[HN Gopher] Nftables 1.0.0 Released
___________________________________________________________________
Nftables 1.0.0 Released
Author : porjo
Score : 31 points
Date : 2021-08-19 21:05 UTC (1 hours ago)
(HTM) web link (marc.info)
(TXT) w3m dump (marc.info)
| betaby wrote:
| Are there plans to move k8s to nft? Seems like more flexible
| back-end compared to iptables.
| moosingin3space wrote:
| This depends on the CNI plugin you're using. In particular,
| Cilium implements the entire firewall in eBPF.
| debarshri wrote:
| Could you elaborate on the benefit of doing it that way?
| gerdesj wrote:
| nft and iptables are both packet filters. What is your use
| case?
| phoronixrly wrote:
| Just going to put this here to save some clicks for people
| thinking nftables may have anything to do with NFTs:
|
| > nftables is a subsystem of the Linux kernel providing filtering
| and classification of network packets/datagrams/frames
| AceJohnny2 wrote:
| and I believe it is meant to be a replacement for iptables.
|
| But because the Linux kernel is developed separately from user-
| space, and never breaks user-space, iptables (at least the API)
| will never go away.
| adontz wrote:
| I believe no. As far as I understand RedHat already provides
| user space "iptables" utility which simply converts any
| input/output to/from nftables, so there is no kernel iptables
| in latest RedHat.
| nsajko wrote:
| Are you sure?
|
| As far as I understand, it may happen that everybody stops
| using the old interface (the distros choose what they compile
| into their kernels, I guess), and after a few years of that
| the kernel maintainers may decide to remove the old code,
| assuming it wouldn't be too much work. Don't know how likely
| it is for this to happen in the near future, though.
| bbarnett wrote:
| This scenario isn't impossible, but 'a few years' would be
| more like 'decades'.
| jlokier wrote:
| Before iptables there was ipchains, and before ipchains there
| was ipfwadm.
|
| I don't think you can still use all of them.
| nsajko wrote:
| Is there still a chance of an eBPF based effort (bpfilter) making
| nftables unnecessary in the near future?
| kkirsche wrote:
| This is huge. The hash-based approach makes speed improvements
| over complex iptables usage very impressive, in its most common
| implementations.
| ADSSDA wrote:
| I'm a big fan of nftables, but anyone using iptables with a
| large ruleset is (or should be) using ipset, which is just as
| fast.
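To make the "hash-based" point and the ipset comparison in the reply concrete, here is an added example ruleset (not from the announcement or any commenter): a named set of source addresses matched by a single rule, with the roughly equivalent iptables+ipset commands in a comment. The addresses and service list are constructed sample values (RFC 5737 documentation ranges).

```nft
#!/usr/sbin/nft -f
# Added illustration: a named set is a hash-backed lookup, so matching
# thousands of addresses is one rule and one lookup, not a linear chain.
#
# Roughly equivalent with iptables + ipset (the approach the reply mentions):
#   ipset create blocklist_v4 hash:net
#   ipset add blocklist_v4 192.0.2.0/24
#   iptables -A INPUT -m set --match-set blocklist_v4 src -j DROP

table inet filter {
    set blocklist_v4 {
        type ipv4_addr
        flags interval
        # Constructed sample entries: one prefix and one single host
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    set tcp_services {
        type inet_service
        elements = { 22, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # One set lookup regardless of how many entries the set holds
        ip saddr @blocklist_v4 counter drop

        tcp dport @tcp_services ct state new accept
        icmp type echo-request limit rate 5/second accept
    }
}
```

Load it with `nft -f rules.nft`, inspect with `nft list ruleset`, and extend the set at runtime without reloading rules via `nft add element inet filter blocklist_v4 { 203.0.113.5 }`.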
| gerdesj wrote:
| Yay.
|
| I learned ipfw. Then ipchains. Then iptables. I got quite good
| with handcrafting firewalls with all of those at some point. The
| machines they ran on (for me) range from 80486 to date.
|
| This laptop has a ... (fumbles with various commands and
| searches) ... $ sudo nft list rules
|
| firewalld and its GUI generate an nftables-based firewall.
|
| I generally use ufw on servers because it is easy for a simple
| host based firewall and that is iptables based still. A server
| host based firewall is generally all about ingress filtering.
| Egress can be covered more effectively at the edge and at
| switches/internal routers.
|
| My laptop needs a far more complicated setup and the ruleset that
| is dumped by nft is almost legible in the first read. I do use a
| GUI but it's nice to think that I can sit down and spend some
| time and decide whether my stated policy is what I get at the
| firewall itself.
|
| I don't yet use nft at the edge but it feels as though it might
| do nicely.
|
| Your firewalling choice is not something that happens overnight.
| I'll mull over it for at least two more years.
___________________________________________________________________
(page generated 2021-08-19 23:01 UTC)