NFTables To Replace iptables In the Linux Kernel

An anonymous reader writes "NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."

Re:again?

[jamesh]

Documentation: There is a quick howto available at Eric Leblond's website.

Yeah I guess a "quick howto" isn't quite going to cut it. I wonder if Linus would ever put his foot down and say "no docs = no patch accept".

Re:again?

[evilviper]

ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(

Not trying to troll or flame here, BUT...

That's not the fault of "progress", it's just a Linux thing... Same thing happened with audio, file systems, and much more.

The BSDs:

* haven't changed their audio systems since their inception.

* Kept their file systems backwards-compatible for decades, and did not have a flood of XFS/JFS/ReiserFS/etc. options. There have been changes recently, but incredibly few by comparison.

* Used the powerful and simple IPF as their stateful firewall dating back before many /.ers were born... at least 1993 or so. Only changed to PF (with very similar syntax) after IPF's license was changed, and all the BSD still use it. There are some alternative projects, but again, even with several BSDs, there's still less churn than with Linux.