It's already there for Debian 9. Recent kernels actually use the NFT engine
to operate IPTables as RHEL does. From the next release of Debian, NFT will
replace IPTables. One of the beauties of nftables is that you handle IPv4
and IPv6 in the same tables. No repetition of rules, and of course, with
multiple verdicts on each rule, fewer rules, easier to read. So you can have
a rule that says if the condition is met, log it, put the IP in a set and
then drop it. It can do all that IPTables can and more. Sets are now native,
so no need to faff around with ipsets. It covers and replaces all the
xtables family: IPTables, ARPTables etc.
I am impressed with it.
On Sat, 24 Nov 2018 at 03:13, Mike Zanker <mike(a)zanker.uk> wrote:
On 23 Nov 2018, at 18:11, Ed <ed-bitfolk(a)s5h.net> wrote:
The syntax is appealing. It mimics 'pf'
which I found very easy to read.
nftables seemed to be a bit behind iptables, I could be wrong; if they're
at the same capability level now then I think maintaining iptables would
be less desirable. Might have been dreaming, did RH say they were
going to use nftables for the next release?
It’s already in at least RHEL 7.6 (and, therefore, CentOS 7.6). It’s used
underneath firewalld, but can be used by itself, too.
Cheers,
Mike
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
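An added example ruleset, not from the thread, showing the three things the top message praises: one inet table that serves IPv4 and IPv6, native sets with a timeout instead of ipset, and a single rule that logs, adds the source to a set and drops. The table, set and chain names, the 10-minute timeout and the choice of telnet as the trigger port are my own; the syntax assumes nftables 0.9 or later.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread. Assumes nftables 0.9+.
# Names (filter, banned4, banned6) and the 10m timeout are arbitrary choices.
flush ruleset

table inet filter {
    # Native sets replace ipset: "dynamic" lets rules add entries from the
    # packet path, and entries expire on their own after the timeout.
    set banned4 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
    }
    set banned6 {
        type ipv6_addr
        flags dynamic, timeout
        timeout 10m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Already-banned sources go first. Sets are typed by address family,
        # so this is the one place a line per family is still needed.
        ip saddr @banned4 drop
        ip6 saddr @banned6 drop

        # Neighbour discovery and path-MTU discovery need ICMP on both families
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The inet family: this single rule covers SSH over IPv4 and IPv6,
        # where iptables would need the same rule in both tables.
        tcp dport 22 ct state new accept

        # Three actions in one rule: log it, put the source IP in the set,
        # then drop. Nothing listens on 23 here, so a probe is worth banning.
        tcp dport 23 log prefix "telnet-probe: " add @banned4 { ip saddr } drop
        tcp dport 23 log prefix "telnet-probe: " add @banned6 { ip6 saddr } drop
    }
}
```

Load it with `nft -f <file>`; `nft list set inet filter banned4` then shows the banned addresses together with their remaining lifetime.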