Slashdot Mirror


NFTables To Replace iptables In the Linux Kernel

An anonymous reader writes "NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful and simpler, to reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."

5 of 235 comments

  1. Re:again? by jamesh · · Score: 5, Insightful

    Documentation: There is a quick howto available at Eric Leblond's website.

    Yeah I guess a "quick howto" isn't quite going to cut it. I wonder if Linus would ever put his foot down and say "no docs = no patch accept".

  2. Re:I really like the idea by gweihir · · Score: 4, Insightful

    This is not an improvement. This is a replacement. Replacing things that are not broken is stupid.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  3. Re:again? by evilviper · · Score: 5, Insightful

    ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(

    Not trying to troll or flame here, BUT...

    That's not the fault of "progress", it's just a Linux thing... Same thing happened with audio, file systems, and much more.

    The BSDs:

    * haven't changed their audio systems since their inception.

    * kept their file systems backwards-compatible for decades, and did not have a flood of XFS/JFS/ReiserFS/etc. options. There have been changes recently, but incredibly few by comparison.

    * used the powerful and simple IPF as their stateful firewall dating back before many /.ers were born... at least 1993 or so. Only changed to PF (with very similar syntax) after IPF's license was changed, and all the BSDs still use it. There are some alternative projects, but again, even with several BSDs, there's still less churn than with Linux.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant

  4. Re:Bah by lgw · · Score: 4, Insightful

    All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.

    --
    Socialism: a lie told by totalitarians and believed by fools.

  5. Re:Bah by Kjella · · Score: 4, Insightful

    All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.

    I think you're confusing cause and effect: if we didn't have port-based firewalls we'd still have Blaster-style worms spreading like wildfire. Because we've locked things down to a few approved ports, naturally that's where they try getting in.

    --
    Live today, because you never know what tomorrow brings
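The "locked down to a few approved ports" policy Kjella describes, written in the nftables syntax the story is about. This is an added example, not code from the article, LWN, or the Netfilter project; the interface name, the approved port list (22, 80, 443) and the log prefix are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): a minimal stateful host firewall.
# Assumed: loopback interface "lo"; approved inbound services on TCP 22, 80, 443.
flush ruleset

table inet filter {
    chain input {
        # Default-deny: anything not explicitly accepted below is dropped,
        # so an unsolicited connection to an unapproved port never reaches a socket.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The approved ports. Everything else falls through to the drop policy.
        tcp dport { 22, 80, 443 } accept

        # Keep ICMP for path-MTU discovery and basic diagnostics.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Rate-limited log of what the policy drops, for detection and tuning.
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        # This host is not a router; refuse to forward anything.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` as root and inspect the result with `nft list ruleset`; the `log` rule shows up in the kernel log (`dmesg` or `journalctl -k`) with the assumed prefix.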