NFTables To Replace iptables In the Linux Kernel

← Back to Stories (view on slashdot.org)

NFTables To Replace iptables In the Linux Kernel

Posted by Soulskill on Saturday October 19, 2013 @11:07AM from the out-with-the-old dept.

An anonymous reader writes "NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."

20 of 235 comments (clear)

Min score:

Reason:

Sort:

again? by Leroy+Brown · 2013-10-19 11:14 · Score: 5, Interesting

ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(
1. Re:again? by Anonymous Coward · 2013-10-19 11:22 · Score: 5, Interesting
  
  And the iptables docs haven't even been finished yet. I was at the North Carolina Biotechnology Center at the Linux Expo in 1997 when one of the speakers that was talking about iptables promised they would write docs for it. I think I was the only teen girl and only black female there, so if you were there, you'll probably remember me. How about finishing what you start rather than screwing the users with half-ass unfinished projects?
2. Re:again? by jamesh · 2013-10-19 11:40 · Score: 5, Insightful
  
  Documentation: There is a quick howto available at Eric Leblond's website.
  Yeah I guess a "quick howto" isn't quite going to cut it. I wonder if Linus would ever put his foot down and say "no docs = no patch accept".
3. Re:again? by Anonymous Coward · 2013-10-19 13:25 · Score: 5, Funny
  
  Don't you know? Open-source software doesn't need docs, because the best docs available are the sources.
4. Re:again? by skids · 2013-10-19 15:31 · Score: 4, Informative
  
  There is an intersection between the tasks iptables/ebtables/arptables can perform, so someties you need to decide which responsibility you want to delegate to which.
  But you are correct, ebtables was never a replacement.for iptables.
  This diagram is very useful when you get deep in the weeds.
  
  --
  Someone had to do it.
5. Re:again? by evilviper · 2013-10-19 16:46 · Score: 5, Insightful
  
  ipfwadm.. ipchains.. iptables.. nftables... progress sucks. :(
  Not trying to troll or flame here, BUT...
  That's not the fault of "progress", it's just a Linux thing... Same thing happened with audio, file systems, and much more.
  The BSDs:
  * haven't changed their audio systems since their inception.
  * Kept their file systems backwards-compatible for decades, and did not have a flood of XFS/JFS/ReiserFS/etc. options. There have been changes recently, but incredibly few by comparison.
  * Used the powerful and simple IPF as their stateful firewall dating back before many /.ers were born... at least 1993 or so. Only changed to PF (with very similar syntax) after IPF's license was changed, and all the BSD still use it. There are some alternative projects, but again, even with several BSDs, there's still less churn than with Linux.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
6. Re:again? by ras · 2013-10-20 13:10 · Score: 5, Interesting
  
  Hear hear! A bit of background to the politics of this:
  NFTables is brought to you by a group of codes created when Alexey Kuznetsov decided to replaced the low level linux network stack for Linux 2.2 to make it more like what Cisco provided in IOS. The result added whole pile of new functionality to Linux (eg routing rules), and a shiny new highly module traffic control engine. Alexey produced a beautifully written postscript documentation for the new user land routing tools (the "ip" command), and 100 line howto for the far more complex traffic control engine tools (the "tc" command).
  Technically it was a was tour de force. But to end users it could at best be called a modest success. Alexey re-wrote the net-utils tools ("ifconfig", "route" and friends) to use the new system, and did such a good job very few bothered to learn the new "ip" command even though the documentation was good and it introduced a modest amount of new features. But real innovation was the traffic control engine, and to this day bugger all people know how to use it.
  At this point it could have gone two ways. Someone could have brought tc's documentation up to the same standard Alexey provided for ip, or they could ignore the fact that almost no one used the code already written and add more of the same. They did the latter.
  It was also at this time the network code wars started in the kernel. Not many people know that a modest amount of NAT, filtering and so on can be done by Alexey's new ip command. But rather than build on that Rusty Russell just ported the old ipfwadm infrastructure, called it ipchains (and later replaced it with iptables). There was some overlap between Rusty's work and tc, and this has grown over time. For example the tc U32 filter could do most of the packet tests ipchain's introduced over time on day 1. Technically the modular framework provided by tc was more powerful than ipchains, and inherently faster. Tc was however near impossible for mere mortals to use even if they had good documentation. There were some outside efforts to fix this - tcng was an excellent out-of-tree attempt to fix the complexity problems of tc. But in what seems like a recurring theme, it was out of tree and ignored. In contrast, Rusty provided ipchains with the some best documentation on the planet. In the real world the result of these two efforts are plain to see - while man + dog uses iptables, there maybe 100 people on the planet who can use tc.
  Another example of the same thing is IMQ. IMQ lets you unleash the full power of the traffic control engine on incoming traffic. (Natively the traffic control engine only deals with packets being sent, not incoming packets - a limitation introduced for purely philosophical reasons). IMQ was very well documented, and heavily used. The people who brought you tc had a list of technical objections to IMQ. I don't know whether they were real or just a case of Not Invented Here, but I'd give them the benefit of the doubt - they are pretty bright guys. So they replaced it with their own in-kernel-tree concoction. (For those of you who don't follow the kernel "in-tree" means it comes with the Linux Kernel. An out-of-tree module like IMQ means at the very least you have to compile the module source, and possibly the entire kernel.) For a while this discouraged the developers of IMQ so much they stopped working on it. If you follow that link, you will see it's back now. Why? Because the thing that replaced it had absolutely no documentation. They never do. So no one could use the replacement. Again, in the end, the thing code that was documented won the day.
  By now you might be guess where this is heading. We have two groups in the kernel competing to provide the
Bah by Billly+Gates · 2013-10-19 11:18 · Score: 5, Funny

