= Monday 18th October =

== 10h Welcoming ==
* Speaker: Pablo Neira Ayuso
* Type: Presentation
* Time required: 60 minutes
* Description: Pablo proposes the schedule. The idea is to discuss the proposal to rearrange presentations according to our needs.

== 11h Netfilter developments since the last workshop ==
* Speaker: Patrick McHardy
* Type: Presentation
* Time required: 30 minutes
* Description: Overview of netfilter developments since the last workshop, current state of Netfilter development.

== 11h45 Recent and pending IPVS developments ==
* Speaker: Simon Horman
* Type: Discussion
* Time required: 60 minutes
* Description: Recently, there has been much activity on the IPVS front and it seems there is more to come. I would like to give a brief overview of what the recent developments have been, and have a discussion about the design of pending changes, in particular a new connection synchronisation protocol.

== 12h45 Core: RPS, RFS, and SKB list handling ==
* Speaker: David S. Miller
* Proposed by: David S. Miller
* Type: Presentation
* Target audience: Developers (INT)
* Time required: 30 minutes
* Description: The state and development of software packet and flow steering, as well as the ongoing challenges in converting sk_buff over to generic list_head.

== 13h30-15h30 Meal time ==

== 15h30 State of Xtables-addons ==
* Speaker: Jan Engelhardt
* Proposed by: self
* Type: Presentation
* Target audience: End users
* Time required: 15 minutes
* Description: Xtables-addons has caught on in the real world (after roughly two years). This talk tries to encourage users who still fiddle with patch-o-matic-ng, and developers who have single patches floating around, to make use of Xt-a to ease the amount of work required to make things work across many kernel versions.

== 15h50 Lifetime of an Xtables module ==
* Speaker: Jan Engelhardt
* Proposed by: self
* Type: Tutorial
* Target audience: Developers (API users)
* Time required: 15 minutes
* Description: A currently external module of the community's choice will be subject to transformation to compile and run within Xtables-addons. In a second step, it will be prepared from there for (technical) inclusion into the Linux kernel.

== 16h15 Xtables2: Love for blobs ==
* Speaker: Jan Engelhardt
* Proposed by: self
* Type: Presentation, project status
* Target audience: Developers (INT)
* Time required: 45 minutes
* Description: The packed serialized ruleset ("blob") such as the one currently in use by Xtables will remain with us for the foreseeable future. Linked lists have undesired big issues at hand, so more efficient means of manipulating packed rulesets need to be devised. The current ideas for that are showcased.

== 17h Ingress Bandwidth Shaping: IFB vs. iptables ==
* Speaker: Jesper Dangaard Brouer
* Proposed by: self
* Type: Proposal + Discussion
* Target audience: Developers (INT)
* Time required: 15 minutes
* Description: The IFB (Intermediate Functional Block) device is the successor to the IMQ (InterMediate Queueing) device. We want to use IFB together with the iptables classifier, which is currently not possible. We propose that we add a new Netfilter hook, before the ingress step.

== 17h30 Uplink balancing ==
* Speaker: Ulrich Weber
* Proposed by: self
* Type: Presentation
* Target audience: End users
* Time required: 30 minutes
* Description: Multiple Internet uplinks without the help of dynamic routing protocols require heavy use of MARK and CONNMARK to get running. There are some architectural limitations, e.g. SNAT being done after the routing decision is made, or local sockets being bound to an IP address before iptables is involved, which make it even harder to set up and understand. We made some modifications to get multiple Internet uplinks running without the use of MARK/CONNMARK. There is also granular connection balancing based on protocol/port and uplink failover functionality.

== 18h End of day ==

= Tuesday 19th October =

== 10h ipset: The new branch ==
* Speaker: Jozsef Kadlecsik
* Proposed by: self
* Type: Presentation
* Target audience: Developers (INT)
* Time required: 60 minutes
* Description: After much redesigning and rewriting, the new ipset code is ready to be released. In the talk, the background questions like hash functions and hashing methods are discussed first. Then, the communication protocol on top of netlink is presented, together with the required slight extension to the netlink core. Implementation details of the kernel part of ipset (locking questions, timeouts and garbage collection, code generation for compiling) are explained. In the second part, the userspace tool is presented, both the internals and the syntax. At the end, a little tool on top of the new ipset is shown, which can help to manage large iptables/ip6tables rulesets.

== 11h nftables status ==
* Speaker: Patrick McHardy
* Proposed by: self
* Type: Presentation
* Time required: 30 minutes
* Description: There have been quite a lot of architectural changes to nftables since it was first released. This presentation will present those changes and the remaining problems.

== 12h libnetfilter_* library status ==
* Speaker: Pablo Neira Ayuso
* Proposed by: self
* Type: Presentation
* Target audience: Developers (API users)
* Time required: 15 minutes
* Description: The status of the libnetfilter_* user-space libraries.

== 12h15 Libnetfilter_queue: to 1.0 and beyond, new API proposal ==
* Speaker: Eric Leblond
* Proposed by: self
* Type: Proposal
* Time required: 15 minutes
* Description: Libnetfilter_queue has had a few evolutions in the past two years. Extensibility of the current API is clearly suboptimal, mainly because it uses the old-style API.

== 12h30 Userspace decision: performance issues ==
* Speaker: Eric Leblond
* Proposed by: self
* Type: Discussion
* Time required: 15 minutes
* Description: libnetfilter_queue is used by an IPS like suricata. In this scope, it suffers from a lack of performance in terms of packet rate. The aim of this discussion is to present these performance limits and to try to find new paths to a fast and efficient queuing system.

== 12h45 libmnl: a minimalistic library for Netlink developers ==
* Speaker: Pablo Neira Ayuso
* Proposed by: self
* Type: New product and release
* Target audience: Developers (API users)
* Time required: 15 minutes
* Description: Libmnl is a minimalistic library targeted to Netlink developers. In this talk, we will introduce this new library and make the official release of the 1.0 version.

== 13h30-15h30 Meal ==

== 15h30 Oowall: technologies and software architecture behind the fun ==
* Speaker: Eric Leblond
* Proposed by: Pierre Chifflier
* Type: Presentation
* Time required: 15 minutes
* Description: Following a famous quote by a previous French culture minister, Pierre Chifflier has developed oowall, the openoffice firewall. Behind the geek joke, the conception shows an interesting work with Netfilter high-level language binding.

== 16h Ulogd2: finding the way to 1.0 ==
* Speaker: Eric Leblond
* Proposed by: self
* Type: Discussion
* Time required: 15 minutes
* Description: Ulogd2 has now been in beta stage for a couple of years. The aim of this discussion is to decide what remains to be done to reach the stable stage. Further evolution will also be discussed.

== 16h30 Advances in the development of high availability for stateful firewalls ==
* Speaker: Pablo Neira Ayuso
* Proposed by: self
* Type: Presentation, project status
* Target audience: System administrators
* Time required: 20 minutes
* Description: Availability of stateful firewalls is crucial to ensure uptime of network services. The Netfilter project provides the conntrack-tools package which enables high-availability of stateful firewalls for GNU/Linux. This talk covers the advances in this regard and new directions in the development.

== 17h Fun with conntrack expectations in user-space with libnetfilter libraries ==
* Speaker: Pablo Neira Ayuso
* Proposed by: self
* Type: Project status and proposals
* Time required: 15 minutes
* Description: Since 2.6.37-rc, Netfilter will provide the basic infrastructure to implement conntrack helpers in user-space. This talk will cover this new feature and propose some new developments in this direction.

== 17h30 Netfilter vs. dhcpd vs. raw sockets ==
* Speaker: Jesper Dangaard Brouer
* Proposed by: self
* Type: Proposal + Discussion
* Target audience: Developers (INT)
* Time required: 15 minutes
* Description: Currently, it is not possible to firewall traffic to and from the DHCP daemon on a server. This poses a practical problem for us (as an ISP), as some customer equipment can go into a DHCP request-ack loop. Normally it is possible to protect the service by means of an iptables trick with hashlimit or recent match. The reason it is not possible to block the traffic is because dhcpd uses a raw socket. We propose that we add a new Netfilter hook, before the raw socket branch-off.

== 18h End of Day ==

= Wednesday 20th October =

== 10h Sharing: Git tricks and tips ==
* Speaker: Jan Engelhardt
* Proposed by: Jesper Dangaard Brouer
* Type: Tutorial
* Target audience: Developers (toolchain end users)
* Time required: 15 minutes
* Description: Practical hints and tricks on how to use Git by the Git gurus. Explaining the stg tool, StackedGit, and how it makes it easier to work with large patch sets.

== 11h Challenges and experiences with IPTV from a network point of view ==
* Speaker: Jesper Dangaard Brouer
* Proposed by: self
* Type: Presentation and product release
* Target audience: End users
* Time required: 45 minutes
* Description: I will explain our real-life challenges with IPTV multicast signals on loaded Ethernet switches, with bursty traffic patterns. To face these challenges, I have developed an iptables module for analyzing IPTV/MPEG2-TS streams.

== 12h Sysadm tasks for netfilter.org ==
* Speaker: Jesper Dangaard Brouer, Pablo or Patrick
* Type: Administrative + Discussion
* Target audience: Netfilter Core Team and direct associates
* Link: Sysadm Tasks
* Time required: 30 minutes
* Description: We need to assign persons to the netfilter.org system administration maintenance tasks and responsibilities. Discuss which services we want to provide on netfilter.org.