BPF comes to firewalls
Posted Mar 1, 2018 11:31 UTC (Thu) by jengelh (subscriber, #33263) In reply to: BPF comes to firewalls by vadim
Parent article: BPF comes to firewalls
>For instance, nftables involves stringing together commands in a way that highly resembles a run-on sentence:
>
> nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set 1452
>
>It's not immediately obvious how the syntax works and what words fit in where in the hierarchy.
This is where the iptables UI excels - the tokens for "options" and the tokens for "values" never ever overlap; I am tempted to say *context-free*. The nft "tcp" instead could mean either "-p tcp" or "--tcp-flags ..." depending on where it's located, and that is what makes the bpf/ip/tc/nft syntax so terrible.
