WritingNetfiltermodulesJanEngelhardt,NicolasBoulianerev.July3,2012TheNetfilter/Xtables/iptablesframeworkgivesusthepossibilitytoaddfeatures.Todoso,wewritekernelmodulesthatregisteragainstthisframework.Also,dependingonthefeature’scategory,wewriteaniptablesuserspacemodule.Bywritingyournewextension,youcanmatch,mangle,trackandgivefaithtoagivenpacketorcompleteflowsofinterrelatedconnections.Infact,youcandoalmosteverythingyouwantinthisworld.Bewarethatalittleerrorinakernelmodulecancrashthecomputer.WewillexplaintheskeletalstructuresofXtablesandNetfiltermoduleswithcompletecodeexamplesandbythisway,hopetomaketheinteractionwiththeframeworkalittleeasiertounderstand.WeassumeyoualreadyknowabitaboutiptablesandthatyoudohaveCprogrammingskills.Copyright©2005NicolasBouliane<acidfu(at)people.netfilter.org>,Copyright©2008–2012JanEngelhardt<jengelh(at)inai.de>.ThisworkismadeavailableundertheCreativeCommonsAttribution-Noncom-mercial-Sharealike3.0(CC-BY-NC-SA)license.Seehttp://creativecommons.org/licenses/by-nc-sa/3.0/fordetails.(Alternatearrangementscanbemadewiththecopyrightholder(s).)Additionally,modificationstothisworkmustclearlybeindicatedassuch,andthetitlepageneedstocarrythewords“ModifiedVersion”ifanysuchmodificationshavebeenmade,unlessthereleasewasdonebythedesignatedmaintainer(s).TheMaintainersaremembersoftheNetfilterCoreTeam,andanyperson(s)appointedasmaintainer(s)bythecoreteam.1AbouttheauthorsNicolashasbeenusingLinuxsince1998.Heistheco-authoroftheNetfiltergeoipmodule.HeiscurrentlyworkingforAirJaldiandhiscurrentfocusistoempowercommunitiesthroughwirelesstechnologiesusingfreesoftware.Hewrotetheoriginal“Howtowriteyourowniptablesmodule”inFebruary2005.Janisaconsultantforsystem-levelsoftwareandnetworkadministrationwithastrongfocusonLinux-basedenvironments.HeusesLinuxsincefall1999,andisinvolvedinkerneldevelopmentsince2003.HislatestsignificantactivitiesareinthefieldoffirewallingwithNetfilterandXtables.Nicolas’sarticlehasbeenextensivelyrewrittenandextendedbyJanin2008,up