IPChains work just fine thank you very much!
Kernel 2.4 works fine for my needs. You kids today have no idea what it is like upgrading thousands of computers at work! Especially when you have to justify to a beancounter to upgrade an IP table that has worked fine since October 2001 and already works. It is an enterprise standard that works so why fix what isn't broken?
Last thing I need is another confusing IP table interface designed for teenagers.
With a modern AV I should be just fine if I do not go to questionable websites.

--
http://saveie6.com/
1. Re:Bah by lgw · 2013-10-19 17:50 · Score: 4, Insightful
  
  All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:Bah by Kjella · 2013-10-19 23:15 · Score: 4, Insightful
  
  All malware today uses ports 80 and 443. Port-based firewalling is a meaningless ritual from the previous century.
  I think you're confusing cause and effect, if we didn't have port based firewalls we'd still have Blaster-style worms spreading like wildfire. Because we've locked things down to a few approved ports, naturally that's where they try getting in.
  
  --
  Live today, because you never know what tomorrow brings
Noooooo by binarylarry · 2013-10-19 11:23 · Score: 5, Funny

All my precious iptables knowledge gone!
Linus hates us precious! Hates us!

--
Mod me down, my New Earth Global Warmingist friends!
1. Re:Noooooo by binarylarry · 2013-10-19 11:24 · Score: 4, Interesting
  
  Okay so after RTFMing, I like the changes.
  It reminds me of the ip command, which is so much better than route.
  NFTables FTW!
  
  --
  Mod me down, my New Earth Global Warmingist friends!
2. Re:Noooooo by dbIII · 2013-10-20 01:36 · Score: 4, Interesting
  
  It's as useless as having the option of having car windows painted black, but people wanted it so it's there (so I've heard - I'm an end user not a developer of this).
  When NAT came in it was a pity we needed that shit due to a lack of numbers instead of having everything adressable, and now for some reason people like the smell of that shit. They think it smells like security.
  If you think I'm wrong please spend at least five minutes learning how a firewall works and look up router on wikipedia or something before you reply. You should work out from that that the devices that provide the security will still be upstream whether you have NAT or not.
pf by Alioth · 2013-10-19 11:24 · Score: 4, Informative

Can't we have OpenBSD pf instead? Powerful, nice, decent documentation on how to use it, syntax that makes a lot more sense than iptables.

--
Oolite: Elite-like game. For Mac, Linux and Windows
I really like the idea by vadim_t · 2013-10-19 11:39 · Score: 4, Interesting

The main advantage of this is moving protocol knowledge out of the kernel into userspace.
Which means that the kernel doesn't need a million modules that understand the various bits of various protocols. If something new comes up, the userspace compiler can patched to deal with it.
It should also make the kernel part much smaller and easier to make secure.
1. Re:I really like the idea by icebike · 2013-10-19 12:20 · Score: 4, Interesting
  
  It should also make the kernel part much smaller and easier to make secure.
  You hope.
  I've learned to become suspicious of change for change sake.
  Long running well debugged code is almost always better understood than new code.
  
  --
  Sig Battery depleted. Reverting to safe mode.
2. Re:I really like the idea by gweihir · 2013-10-19 12:36 · Score: 4, Funny
  
  Indeed. I see several possible outcomes:
  - This never reaches the quality level of iptables
  - It becomes fast and stable enough to use, but nobody cares
  - It replaces iptables in the distant future
  Iptables is not broken. Do not fix it.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
3. Re:I really like the idea by gweihir · 2013-10-19 14:26 · Score: 4, Insightful
  
  This is not an improvement. This is a replacement. Replacing things that are not broken is stupid.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
drunken troubleshooting in 3 years by RITjobbie · 2013-10-19 11:45 · Score: 5, Funny

I can't get to slashdot. Let's troubleshoot!
[root@wang]# ifconfig
bash: ifconfig: command not found

[root@wang]# iptables -F
bash: iptables: command not found
Re:You go girl :D by philip.paradis · 2013-10-19 15:42 · Score: 4, Informative

Don't worry, iptables and arptables aren't going to magically disappear. A ridiculous amount of infrastructure depends on both, and the nftables announcement is severely over-hyped. Having alternatives is a good thing, and it doesn't mean the sky is falling.

--
Write failed: Broken pipe