Nftables: a new packet filtering engine
Posted Mar 25, 2009 11:31 UTC (Wed) by job
Parent article: Nftables: a new packet filtering engine
An excellent article, as always. Nftables is one of those things I really wanted to take a look at "any day now".
As a user/sysadmin, these are the main problems I have with iptables and friends:
- It's too modular. There are about a gazillion modules, one can hardly know about them all. Sometimes they do common operations with slightly different syntax.
- The iptables syntax can be improved. Compared to pf it is much harder to read configuration files, and to update them at run-time. With tc you pretty much have to use the u32 classifier, which is sparsely documented.
- Speaking of tc, the integration between traffic management and packet filter must improve. Preferably using the same classifiers and managed with the same tools.
It would also be desirable to use table lookups for large rulesets to improve performance. Nftables seems to be an interesting development. My immediate worries are that using a byte code interpreter in the kernel is a very dangerous path. It's like a do-everything-syscall, opaque and hard to understand.
Also, what about the connection trackers such as FTP, SIP etc.? Shall they be called from bytecode or reimplemented? They also contribute to duplicated code.
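The table-lookup idea raised in the comment above, shown as an added example in present-day nft syntax (this is not from the article or the commenter, and the addresses are constructed RFC 5737 documentation ranges): a named set with `flags interval` lets one rule match an arbitrarily long address list through a single lookup instead of one linear rule per address, and an anonymous set does the same for a handful of ports.

```nft
# Added example: one set lookup replaces a long chain of per-address rules.
table inet filter {
    set blocklist {
        type ipv4_addr
        flags interval            # allows CIDR ranges as elements
        elements = { 192.0.2.0/24, 198.51.100.17 }   # constructed sample values
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr @blocklist drop           # single lookup, whatever the set size
        tcp dport { 22, 443 } accept       # anonymous set for the allowed ports
    }
}
```

Load it with `nft -f ruleset.nft`, and grow the blocklist later with `nft add element inet filter blocklist { 203.0.113.5 }` without touching the chain; the rule count stays constant as the set grows, which is the performance property the comment asks for.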