Nftables: a new packet filtering engine

Posted Mar 24, 2009 19:11 UTC (Tue) by kaber (guest, #18366)
In reply to: Nftables: a new packet filtering engine by quotemstr
Parent article: Nftables: a new packet filtering engine

It is a lot less flexible than even iptables. Less features is always a hard sell. It would also need massive changes to be able to represent an iptables ruleset, so there's really nothing to gain from it.



Nftables: a new packet filtering engine

Posted Mar 24, 2009 19:45 UTC (Tue) by patrick_g (subscriber, #44470) [Link]

>>> Less features is always a hard sell

Could you please tell us which features are missing in pf?

>>> there's really nothing to gain from it

You gain a very modern and efficient packet filter with a good and clear syntax. pf is part of OpenBSD, FreeBSD, NetBSD, DragonflyBSD and I think it would be wise to, at least, consider and discuss this option.

Nftables: a new packet filtering engine

Posted Mar 24, 2009 19:45 UTC (Tue) by flewellyn (subscriber, #5047) [Link] (4 responses)

Too true on the "less flexible" bit. PF is a nice idea, but the OpenBSD folk did not add nearly as much flexibility to the system as iptables offers. Doing NAT with it is easy enough in the default setting, but more complex stuff, I found painful.

Nftables: a new packet filtering engine

Posted Mar 24, 2009 19:51 UTC (Tue) by quotemstr (subscriber, #45331) [Link] (3 responses)

What exactly were you trying to do?

Nftables: a new packet filtering engine

Posted Mar 24, 2009 20:08 UTC (Tue) by flewellyn (subscriber, #5047) [Link] (2 responses)

Route between two NATted LANs and the WAN, with port forwarding and connection tracking. It got hairy when I tried to set up the connection tracking between the two LANs. The WAN-to-LANs tracking wasn't too hard.

This was in 2005, so I will grant that things may have changed since then.

Nftables: a new packet filtering engine

Posted Mar 24, 2009 20:11 UTC (Tue) by Alan_Hicks (guest, #20469) [Link] (1 responses)

Yeah, that's really pretty easy to do with pf. You should give it a look next time you need a firewall, particularly one with several different interfaces and needs.

Nftables: a new packet filtering engine

Posted Mar 25, 2009 13:54 UTC (Wed) by rvfh (guest, #31018) [Link]

How about a PF to Nftables translator, along with the iptables to Nftables translator? Isn't that one of the real strengths of Nftables, flexibility?

Nftables: a new packet filtering engine

Posted Mar 24, 2009 20:00 UTC (Tue) by Alan_Hicks (guest, #20469) [Link] (2 responses)

Could you please expand on the "lot less flexible than iptables" comment? In my experience, I've found it to be far far more flexible than iptables. With the ability to update tables in pf from userspace, not to mention the insane performance boost from tables over individual rules[0], it's not only more flexible but outperforms iptables.

Setting up class-based or priority-based queues is also ridiculously easy with pf and included right in the code, not as some add-on. One of the features mentioned in the article about nftables is the ability to easily jump to a different rule or class of rules. This was solved years and years ago by pf with the use of anchors.

As far as features go, I just gave you three. There are plenty more (scrubbing packets and antispoof instantly come to mind), but perhaps the best is the sane and clearly readable syntax for pf, not to mention the more powerful pfctl tool[1].

As for porting, pf originated with OpenBSD and has been ported to FreeBSD, NetBSD, and Dragonfly BSD. I'm not a programmer, though, so I can't say for certain how easy it would be to port to Linux, but my understanding is that there are some fairly radical architecture differences in those four BSDs, particularly in regards to the new off-shoot Dragonfly. I would make a SWAG that porting it wouldn't be any more difficult than writing an entirely new packet filter.

[0] There's an out-of-tree module for iptables that allows binary lists and functions similarly to pf's tables I'm told.
[1] As compared to iptables. I have not looked at the userspace component of nftables at all.

Nftables: a new packet filtering engine

Posted Mar 25, 2009 11:58 UTC (Wed) by osma (guest, #6912) [Link] (1 responses)

What I particularly like (as a sysadmin) in pf are two things:

  • the configuration syntax is concise, very readable and it is easy to do infrequent adjustments without having to look at the documentation
  • after editing the ruleset file, the pfctl tool can be used to do a live update of the kernel ruleset without e.g. breaking existing connections

I don't have an opinion on whether to port pf or not, but I hope that whatever replaces iptables will consider these features. It sounds like the nftables approach has the potential for these, as the ruleset processing is done mostly in user space.
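The two posts above (Alan_Hicks on tables, anchors, queues, scrub and antispoof; osma on the readable syntax and live reloads) name pf features without showing them. The following pf.conf is an added illustration written for this page, not a configuration posted by either commenter. It assumes a router with one WAN interface (em0) and two NATted LANs (em1, em2), the scenario flewellyn describes, and uses the classic pre-OpenBSD 4.7 nat/rdr syntax that was current when the thread was written; interface names, addresses and queue sizes are placeholders.

```pf
# Added example for this thread (not from any poster). Interface names,
# addresses and bandwidths are assumptions; adjust before use.

ext_if   = "em0"
lan1_if  = "em1"
lan2_if  = "em2"
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"
web_host = "192.168.1.80"

# Tables: address sets held in the kernel and editable from userspace
# with pfctl -t <name> -T add/delete, without reloading the ruleset.
table <bruteforce> persist
table <admins> persist { 192.168.1.10, 192.168.2.10 }

# Scrub: reassemble fragments and normalise TCP before rules are evaluated.
scrub in all

# Priority queueing built into the ruleset (ALTQ priq on the WAN link):
# interactive traffic goes to q_pri, everything else to the default queue.
altq on $ext_if priq bandwidth 10Mb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Translation: NAT both LANs behind the WAN address and forward inbound
# TCP/80 to the web host. Filter rules below see the post-rdr address.
nat on $ext_if from { $lan1_net, $lan2_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_host port 80

# Antispoof: drop packets whose source claims to be on a LAN but which
# arrive on the wrong interface.
antispoof quick for { $lan1_if, $lan2_if }

# Default deny, with logging, and an early block for the overload table.
block in log all
block in quick from <bruteforce>

# Anchor: a named sub-ruleset loaded and flushed independently of this file
# (pfctl -a dynamic -f /etc/pf.dynamic), the "jump to another rule set" idea.
anchor "dynamic"

# Stateful pass rules. SSH sources exceeding 5 new connections per 30 s are
# added to <bruteforce> and their existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global) queue q_pri
pass in on $ext_if proto tcp to $web_host port 80 keep state
pass in on { $lan1_if, $lan2_if } from { $lan1_net, $lan2_net } to any keep state
# Cross-LAN traffic is allowed only from the admin hosts, tracked statefully.
pass in on $lan1_if from <admins> to $lan2_net keep state
pass in on $lan2_if from <admins> to $lan1_net keep state
pass out on $ext_if keep state
```

The live-update point from osma's post maps onto pfctl directly: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` replaces the ruleset while leaving the state table, and hence established connections, in place, and `pfctl -t bruteforce -T show` or `pfctl -t bruteforce -T delete 203.0.113.5` inspects or edits a table from userspace with no ruleset reload at all. A practitioner would also keep `pfctl -s states` and `pfctl -s info` handy when checking whether the overload table is behaving as intended.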

Nftables: a new packet filtering engine

Posted Apr 2, 2009 10:39 UTC (Thu) by jengelh (subscriber, #33263) [Link]

>after editing the ruleset file, the pfctl tool can be used to do a live update of the kernel ruleset without e.g. breaking existing connections

You can do the same with iptables-restore.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds