Nftables reaches 1.0
Posted Aug 30, 2021 9:13 UTC (Mon) by taladar (subscriber, #68407)
Parent article: Nftables reaches 1.0
When I call nft --help I get
> Usage: nft [ options ] [ cmds... ]
> [...]
but not a single command is listed in the help output, nor another command/option that would display that information.
When I try nft help I get
> Operation not permitted (you must be root)
> Error: syntax error, unexpected newline, expecting string
> help
> ^
which seems like a weird mix of errors, and also "unexpected newline" is an odd error to emit for command-line parameters, not to mention that it is far too low-level in general.
There is also no obvious option in the --help output to list the currently active ruleset.
On top of that, since firewalls are quite complex, we will be unlikely to maintain both an iptables and an nftables version of our rulesets in our Puppet configuration management, so a working, usable and fully featured version will have to be part of the oldest distros we use before it is even something to consider. So I would imagine nothing will happen before about 2030, since the current version doesn't really look usable yet.
Posted Aug 30, 2021 14:35 UTC (Mon) by nybble41 (subscriber, #55106) (5 responses)
Posted Sep 1, 2021 18:58 UTC (Wed) by Chousuke (subscriber, #54562) (4 responses)
For example, if you wanted to know how to perform a 1:1 nat for an entire IP prefix, the manual page would not help because it doesn't even mention that you can use bitwise operators (&, |) with netmasks to perform calculations and modifications on packet fields.
I know there's a partial sentence somewhere on the wiki page that indirectly hints at this being possible because I found it some time ago when I had to do prefix translation, but I can't find it anymore.
nftables is capable, but its documentation makes me sad. It's unbelievably bad.
Posted Sep 1, 2021 19:27 UTC (Wed) by Chousuke (subscriber, #54562) (1 response)
I tried finding the relevant documentation from the wiki page but I can't; I've forgotten where I found it the last time. The manual page says "Expressions can be combined using binary, logical, relational and other types of expressions", but *nowhere* does it detail what those "binary", "logical" or "relational" expressions are. It doesn't even contain the word "operator".
I did find out that man libnftables-json at least lists "binary operations", but there's no context.
Just in case someone ends up needing it, you can do stuff like this:
ip daddr 10.240.1.0/24 dnat to ip daddr & 0.0.0.255 | 10.140.7.0;
I don't even remember how I figured that out the first time, but it wasn't thanks to the documentation.
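As an added example (not from the comment above, nor from the nftables project), the following Python builds the bitwise prefix-translation rule shown above from a pair of prefixes and evaluates what that rule does to a given destination address, so the arithmetic can be sanity-checked before the rule is loaded. It assumes the same `&`/`|` form applies under `ip6` for IPv6 prefixes; the function names are mine.

```python
import ipaddress

def prefix_translation_rule(match_prefix: str, target_prefix: str) -> str:
    """Build the nft dnat rule for a 1:1 mapping of match_prefix onto
    target_prefix: '& hostmask' keeps the host bits of the original
    destination, '| network' then ORs in the new network bits."""
    src = ipaddress.ip_network(match_prefix, strict=True)
    dst = ipaddress.ip_network(target_prefix, strict=True)
    if src.version != dst.version:
        raise ValueError("both prefixes must be the same address family")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths must match for a 1:1 mapping")
    # strict=True rejects a target with host bits set (e.g. 10.140.7.5/24);
    # such bits would be ORed into every translated address.
    family = "ip" if src.version == 4 else "ip6"  # assumption for ip6
    return (f"{family} daddr {src} dnat to "
            f"{family} daddr & {src.hostmask} | {dst.network_address}")

def translate(addr: str, match_prefix: str, target_prefix: str) -> str:
    """Return the destination address the rule above would produce for
    addr, or addr unchanged when the 'ip daddr <prefix>' match fails."""
    src = ipaddress.ip_network(match_prefix, strict=True)
    dst = ipaddress.ip_network(target_prefix, strict=True)
    a = ipaddress.ip_address(addr)
    if a.version != src.version or a not in src:
        return addr
    host_bits = int(a) & int(src.hostmask)          # ip daddr & hostmask
    new = host_bits | int(dst.network_address)      # | new network
    return str(ipaddress.ip_address(new))

if __name__ == "__main__":
    print(prefix_translation_rule("10.240.1.0/24", "10.140.7.0/24"))
    print(translate("10.240.1.57", "10.240.1.0/24", "10.140.7.0/24"))
```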
Posted Sep 9, 2021 4:48 UTC (Thu) by chaispaquichui (guest, #77035)
Posted Sep 2, 2021 5:19 UTC (Thu) by carORcdr (guest, #141301) (1 response)
There are many non-iproute2 programs, including significant ones, that have far fewer examples. Some have null.
My definition of an example in the context of a program is a command string:
$|# program argument[s] file|filepath
I realize some may limit the definition of string to alphabetic characters. I do not. My definition of string is a string of characters: alphabetic, numeric and/or symbolic.
Posted Sep 3, 2021 19:10 UTC (Fri) by Chousuke (subscriber, #54562)
Lately I've felt a bit spoiled by OpenBSD manual pages. If you want to know what good documentation with man pages can look like, you can take a look at some of them. If everything were documented to the same standard I would never need Google...
For example, if I want a quick overview of how OSPF works, I can just "man ospfd" on OpenBSD. The explanation may not, strictly speaking, have much to do with configuring ospfd itself, but well-placed context "fluff" is a huge quality-of-life improvement, as it helps me understand the kinds of problems I can solve with the software.