BPF comes to firewalls
Posted Feb 20, 2018 7:51 UTC (Tue) by vadim (subscriber, #35271)
Parent article: BPF comes to firewalls
nftables is a quite nice idea. I think the problem with it was that they were slow at implementing the last few features that were actually quite important.
For instance, nftables can do MSS clamping only since kernel 4.14. This was released this November. nftables has been around since 2014, like this article says. MSS clamping is a feature in wide use for DSL and fiber setups, and this is important precisely to the kinds of people that want to run their own firewall.
IMO, the other problem with it is that the documentation is still not great, and the syntax leaves a lot to be desired.
For instance, nftables involves stringing together commands in a way that highly resembles a run-on sentence:
nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set 1452
It's not immediately obvious how the syntax works and what words fit in where in the hierarchy. The way "ppp0" is not quoted or delimited in any way also makes it hard to tell apart commands from data, though this can be done as seen below. There's a C-ish form that looks a bit nicer, but then when you run into a command that starts with "nft add" it's not obvious how to put that into your config file, which looks like:
table ip filter {
    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        iifname "lan0" oifname "wan0" accept
    }
}
Note how it is subtly different: we go from "ip filter" to "table ip filter", and from "forward" to "chain forward", and for someone not familiar with the syntax it's not really apparent that "oifname" in the first example is the point where you'd want to start copy/pasting.
I hope that besides the technical details, the makers of BPF also take care of producing a better syntax and good documentation.
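As an added illustration (not part of vadim's comment, and not taken from the nftables project's documentation), here is the MSS-clamping one-liner quoted above written in both forms side by side, so the mapping from "nft add rule ip filter forward ..." to the table/chain block is explicit. The interface name ppp0 and the value 1452 are the comment's own; the "type filter hook forward priority 0; policy accept;" line is an assumption added so the chain is actually attached to the forward hook, since the comment's snippet omits it.

```nft
# Command-line form, as quoted in the comment. Read it as:
#   add rule <family> <table> <chain> <rule body...>
# i.e. family "ip", table "filter", chain "forward", and everything from
# "oifname" onward is the rule body.
#
#   nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set 1452

# Equivalent config-file form (load with: nft -f /etc/nftables.conf).
# "ip filter" becomes "table ip filter", "forward" becomes "chain forward",
# and the rule body is pasted verbatim inside the chain.
flush ruleset

table ip filter {
    chain forward {
        # assumed base-chain declaration; without it the chain is never hooked
        type filter hook forward priority 0; policy accept;

        # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
        iifname "lan0" oifname "wan0" accept
        iifname "wan0" oifname "lan0" ct state established,related accept

        # clamp TCP MSS on SYNs leaving via the PPPoE link (comment's own values)
        oifname "ppp0" tcp flags syn tcp option maxseg size set 1452
    }
}
```

After loading, "nft list ruleset" prints the table back in this block form, which is a convenient way to see how any "nft add ..." command you find in a how-to translates into config-file syntax: run the command once, list the ruleset, and copy the rule line from the output. Quoting the interface name ("ppp0") is accepted in both forms and makes the data/keyword boundary the comment complains about visible.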
