by marksamman on 5/7/17, 3:49 PM with 59 comments
by arca_vorago on 5/7/17, 5:17 PM
From the nftables wikipedia:
"...iptables firewalling code, which has protocol awareness built-in so deeply into the logic that the code has had to be replicated four times—for IPv4, IPv6, ARP, and Ethernet bridging—as the firewall engines are too protocol-specific to be used in a generic manner.[10]
The main advantages of nftables over iptables are the simplification of the Linux kernel ABI, reduction of code duplication, improved error reporting, and more efficient execution, storage and incremental changes of filtering rules. Traditionally used iptables(8), ip6tables(8), arptables(8) and ebtables(8) (for IPv4, IPv6, ARP and Ethernet bridging, respectively) are intended to be replaced with nft(8) as a single unified implementation, providing firewall configuration on top of the in-kernel virtual machine.
nftables also offers an improved userspace API that allows atomic replacements of one or more firewall rules within a single Netlink transaction. That speeds up firewall configuration changes for setups having large rulesets; it can also help in avoiding race conditions while the rule changes are being executed. Also, a planned compatibility layer is going to provide translation of already existing iptables firewall rules into their nftables equivalents."
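The quoted passage makes two concrete claims: that nftables removes the per-protocol duplication (one `inet` table serves IPv4 and IPv6 where iptables needed `iptables` and `ip6tables` runs of the same rules), and that a ruleset is loaded as a single atomic transaction. The script below, an added example that is not part of the thread or of any project it mentions, shows both: it generates a small host firewall in nft syntax, syntax-checks it with `nft -c -f`, loads it with `nft -f`, and prints the iptables equivalent for comparison. The file path and the allowed ports (22 and 443) are constructed sample values.

```shell
#!/bin/sh
# Added example: one nftables ruleset in the "inet" family covers IPv4 and
# IPv6 together; loading it with `nft -f` replaces the whole ruleset in one
# Netlink transaction, so either every rule lands or none does.
set -eu

# Emit the ruleset text. "flush ruleset" at the top makes the load a full
# replacement rather than an append, which is what makes it atomic.
ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { 22, 443 } ct state new accept
        counter log prefix "nft-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file and print the path (default path is hypothetical).
write_ruleset() {
    out="${1:-/tmp/example-host-firewall.nft}"
    ruleset > "$out"
    printf '%s\n' "$out"
}

# Parse-check first, then load. The dry run (-c) catches syntax errors before
# the kernel is touched; the real load is the atomic replacement.
load_ruleset() {
    file="$1"
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; ruleset written to $file but not loaded" >&2
        return 0
    fi
    nft -c -f "$file"
    nft -f "$file"
}

# The same policy expressed for iptables has to be issued once per address
# family, one command at a time, which is the duplication the quote refers to.
iptables_equivalent() {
    for cmd in iptables ip6tables; do
        echo "$cmd -P INPUT DROP"
        echo "$cmd -P FORWARD DROP"
        echo "$cmd -A INPUT -m conntrack --ctstate INVALID -j DROP"
        echo "$cmd -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "$cmd -A INPUT -i lo -j ACCEPT"
        echo "$cmd -A INPUT -p tcp -m multiport --dports 22,443 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    echo "ip6tables -A INPUT -p ipv6-icmp -j ACCEPT"
}

# Usage (requires root to load): ./host-firewall.sh
if [ "${1:-}" = "--apply" ]; then
    load_ruleset "$(write_ruleset)"
fi
```

Run with `--apply` as root to load the ruleset; `nft list ruleset` afterwards shows exactly the file contents, which is why a file checked into configuration management is the natural unit for nftables. For an existing iptables setup, the `iptables-translate` command shipped with the iptables package prints the nft equivalent of a single iptables command line, which is a starting point for the migration the thread below asks about.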
by smartbit on 5/7/17, 7:05 PM
[0] webm http://ftp.nluug.nl/video/nluug/2016-05-26_vj16/Zaal2/21%20-... or https://www.youtube.com/watch?v=0wQfSfDVN94
[1] webm http://ftp.nluug.nl/video/nluug/2016-05-26_vj16/Zaal3/3%20-%... or https://www.youtube.com/watch?v=FXTRRwXi3b4
by ktta on 5/7/17, 6:09 PM
https://developers.redhat.com/blog/2016/10/28/what-comes-aft...
by dspillett on 5/8/17, 12:06 AM
IIRC that is due to change imminently, as Stretch entered full feature freeze in February in preparation for release, and I've not heard of any massive show-stoppers since, but if you install "stable" right now you'll get Jessie (release 8.x) not Stretch (r9).
by warbiscuit on 5/7/17, 7:36 PM
While I'm excited to hear about a simplified abstraction at the kernel level, for most setups I've had to configure, I really like the high-level abstraction it provides.
by tmaly on 5/7/17, 8:24 PM
I am not yet ready to learn a new tool, and this new tool does not have all the features as the old tool according to others commenting.
by chrisper on 5/7/17, 5:11 PM
If you have to use it on a regular Linux box, I prefer UFW.
Though, it looks like nftables finally has a nicer syntax than iptables, making wrappers like UFW unnecessary.
by kpcyrd on 5/7/17, 8:40 PM
by ptman on 5/8/17, 10:47 AM
by ilaksh on 5/7/17, 8:42 PM
Can ufw use nftables as a back end? And/or is there a good clean and easy to understand explanation for how to use nftables and useful reference?
Is there a tool to help with common configuration tasks?
by SpiegS on 5/7/17, 4:40 PM
by rfraile on 5/8/17, 8:30 AM
by nwmcsween on 5/7/17, 10:28 PM
by joosters on 5/7/17, 5:20 PM
Instead, all we get is a vague 'the system is more configurable than in iptables' and 'the syntax is much better than in iptables' (like what good is that to someone who already has iptables set up? The last thing people want to do is mess with firewall rules on a working system)
Yes, I know that Debian is FOSS and I can help improve it, but why introduce a whole new firewall system where the 'Moving from iptables to nftables' docs are pages and pages of shell commands? Wouldn't some kind of automated update, to help common use cases, be a sensible thing to include in such an update? (Maybe such a thing exists, but the page doesn't bother to tell me about any such thing).
Instead of going on about how to set up nftables from scratch, perhaps they should focus a little more on 'I have a system using your older recommended firewall, what do I need to do to keep things working?'