It's already there for Debian 9. Recent kernels actually use the NFT engine to operate IPTables, as RHEL does. From the next release of Debian, NFT will replace IPTables. One of the beauties of nftables is that you handle ipv4 and ipv6 in the same tables. No repetition of rules, and of course, with multiple verdicts on each rule, fewer rules, easier to read. So you can have a rule that says if the condition is met, log it, put the IP in a set and then drop it. It can do all that IPTables can and more. Sets are now native, so no need to faff around with ipsets. It covers and replaces all the xtables family: IPTables, ARPTables, etc.
I am impressed with it.

On Sat, 24 Nov 2018 at 03:13, Mike Zanker <mike@zanker.uk> wrote:
On 23 Nov 2018, at 18:11, Ed <ed-bitfolk@s5h.net> wrote:

> The syntax is appealing. It mimics 'pf' which I found very easy to read.
> nftables seemed to be a bit behind iptables, I could be wrong, if they're
> at the same capability level now then I think maintaining iptables would
> be less desirable. Might have been dreaming, did RH say they were
> going to use nftables for the next release?

It’s already in at least RHEL 7.6 (and, therefore, CentOS 7.6). It’s used underneath firewalld, but can be used by itself, too.

Cheers,

Mike
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
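The points made in the top message (one inet table for both address families, native sets, and a single rule that logs, adds the source to a set and drops) as an added example ruleset; it is not from the thread, and the interface, port, rate threshold and set names are assumed values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the list posts. Port 22, the 5/minute threshold
# and all set/chain names are assumptions chosen for illustration.
flush ruleset

# "inet" covers IPv4 and IPv6 in one table: no duplicated rule lists.
table inet filter {
    # Native sets (no ipset needed). "dynamic" lets rules add elements at
    # packet time; entries expire on their own after the timeout.
    set ssh_meter4  { type ipv4_addr; flags dynamic; timeout 1m; }
    set ssh_meter6  { type ipv6_addr; flags dynamic; timeout 1m; }
    set badhosts_v4 { type ipv4_addr; flags dynamic; timeout 10m; }
    set badhosts_v6 { type ipv6_addr; flags dynamic; timeout 10m; }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Sources already in a set are dropped before any other processing.
        ip  saddr @badhosts_v4 drop
        ip6 saddr @badhosts_v6 drop

        # One rule, several actions: a source opening more than 5 new SSH
        # connections per minute is logged, added to the set, then dropped.
        # In an inet table "ip saddr" / "ip6 saddr" implicitly select the
        # address family, so each family needs its own line because the
        # set element types differ.
        tcp dport 22 ct state new \
            update @ssh_meter4 { ip saddr limit rate over 5/minute } \
            log prefix "ssh-flood: " add @badhosts_v4 { ip saddr } drop
        tcp dport 22 ct state new \
            update @ssh_meter6 { ip6 saddr limit rate over 5/minute } \
            log prefix "ssh-flood: " add @badhosts_v6 { ip6 saddr } drop

        # Anything that survived the rate check is plain SSH: accept it.
        tcp dport 22 ct state new accept
    }
}
```

`nft -c -f ruleset.nft` parses and validates the file without loading it, and `nft list set inet filter badhosts_v4` shows which sources the log-add-drop rule has caught so far.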