
Nftables: a new packet filtering engine

Posted Mar 25, 2009 11:58 UTC (Wed) by osma (guest, #6912)
In reply to: Nftables: a new packet filtering engine by Alan_Hicks
Parent article: Nftables: a new packet filtering engine

What I particularly like (as a sysadmin) in pf are two things:

  • the configuration syntax is concise, very readable and it is easy to do infrequent adjustments without having to look at the documentation
  • after editing the ruleset file, the pfctl tool can be used to do a live update of the kernel ruleset without e.g. breaking existing connections

I don't have an opinion on whether to port pf or not, but I hope that whatever replaces iptables will consider these features. It sounds like the nftables approach has the potential for these, as the ruleset processing is done mostly in user space.


Nftables: a new packet filtering engine

Posted Apr 2, 2009 10:39 UTC (Thu) by jengelh (subscriber, #33263)

>after editing the ruleset file, the pfctl tool can be used to do a live update of the kernel ruleset without e.g. breaking existing connections

You can do the same with iptables-restore.
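
The workflow jengelh is pointing at, as an added example that is not part of the thread and not code from either poster or from the iptables project: an iptables-restore reload done in the spirit of "pfctl -f /etc/pf.conf". The ruleset contents, file names and the check_ruleset helper are constructed here for illustration; the conntrack rule in the ruleset is what lets established connections survive the swap, since conntrack state lives in the kernel independently of the rule tables that iptables-restore replaces.

```shell
#!/bin/sh
# Added example: atomic iptables ruleset reload in the style of "pfctl -f".
# Not code from the LWN thread or the iptables project; the ruleset text,
# file names and the check_ruleset helper are constructed for illustration.

# Emit a ruleset in iptables-restore format to the file named in $1.
# The ESTABLISHED,RELATED rule keeps in-flight connections alive across a
# reload: conntrack entries are not touched when the filter table is swapped.
write_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample ruleset (not a production policy)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Offline structural check of an iptables-restore file, so a typo is caught
# before anything is pushed into the kernel: every "*table" block must end
# with COMMIT, every -A rule must name a chain declared by a ":chain" line in
# that block, and the filter table must declare its three built-in chains.
# Exit status 0 means the file passes.
check_ruleset() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/ { table = substr($0, 2); for (k in chains) delete chains[k]; next }
        /^:/  { sub(/^:/, ""); chains[$1] = 1; next }
        /^COMMIT$/ {
            if (table == "") bad++
            if (table == "filter" && !("INPUT" in chains && "FORWARD" in chains && "OUTPUT" in chains)) bad++
            table = ""; next
        }
        /^-A / { if (table == "" || !($2 in chains)) bad++; next }
        { bad++ }
        END { if (table != "") bad++; exit (bad ? 1 : 0) }
    ' "$1"
}

# Apply a ruleset the way pfctl -f does: validate, then replace the live
# tables, rolling back to the saved ruleset if the kernel rejects the new
# one. Needs root and a real iptables, so it is not exercised in the test.
reload_ruleset() {
    file=$1
    check_ruleset "$file" || { echo "syntax check failed: $file" >&2; return 1; }
    # --test parses and builds the ruleset without committing it
    # (supported by recent iptables-restore; treated here as an assumption).
    iptables-restore --test "$file" || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    if iptables-restore "$file"; then
        rm -f "$backup"
        return 0
    fi
    echo "reload failed, restoring previous ruleset" >&2
    iptables-restore "$backup"
    rm -f "$backup"
    return 1
}

# Usage (as root):
#   write_ruleset /etc/iptables.rules && reload_ruleset /etc/iptables.rules
```

Two caveats worth keeping in mind when relying on this. iptables-restore commits each table at its own COMMIT line, so a ruleset with several tables is atomic per table rather than as a whole, which is why the script saves the previous ruleset and restores it on failure. And existing connections survive only because nothing flushes conntrack; the swap itself does not, but a separate `conntrack -F` would.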


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds