NFTables To Replace iptables In the Linux Kernel
An anonymous reader writes "NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."
You don't worry about security too much, do you? As far as I know, 2.4 is not supported anymore.
Documentation: There is a quick howto available at Eric Leblond's website.
Yeah I guess a "quick howto" isn't quite going to cut it. I wonder if Linus would ever put his foot down and say "no docs = no patch accept".
ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(
Go to bed, grandpa. It will be transparent to the end user. I'm looking forward to it.
Free Martian Whores!
This is not an improvement. This is a replacement. Replacing things that are not broken is stupid.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I've been using linux since 2000. Two comments...
1) IPCHAINS was nice, simple, and usable. IPTABLES has stuff scattered all over the place. This may affect me more as a Gentoo user who configures his own kernel. I have to remember to...
a) enable Netfilter
b) enable "Advanced netfilter configuration" so that I can specify multi-port matches
c) check off the necessary items in "Core Netfilter Configuration"
d) check off the necessary items in "IP: Netfilter Configuration"
That's on a simple home system that doesn't attempt NAT/Masq/Routing/etc.
2) A problem with putting detailed specifications into the kernel is that when I want to enable new features (not just new rules), I have to tweak the kernel, rebuild it, and reboot. If we had to do this with new MTAs or crons or other system programs, there would be a huge outcry. Moving this out of the kernel looks logical.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Not trying to troll or flame here, BUT...
That's not the fault of "progress", it's just a Linux thing... Same thing happened with audio, file systems, and much more.
The BSDs:
* haven't changed their audio systems since their inception.
* Kept their file systems backwards-compatible for decades, and did not have a flood of XFS/JFS/ReiserFS/etc. options. There have been changes recently, but incredibly few by comparison.
* Used the powerful and simple IPF as their stateful firewall dating back before many /.ers were born... at least 1993 or so. Only changed to PF (with very similar syntax) after IPF's license was changed, and all the BSDs still use it. There are some alternative projects, but again, even with several BSDs, there's still less churn than with Linux.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.
Socialism: a lie told by totalitarians and believed by fools.
Don't you know? Open-source software doesn't need docs, because the best docs available are the sources.
It's the most comprehensive, but also one of the more incomprehensible for those not fluent in code.
Yes, because then you can say that subtle bugs are actually features! It is great!
Seriously, I know both of you are joking. But this is a bad joke that should be put down once and for all. Documentation describing the intended function of a program can help you find the bugs that cause inconsistent behavior. Using source as documentation is not even an option for the most skilled programmers. As long as we do not have mind-reading skills there is no way of knowing what the original programmer intended.
Captcha: naivete
All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.
I think you're confusing cause and effect, if we didn't have port based firewalls we'd still have Blaster-style worms spreading like wildfire. Because we've locked things down to a few approved ports, naturally that's where they try getting in.
Live today, because you never know what tomorrow brings
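Two threads above come together in one ruleset: the Gentoo poster's complaint that a multi-port match in iptables means hunting through several kernel config menus, and the reply pointing out that a default-deny, port-based host firewall is still what keeps Blaster-style worms from spreading. The following is an added example in nftables syntax, not code from the story, the Netfilter project or any commenter; it assumes a host that exposes only SSH (22) and HTTPS (443), and every value in it is constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Constructed example: a minimal stateful host firewall in nftables syntax.
# Assumption: only SSH (22) and HTTPS (443) are meant to be reachable from outside.
# Flushing first makes re-loading the file idempotent.
flush ruleset

table inet filter {
    # A named set is the nftables form of a multi-port match: the ports are
    # data in the ruleset, not a separately compiled kernel match module.
    set allowed_tcp {
        type inet_service
        elements = { 22, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened are allowed; malformed
        # conntrack state is dropped before any port check is made.
        ct state established,related accept
        ct state invalid drop

        # Loopback is trusted.
        iif lo accept

        # ICMP and ICMPv6 are needed for path MTU discovery and neighbour discovery.
        meta l4proto { icmp, icmpv6 } accept

        # New inbound TCP is accepted only on the listed services.
        tcp dport @allowed_tcp ct state new accept

        # Everything else is logged (rate-limited) and counted before the drop,
        # so unexpected inbound attempts show up in the kernel log.
        limit rate 5/minute log prefix "nft-input-drop: "
        counter drop
    }

    chain forward {
        # This host does not route, so forwarded traffic is dropped outright.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and inspect the live state with `nft list ruleset`; the `counter` on the final drop rule is what lets you see, without enabling extra debugging, how much inbound traffic the default-deny policy is actually turning away. Because the `inet` family covers IPv4 and IPv6 in one table, there is no second copy of the rules to keep in sync, which is one of the simplifications the story summary refers to.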