LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Xtables2 vs. nftables

Xtables2 vs. nftables

Posted Jan 14, 2013 21:54 UTC (Mon) by paulj (subscriber, #341)
In reply to: Xtables2 vs. nftables by intgr
Parent article: Xtables2 vs. nftables

You're badly misrepresenting iptables though. The tables are NOT like goto, they're like functions which can return to the calling chain, in addition to terminating rule processing for the packet. So your iptables example can be factored in several ways. E.g.: 

accept_allowed_ssh_hosts () {
  if (proto != tcp)
    RETURN;
  if (port != ssh)
    RETURN;

  if (ip == 1.2.3.4) ACCEPT;
  if (ip == 2.2.2.2) ACCEPT;
  if (ip == 3.3.3.3) ACCEPT;
}

And somewhere in INPUT: 

accept_allowed_ssh_hosts ();
…
DROP;

Note also the existing iptables language could be compiled to something suitable for a JIT. If there's any control-flow it is missing, it could be added, without throwing away the interface that is there today.

(Log in to post comments)

Xtables2 vs. nftables

Posted Jan 14, 2013 23:24 UTC (Mon) by intgr (subscriber, #39733) [Link]

Good point, I never thought of structuring my rules this way. It's better, but it requires you to artificially split things into separate chains and specify lots of things using negative logic, which is far from natural.

I just went the easy route and use FERM to translate between my brain and iptables.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds