
What comes after ‘iptables’? Its successor, of course: `nftables` (RH blog)

The Red Hat Developers Blog is running an introduction to the nftables packet filtering system. "nftables implements a set of instructions, called expressions, which can exchange data by storing or loading it in a number of registers. In other words, the nftables core can be seen as a virtual machine. Applications like the nftables front end-tool nft can use the expressions offered by the kernel to mimic the old iptables matches while gaining more flexibility."
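To make the "virtual machine" description concrete, here is an added toy interpreter (not code from the Red Hat article or the nftables project) that models a rule as a list of expressions sharing a register file. The expression sequence is a simplified version of the decomposition nft emits for a rule like `tcp dport 22 accept`; the packet bytes and the `build_ipv4_packet`/`run_rule`/`evaluate_chain` names are constructed for this example.

```python
import struct

def build_ipv4_packet(proto, dport):
    """Constructed sample packet: 20-byte IPv4 header with the given protocol
    number, followed by a 20-byte TCP-shaped header with the given dport."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    l4_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    return ip_hdr + l4_hdr

def run_rule(exprs, pkt):
    """Interpret one rule. Each expression reads or writes registers, just as
    the nftables core does; a failed 'cmp' ends the rule without a match.
    Returns the verdict string, or None if the rule did not match."""
    regs = {}
    net_base = 0
    transport_base = (pkt[0] & 0x0F) * 4          # IHL gives the L4 offset
    for e in exprs:
        if e[0] == "payload":                      # payload load Nb @ hdr+off => reg
            _, base, off, size, reg = e
            start = (net_base if base == "network" else transport_base) + off
            regs[reg] = int.from_bytes(pkt[start:start + size], "big")
        elif e[0] == "cmp":                        # cmp eq/neq reg value
            _, how, reg, val = e
            if how == "eq" and regs[reg] != val:
                return None
            if how == "neq" and regs[reg] == val:
                return None
        elif e[0] == "immediate":                  # immediate reg 0 <verdict>
            return e[1]
    return None

def evaluate_chain(rules, policy, pkt):
    """Walk the rules in order; the first verdict wins, else the chain policy."""
    for rule in rules:
        verdict = run_rule(rule, pkt)
        if verdict is not None:
            return verdict
    return policy

# Roughly what nft generates for 'tcp dport 22 accept': check the IPv4
# protocol byte (offset 9) is 6 (TCP), then the L4 dport (offset 2) is 22.
RULE_SSH_ACCEPT = [
    ("payload", "network", 9, 1, 1), ("cmp", "eq", 1, 6),
    ("payload", "transport", 2, 2, 1), ("cmp", "eq", 1, 22),
    ("immediate", "accept"),
]

if __name__ == "__main__":
    print(evaluate_chain([RULE_SSH_ACCEPT], "drop", build_ipv4_packet(6, 22)))
```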


What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 28, 2016 22:47 UTC (Fri) by flussence (guest, #85566) [Link] (6 responses)

I wish I'd had this article a few months back! I managed to muddle my way to a working stateful firewall with just the nftables wiki, but that site's pretty spartan on exposition.

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 29, 2016 18:18 UTC (Sat) by dcg (subscriber, #9198) [Link] (5 responses)

Complaints about the lack of documentation of everything related to Linux networking are sadly very common (not to say omnipresent)

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 30, 2016 1:49 UTC (Sun) by tao (subscriber, #17563) [Link] (3 responses)

And, just like every other issue, patches are welcome!

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 30, 2016 10:54 UTC (Sun) by itvirta (guest, #49997) [Link] (2 responses)

Um, the problem with documentation is that you need to know something about the system being documented. That's a whole lot easier for those who have actually worked with it, possibly even created it.

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 31, 2016 21:41 UTC (Mon) by kleptog (subscriber, #1183) [Link] (1 responses)

> Um, the problem with documentation is that you need to know something about the system being documented. That's a whole lot easier for those who have actually worked with it, possibly even created it.

While true, if you muddle your way through a subsystem and finally figure out how it works, writing that up as a form of documentation is an excellent way to (a) get some documentation out there and (b) if it's not correct, the people who do know will tell you about it.

The LARTC started with many documents from people who didn't do anything with the code but just wrote down what they had figured out.

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Nov 7, 2016 19:51 UTC (Mon) by davidstrauss (guest, #85867) [Link]

> While true, if you muddle your way through a subsystem and finally figure out how it works, writing that up as a form of documentation is an excellent way to (a) get some documentation out there and (b) if it's not correct, the people who do know will tell you about it.

It's also a good way to ensure the documentation maps to use of the system more than the architecture of the system.

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 31, 2016 15:50 UTC (Mon) by SEJeff (guest, #51588) [Link]

Feel free to contribute patches. Jonathan Corbet (lwn lead dude and all around good guy) is the linux kernel documentation maintainer.

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 29, 2016 22:41 UTC (Sat) by bmur (guest, #52954) [Link] (2 responses)

How does firewalld fit into this? (if at all)

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 30, 2016 11:16 UTC (Sun) by pbonzini (subscriber, #60935) [Link] (1 responses)

firewalld is a higher level tool. It should be able to talk to both iptables and nftables, sort of like libvirt can be used for both Can and KVM.

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 30, 2016 13:22 UTC (Sun) by pbonzini (subscriber, #60935) [Link]

Gah, I meant Xen of course.

What comes after ‘iptables’? It’s successor, of course: `nftables` (RH blog)

Posted Oct 30, 2016 10:11 UTC (Sun) by k8to (guest, #15413) [Link]

It is successor! Of course! ;-)

What comes after ‘iptables’? Its successor, of course: `nftables` (RH blog)

Posted Nov 4, 2016 11:08 UTC (Fri) by paulj (subscriber, #341) [Link] (2 responses)

So this is generating some kind of byte code for a VM, but it's not (e)BPF?

What comes after ‘iptables’? Its successor, of course: `nftables` (RH blog)

Posted Nov 5, 2016 16:36 UTC (Sat) by intgr (subscriber, #39733) [Link]

Yes, sadly. It seems like a case of NIH.

What comes after ‘iptables’? Its successor, of course: `nftables` (RH blog)

Posted Nov 5, 2016 23:00 UTC (Sat) by zenaan (guest, #3778) [Link]

2009 comments:
https://lwn.net/Articles/325671/
and a general search for "nftables bpf" shows a little more info..


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds