1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Tue Jul 03, 2018 3:17 pm Post subject: Is nftables ready for production?
Hi,
I'm curious about nftables and its reliability and security.
Has anyone adopted nftables and run a security audit? Can you elaborate on any difficulties or performance issues as compared to iptables? How about ease of use?
Edit: I found this link but have not yet had the chance to read it. https://arxiv.org/pdf/1502.05487.pdf
Thanks.
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Posted: Thu Jul 12, 2018 4:53 am Post subject:
You can visit the home page of nftables here: https://netfilter.org/
They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Fri Jul 13, 2018 2:17 am Post subject:
Your timeline is a bit off. Netfilter as a general concept is quite old, but according to LWN: Nftables: a new packet filtering engine, nftables was first discussed in 2008 and released in 2009. OP is specifically interested in the nftables project, not the more general idea of Linux netfilter.
Similarly, there are projects just as old, if not older, that have been poorly maintained and are definitely not suitable for their intended purpose now (if they ever were), so merely looking at the project's age is a poor metric for whether it would satisfy OP's requirements.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Jul 13, 2018 2:18 am Post subject:
Keruskerfuerst wrote:
> You can visit the home page of nftables here: https://netfilter.org/
> They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.

nftables is not 20 years old, it's barely even 5. There's been three full rewrites of the Linux firewall stack in that time.
In any case it's as reliable and secure as iptables since the latter is just a frontend for nftables now. It gets the job done, the syntax is more maintainable with complex rules and in theory you can write much more performant rulesets than iptables, since things like ipsets are baked in instead of an extension. Debugging errors is a pain in the ass though; the error messages are the worst part of the software, sometimes it'll just spit back a stringified libc error code straight from the kernel and you basically have to guess what you did wrong.
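To make the "sets are baked in" point from the post above concrete, here is an added example of a small stateful host ruleset written in native nft syntax. It is not from the thread or from the netfilter project; the table name, set names, and the two address ranges (RFC 5737 documentation prefixes) are assumptions chosen for illustration. The equivalent under iptables would need a separate `ipset create` / `ipset add` step plus `-m set --match-set` rules; here the set definitions and the rules that reference them are one atomically loaded file.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not the thread's or the netfilter project's code).
# Load with: nft -f /etc/nftables.conf   (check syntax first: nft -c -f /etc/nftables.conf)

flush ruleset

table inet filter {
    # Native sets: no ipset binary, no separate kernel object to keep in sync.
    # Assumed management networks (documentation prefixes, not real addresses).
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    # Assumed public services; one lookup instead of one rule per port.
    set allowed_tcp {
        type inet_service
        elements = { 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Keep basic ICMP/ICMPv6 reachability (PMTUD, neighbour discovery).
        ip protocol icmp accept
        meta l4proto icmpv6 accept

        # Set lookups with the @name syntax.
        tcp dport @allowed_tcp accept
        ip saddr @admin_nets tcp dport 22 accept

        # Rate-limited log of whatever falls through to the drop policy.
        limit rate 5/minute log prefix "nft-input-drop: " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Two practical notes that follow from the post's caveat about error messages: run `nft -c -f <file>` before `nft -f <file>`, since syntax and type errors are reported with a file, line and column reference, whereas a rule the kernel rejects at load time comes back as a bare errno string (for example "Operation not supported" when a kernel lacks a feature the ruleset uses), and because `nft -f` loads the whole file as one transaction, a single rejected rule leaves the previous ruleset untouched rather than half-applied.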
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Fri Jul 13, 2018 2:40 am Post subject:
Ant P. wrote:
> Keruskerfuerst wrote:
> > You can visit the home page of nftables here: https://netfilter.org/
> > They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.
>
> nftables is not 20 years old, it's barely even 5. There's been three full rewrites of the Linux firewall stack in that time.
> In any case it's as reliable and secure as iptables since the latter is just a frontend for nftables now. It gets the job done, the syntax is more maintainable with complex rules and in theory you can write much more performant rulesets than iptables, since things like ipsets are baked in instead of an extension. Debugging errors is a pain in the ass though; the error messages are the worst part of the software, sometimes it'll just spit back a stringified libc error code straight from the kernel and you basically have to guess what you did wrong.

This was exactly what I was looking for.
Thanks.