Nftables: a new packet filtering engine
Posted Mar 24, 2009 19:45 UTC (Tue) by patrick_g (subscriber, #44470)
Posted Mar 24, 2009 19:45 UTC (Tue) by flewellyn (subscriber, #5047)
Posted Mar 24, 2009 19:51 UTC (Tue) by quotemstr (subscriber, #45331)
Posted Mar 24, 2009 20:08 UTC (Tue) by flewellyn (subscriber, #5047)
This was in 2005, so I will grant that things may have changed since then.
Posted Mar 24, 2009 20:11 UTC (Tue) by Alan_Hicks (subscriber, #20469)
Posted Mar 25, 2009 13:54 UTC (Wed) by rvfh (subscriber, #31018)
Posted Mar 24, 2009 20:00 UTC (Tue) by Alan_Hicks (subscriber, #20469)
Setting up class-based or priority-based queues is also ridiculously easy with pf and included right in the code, not as some add-on. One of the features mentioned in the article about nftables is the ability to easily jump to a different rule or class of rules. This was solved years and years ago by pf with the use of anchors.
As far as features go, I just gave you three. There are plenty more (scrubbing packets and antispoof instantly come to mind), but perhaps the best is the sane and clearly readable syntax for pf, not to mention the more powerful pfctl tool.
As for porting, pf originated with OpenBSD and has been ported to FreeBSD, NetBSD, and Dragonfly BSD. I'm not a programmer, though, so I can't say for certain how easy it would be to port to Linux, but my understanding is that there are some fairly radical architecture differences in those four BSDs, particularly in regards to the new offshoot Dragonfly. I would make a SWAG that porting it wouldn't be any more difficult than writing an entirely new packet filter.
There's an out-of-tree module for iptables that allows binary lists and functions similarly to pf's tables, I'm told.
As compared to iptables. I have not looked at the userspace component of nftables at all.
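The pf features listed in the comment above (tables, anchors, scrub, antispoof, class-based queues, and pfctl driving them) in one small ruleset. This is an added example written for this page, not the commenter's configuration and not code from the pf project; the interface names, addresses, the "ssh-guard" anchor name and the management network are assumptions for illustration. The queueing lines use the ALTQ/cbq syntax of the OpenBSD releases current when this thread was written (FreeBSD's pf still uses it); OpenBSD 5.5 and later replaced ALTQ with a different "queue" syntax.

```shell
#!/bin/sh
# Added example (not from the thread or the pf project): a pf.conf showing
# tables, anchors, scrub, antispoof and ALTQ queues, plus the pfctl commands
# that load and edit them.  Interfaces, addresses and the anchor name are
# assumed values for illustration.

# Print the main ruleset.  Nothing is applied until apply_pf runs.
gen_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
int_if = "em1"

# Tables: address sets that rules reference and pfctl edits at runtime.
# "persist" keeps the table even when no rule references it;
# "const" tables cannot be changed after load.
table <bruteforce> persist
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Class-based queueing (ALTQ/cbq): interactive ssh gets its own queue.
altq on $ext_if cbq bandwidth 10Mb queue { q_bulk, q_ssh }
queue q_bulk bandwidth 80% cbq(default)
queue q_ssh  bandwidth 20% priority 7

# Normalise fragments and options; drop packets with spoofed sources.
scrub in all
antispoof quick for { $int_if, $ext_if }

block in log all
block in quick on $ext_if from <rfc1918>
block in quick from <bruteforce>

# Anchor: a named sub-ruleset, loaded and replaced independently of this file
# with "pfctl -a ssh-guard -f <file>".
anchor "ssh-guard"

# Pass ssh, but a source opening more than 3 new connections per 30 s is put
# into <bruteforce>, so the "block ... from <bruteforce>" rule drops it.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)
pass out on $ext_if proto tcp to port 22 keep state queue q_ssh
pass out on $ext_if keep state
EOF
}

# Print the anchor's rules.  Assumed management network bypasses the limiter;
# "quick" inside an anchor ends evaluation of the whole ruleset.
gen_ssh_anchor() {
    cat <<'EOF'
pass in quick proto tcp from 192.0.2.0/24 to port 22 keep state
EOF
}

# Parse first (-n), then load.  pfctl -f installs the ruleset as one
# transaction, so a syntax error leaves the running rules untouched.
apply_pf() {
    conf=$(mktemp) || return 1
    anchor=$(mktemp) || return 1
    gen_pf_conf > "$conf"
    gen_ssh_anchor > "$anchor"
    if pfctl -nf "$conf"; then
        pfctl -f "$conf"
        pfctl -a ssh-guard -f "$anchor"       # reload only the anchor
        pfctl -t bruteforce -T add 203.0.113.9 # edit a table live, no reload
        pfctl -t bruteforce -T show
    else
        echo "pf.conf rejected; live rules untouched" >&2
    fi
    rm -f "$conf" "$anchor"
}

# Only touch the live firewall when asked explicitly (needs root and pf).
if [ "${1:-}" = "apply" ]; then apply_pf; fi
```

Run it as `sh pf-example.sh apply` on a pf host; without the argument it only defines the functions, which is all the checks below exercise.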
Posted Mar 25, 2009 11:58 UTC (Wed) by osma (subscriber, #6912)
What I particularly like (as a sysadmin) in pf are two things:
I don't have an opinion on whether to port pf or not, but I hope that whatever replaces iptables will consider these features. It sounds like the nftables approach has the potential for these, as the ruleset processing is done mostly in user space.
Posted Apr 2, 2009 10:39 UTC (Thu) by jengelh (subscriber, #33263)
You can do the same with iptables-restore.
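The iptables-restore mechanism the reply above refers to, as an added example written for this page (not the commenter's rules, not code from the iptables project): a ruleset in iptables-save format and the parse-then-commit sequence that replaces a filter table in one step. Each `*table ... COMMIT` section is handed to the kernel as a single unit, so a reload never leaves a half-installed table; the atomicity is per table, not per file. Addresses and the chain name are assumptions; `--test` exists in current iptables-restore but not in very old releases.

```shell
#!/bin/sh
# Added example (not from the thread or the iptables project): an
# iptables-restore ruleset and the test-then-commit sequence.  The
# management network and chain name are assumed values for illustration.

# Print the ruleset in iptables-save format.  Lines starting with '#' are
# ignored by iptables-restore, so comments may stay in the file.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Rough counterpart of a pf anchor: a separate chain jumped to from INPUT.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
-A SSH_GUARD -s 192.0.2.0/24 -j ACCEPT
# Dynamic address list via the recent match: drop a source that already
# has 4 hits in the last 30 s, otherwise record the hit and accept.
-A SSH_GUARD -m recent --name bruteforce --rcheck --seconds 30 --hitcount 4 -j DROP
-A SSH_GUARD -m recent --name bruteforce --set -j ACCEPT
COMMIT
EOF
}

# Number of rules in the generated table (used to sanity-check the output).
count_rules() {
    gen_rules | grep -c '^-A '
}

# Parse and construct only; nothing is committed.
check_rules() {
    gen_rules | iptables-restore --test
}

# Commit.  By default iptables-restore flushes each table named in the input
# and installs the new contents in one kernel call; pass -n/--noflush only
# when you really mean to append to the existing table.
apply_rules() {
    rules=$(mktemp) || return 1
    gen_rules > "$rules"
    if iptables-restore --test < "$rules"; then
        iptables-restore < "$rules"
        status=$?
    else
        echo "ruleset rejected; live rules untouched" >&2
        status=1
    fi
    rm -f "$rules"
    return "$status"
}

# Only touch the live firewall when asked explicitly (needs root).
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run it as `sh iptables-example.sh apply` on a Linux host; `check_rules` alone is a safe dry run, and the checks below only inspect the generated text.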
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds