pages.

Copyright © 1999-2024 The Netfilter webmasters . Contact webmaster