Interview: Pablo Neira Ayuso (Netfilter)

# Hello Pablo, could you introduce yourself for the LSM visitors who do not know you yet?

I have been a member of the Netfilter Core Team since the beginning of last year, and I have contributed to the project for more than four years. For three years I have worked at the University of Seville, in Andalusia in the south of Spain, as an operating systems teacher in the operating systems laboratory (the C programming language, which is unfortunately more and more considered obsolete in engineering study programs...) and in computer security. I have a great time in education. At the same time I have completed my thesis, which is related to the project on high availability for Linux firewall systems.

# How did you come to contribute to the Netfilter project? What are your different missions in the Netfilter core team?

I appreciate free software and its philosophy, which appealed to me from the beginning: the possibility to work with other people to build something that can be useful for the whole community. I think that is my main motivation. On the other hand, another motivation for me was the possibility of unconditional access to technology: free software indeed allows a computer engineer to understand precisely how the system works. Lastly, we can say that the motivations of developers are quite different, not to say very heterogeneous. They are often more trivial (for example, to kill boredom) and then more complex.

And when did I begin to develop? Well, at the time I was a student at the university, and I worked for a small business specialized in the development of Linux-based firewalls, firewalls that we installed on the networks of some businesses and of government offices in Andalusia. This allowed me to better understand the internal workings of Netfilter as well as its tools. I began to make small hacks that I then sent to the mailing list. It was nice to get answers from Harald Welte, Patrick McHardy or Jozsef Kadlecsik... even if very often the hack could not enter the trunk for various reasons... So I began to develop more and more things. For example: the Netfilter interface to the connection tracking system, tools and the userspace library, the string match, etc. And at last I was invited to join the core team... :-)

My tasks in the project are very simple and mainly concern the following areas:
- reviewing contributions from other developers who are not in the core team, mainly on ulogd and conntrack-tools, and on the libnfnetlink and libnetfilter_* libraries;
- stabilizing Netfilter and resolving the problems reported against it (bugs);
- developing, or taking part in the development of, new functionality;
- taking part in discussions on the mailing list and giving my point of view;
- the most boring task, but I really need to do it: maintenance tasks on the website, FTP, bugzilla, ...

# What are your plans for your talk at the 2008 LSM?

I will introduce the problem of high availability in stateful firewalls and detail the current solution that is used in the Netfilter project.

# As I also asked Eric Leblond, are there exchanges between pf from the BSD world and the Netfilter project from GNU/Linux? Your presentation is particularly about high availability of firewalls and the tracking of transactions: are there exchanges with the pfsync/carp developers about these high availability problems?

Not for the time being, but I think it would be interesting to think about it.

# In your opinion, what are the main lines along which Netfilter will develop in the coming months/years?

Good question :) I think it would rather be:
- to consolidate the conntrack-tools project, which is still in progress;
- to provide an xtables interface, more flexible than the current one and totally independent of OSI layers 2, 3 and 4. We may have a netlink interface for iptables and soon a userspace library;
- we also need to consolidate the support for bridging;
- to introduce ipset in the core to give higher scalability to "rule-set matching";
- perhaps to have a look at layer 7 solutions (which are not for the moment developed by the core team).

# What are the subjects that interest you? What are the subjects you would like to work on in terms of development?

First I would like to finish my work within the framework of conntrack-tools.

# What is your everyday work environment when you code for Netfilter?

It is nothing exceptional: three 24x80 xterm windows, vim, and sometimes paper and pens to do "mental debugging". It is probably a little basic, but it works :)

# A last word: do you have a special wish for the 2008 LSM?

I wish to spend three friendly days at the LSM!

# We all hope that with all our heart, Pablo, and thank you very much for the time devoted to this interview :)

Interview conducted by e-mail by Christophe Brocas, Security theme, RMLL 2008.