Nftables: a new packet filtering engine
Posted Mar 27, 2009 5:21 UTC (Fri) by quotemstr
In reply to: Nftables: a new packet filtering engine
Parent article: Nftables: a new packet filtering engine
Someone was supposed to write the cool GUI tool
Oh, people have written neat front-ends
. But because there was no de facto standard rule compiler distributed with iptables, all the tutorials, guides, and so on focused on what was
universal, direct iptables manipulation. Since everyone was familiar with raw iptables, front-ends were seldom used, and seldom distributed.
pf also has a fairly primitive kernel-side "assembly language", but because pfctl is the way everyone manipulates the kernel state, nobody notices the difference between pf.conf and the raw rules as seen when reading the firewall state back from the kernel.
If, from the start, iptables had an official and useful front-end language tied to exactly the same kernel architecture, I doubt we'd be talking about a replacement today.
changing your NAT rules should not imply a change to
your filtering rules unless you're being very tricky
It's still very useful to be able to specify them in the same place. When writing filtering and NAT rules, we mentally track the path of a packet as it transits the network stack; since a packet is subject to filtering and address translation in sequence, it's useful to be able to specify the rules in the same place.
to post comments)