Nftables: a new packet filtering engine

Posted Mar 24, 2009 18:21 UTC (Tue) by kaber (guest, #18366)
In reply to: Nftables: a new packet filtering engine by yokem_55
Parent article: Nftables: a new packet filtering engine

Translating normal header matches like address and port matches should work fine, there really arent't any subtleties in that area. It might look differently in case of matches with more complex behaviour, like, lets say, the policy match. But with the necessary care I wouldn't expect many problems.

That said, iptables is certainly going to stay for quite a while. The rough plan so far is to add a converter/parser for the old syntax, shake out the bugs, and at some point transparently enable it in userspace once it has proven itself. A couple of years sounds realistic to me. But since this hasn't been discussed yet, things might also turn out differently.

to post comments

Nftables: a new packet filtering engine

Posted Mar 24, 2009 22:17 UTC (Tue) by man_ls (guest, #15091) [Link] (1 responses)

I like this. So, if I understood well, an iptables-like command (with syntax identical to the old-style command) will transparently generate new-style rules and load them? That would be a very good proof of the versatility of the new engine.

Nftables: a new packet filtering engine

Posted Mar 29, 2009 6:58 UTC (Sun) by ernest (guest, #2355) [Link]

Wel, a translator which loads the old iptable rules could prevent the new high level nftable language from ever being further developped.

This could be a problem, but maybe not. It depends on how much more can be done with the new highlevel nftable language or how efficient the iptable rule translator will be.

Ernest.