
Nftables: a new packet filtering engine

Posted Mar 25, 2009 1:12 UTC (Wed) by dlang (guest, #313)
In reply to: Nftables: a new packet filtering engine by herge
Parent article: Nftables: a new packet filtering engine

it is possible to replicate between firewalls

you can match on every packet of the connection. most people don't bother, but all you have to do is to not put 'if established allow' at the top of your ruleset.

the question of what is done automatically and what should be done explicitly can be argued forever; I see this as significantly weakening your RELATED complaint.

where does it match TIME_WAIT by default?

as for macros for rule management, with iptables you can use whatever tools you want in userspace to create your rules.

the things you are listing as drawbacks don't seem as drastic to me as they seem to appear to you.



Nftables: a new packet filtering engine

Posted Mar 25, 2009 10:50 UTC (Wed) by herge (guest, #57423) [Link]

where does it match TIME_WAIT by default?
# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
120

Once a connection has reached the TIME_WAIT state, it will be kept in the connection table for 120s.
While it can be tuned down, this behavior should be dropped IMHO.
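To make the point above concrete for an administrator, here is an added example (not code from the thread or from netfilter) that parses conntrack table entries in the /proc/net/nf_conntrack line layout and reports how much of the table is sitting in TIME_WAIT, and for how long the longest-lived such entry will still be held. The sample lines are constructed; on a real host you would feed it the contents of /proc/net/nf_conntrack instead.

```python
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack layout (not taken from the page):
# l3proto, l3num, l4proto, l4num, remaining timeout (s), [tcp state], key=value pairs.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=51000 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=51001 dport=443 src=198.51.100.5 dst=192.0.2.11 sport=443 dport=51001 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 5 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=51002 dport=80 src=198.51.100.5 dst=192.0.2.12 sport=80 dport=51002 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.13 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=192.0.2.13 sport=53 dport=40000 mark=0 use=1
ipv4     2 tcp      6 110 TIME_WAIT src=192.0.2.14 dst=198.51.100.5 sport=51003 dport=443 src=198.51.100.5 dst=192.0.2.14 sport=443 dport=51003 [ASSURED] mark=0 use=1
"""

# TCP conntrack state names as they appear in the state column.
TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "SYN_SENT2"}

def parse_conntrack(text):
    """Parse nf_conntrack lines into dicts with l4proto, timeout, state and the
    original-direction tuple (first occurrence of each key=value wins)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        entry = {"l4proto": fields[2], "timeout": int(fields[4]), "state": None}
        rest = fields[5:]
        if entry["l4proto"] == "tcp" and rest and rest[0] in TCP_STATES:
            entry["state"] = rest.pop(0)  # state column only exists for tcp
        for tok in rest:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry.setdefault(key, value)  # keep original direction's values
        entries.append(entry)
    return entries

def summarize(entries):
    """Count entries per state (per protocol for stateless ones) and measure
    how much of the table TIME_WAIT still occupies and for how long."""
    by_state = Counter(e["state"] or e["l4proto"] for e in entries)
    time_wait = [e for e in entries if e["state"] == "TIME_WAIT"]
    return {
        "total": len(entries),
        "by_state": dict(by_state),
        "time_wait": len(time_wait),
        "time_wait_share": len(time_wait) / len(entries) if entries else 0.0,
        "time_wait_max_remaining": max((e["timeout"] for e in time_wait), default=0),
    }
```

With the 120s default timeout the "time_wait_max_remaining" figure tells you how long the oldest dead connection will keep consuming a table slot.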


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds