|
|
Log in / Subscribe / Register

Nftables: a new packet filtering engine

Nftables: a new packet filtering engine

Posted Mar 24, 2009 17:25 UTC (Tue) by JoeBuck (guest, #2330)
Parent article: Nftables: a new packet filtering engine

If there were a translator that could take iptables rules and produce nftables rules, either the high-level form or the virtual machine form, then it seems that this change would be a no-brainer: iptables firewalls keep working and the kernel has a smaller, more flexible and powerful implementation. But without such a translator, users lose big-time.

So a translator should be a prerequisite for accepting nftables, because it allows iptables to go away.

to post comments

Nftables: a new packet filtering engine

Posted Mar 24, 2009 17:44 UTC (Tue) by yokem_55 (subscriber, #10498) [Link] (4 responses)

The main requirement for a translator though is that it cannot cause subtle changes in behavior between the original iptables implementation and the translated nftables implementation. It would seem to me that the less risky, and perhaps easier transition would be to mark iptables as deprecated, merge nftables in parallel with iptables, and in a couple of years pull the plug on iptables. By that time it should be clear if a translator can work reliably, and for most folks to implement their filters in nftables "native" code.

Nftables: a new packet filtering engine

Posted Mar 24, 2009 17:58 UTC (Tue) by martinfick (subscriber, #4455) [Link]

Or, maybe a change like this to the user ABI (removing iptables) could be done by bumping to a 2.8 number?

Nftables: a new packet filtering engine

Posted Mar 24, 2009 18:21 UTC (Tue) by kaber (guest, #18366) [Link] (2 responses)

Translating normal header matches like address and port matches should work fine, there really arent't any subtleties in that area. It might look differently in case of matches with more complex behaviour, like, lets say, the policy match. But with the necessary care I wouldn't expect many problems.

That said, iptables is certainly going to stay for quite a while. The rough plan so far is to add a converter/parser for the old syntax, shake out the bugs, and at some point transparently enable it in userspace once it has proven itself. A couple of years sounds realistic to me. But since this hasn't been discussed yet, things might also turn out differently.

Nftables: a new packet filtering engine

Posted Mar 24, 2009 22:17 UTC (Tue) by man_ls (guest, #15091) [Link] (1 responses)

I like this. So, if I understood well, an iptables-like command (with syntax identical to the old-style command) will transparently generate new-style rules and load them? That would be a very good proof of the versatility of the new engine.

Nftables: a new packet filtering engine

Posted Mar 29, 2009 6:58 UTC (Sun) by ernest (guest, #2355) [Link]

Wel, a translator which loads the old iptable rules could prevent the new high level nftable language from ever being further developped.

This could be a problem, but maybe not. It depends on how much more can be done with the new highlevel nftable language or how efficient the iptable rule translator will be.

Ernest.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds