Netfilter/iptables, the firewall engine that is part of the Linux kernel, already allows stateless packet filtering for versions 4 and 6 of the Internet protocol, but only allows stateful packet filtering for IPv4. Stateful packet filtering is the more secure method, since it analyses whole streams of packets, rather than only checking the headers of individual packets -- as is done in stateless packet filtering.
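To make the stateless-versus-stateful distinction above concrete, here is an added toy model (not Netfilter code and not from the article): a header-only rule that judges each packet by its own TCP flags, beside a minimal connection tracker, both run over the same constructed IPv6 packet stream. Addresses, ports and the `Packet` type are assumptions for the illustration.

```python
from dataclasses import dataclass

INSIDE = "2001:db8::10"  # constructed address of the protected host

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flag letters: "S" (SYN), "SA" (SYN+ACK), "A" (ACK)

def stateless_allow(pkt: Packet) -> bool:
    """Header-only rule in the spirit of 'ip6tables -A INPUT -p tcp ! --syn -j ACCEPT':
    everything out, and anything in that is not a bare SYN. With no memory of
    earlier packets, an unsolicited ACK is indistinguishable from a real reply."""
    if pkt.src == INSIDE:
        return True
    return pkt.flags != "S"

class ConntrackFilter:
    """Toy connection tracker: inbound packets pass only if they belong to a
    connection the inside host was seen to open."""

    def __init__(self) -> None:
        self.tracked: set[tuple] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src == INSIDE:
            if pkt.flags == "S":  # outbound SYN: remember the connection 4-tuple
                self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must match a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tracked

def run_stream(packets: list[Packet]) -> tuple[list[bool], list[bool]]:
    """Run both filters over the same stream; return (stateless, stateful) verdicts."""
    ct = ConntrackFilter()
    return [stateless_allow(p) for p in packets], [ct.allow(p) for p in packets]

# Constructed traffic: an outbound web connection, its legitimate SYN+ACK reply,
# then an unsolicited inbound packet to port 22 carrying only the ACK flag.
STREAM = [
    Packet(INSIDE, "2001:db8::1", 40000, 80, "S"),
    Packet("2001:db8::1", INSIDE, 80, 40000, "SA"),
    Packet("2001:db8::99", INSIDE, 55555, 22, "A"),
]
if __name__ == "__main__":
    for p, a, b in zip(STREAM, *run_stream(STREAM)):
        print(f"{p.src} -> port {p.dport} [{p.flags}]  stateless={a}  stateful={b}")
```

Both filters accept the genuine reply, but only the connection tracker rejects the third packet, because no tracked connection matches it.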
Harald Welte, a developer on the Netfilter project and maintainer of the packet filter subsystem in the Linux kernel, said last week that a considerable amount of work went into adding IPv6 functionality, as parts of the code needed to be rewritten to create a plug-in architecture which would allow the packet filter to work with either IPv4 or IPv6.
This plug-in architecture also means that developers can write plug-ins for older network protocols such as IPX, the protocol used by old versions of the Novell NetWare operating system, and DECnet, Digital Equipment Corporation's network protocol.
The IPv6 packet filter will not be available in the next stable release of the Linux kernel, 2.6.11, but is expected to be available in the subsequent version of the kernel, said Welte.
"The kernel development team are still stabilising 2.6.11," said Welte. "Nobody would accept a big patch like this when they are stabilising the release. As soon as 2.6.11 is out we will submit the IPv6 packet filter."
Before being accepted into the Linux kernel, the packet filter must be accepted by David Miller, the maintainer of the IP networking layer, who will then pass it on to Linux founder Linus Torvalds, who is the lead maintainer of the Linux development kernel.
The 2.6.12 kernel is likely to be available in May or June, although it is difficult to anticipate the timing, according to Welte.
"The kernel release schedule is like the stock market -- you can never tell when things will happen," said Welte.
The IPv6 packet filter, known as nf_conntrack, is available for testing from the Netfilter Web site.