Gentoo Forums
Is nftables ready for production?
Forum: Networking & Security
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2516

Posted: Tue Jul 03, 2018 3:17 pm    Post subject: Is nftables ready for production?

Hi,

I'm curious about nftables and its reliability and security.

Has anyone adopted nftables and run a security audit? Can you elaborate on any difficulties or performance issues as compared to iptables? How about ease of use?

Edit: I found this link but have not yet had the chance to read it. https://arxiv.org/pdf/1502.05487.pdf

Thanks.
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany

Posted: Thu Jul 12, 2018 4:53 am

You can visit the home page of nftables here: https://netfilter.org/

They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13511

Posted: Fri Jul 13, 2018 2:17 am

Your timeline is a bit off. Netfilter as a general concept is quite old, but according to LWN: Nftables: a new packet filtering engine, nftables was first discussed in 2008 and released in 2009. OP is specifically interested in the nftables project, not the more general idea of Linux netfilter.

Similarly, there are projects just as old, if not older, that have been poorly maintained and are definitely not suitable for their intended purpose now (if they ever were), so merely looking at the project's age is a poor metric for whether it would satisfy OP's requirements.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5595

Posted: Fri Jul 13, 2018 2:18 am

Keruskerfuerst wrote:
You can visit the home page of nftables here: https://netfilter.org/

They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.

nftables is not 20 years old, it's barely even 5. There have been three full rewrites of the Linux firewall stack in that time.


In any case it's as reliable and secure as iptables since the latter is just a frontend for nftables now. It gets the job done, the syntax is more maintainable with complex rules and in theory you can write much more performant rulesets than iptables, since things like ipsets are baked in instead of an extension. Debugging errors is a pain in the ass though; the error messages are the worst part of the software, sometimes it'll just spit back a stringified libc error code straight from the kernel and you basically have to guess what you did wrong.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2516

Posted: Fri Jul 13, 2018 2:40 am

Ant P. wrote:
Keruskerfuerst wrote:
You can visit the home page of nftables here: https://netfilter.org/

They began in the year 1999 and nearly 20 years after that, the code should be stable and run fast.

nftables is not 20 years old, it's barely even 5. There have been three full rewrites of the Linux firewall stack in that time.


In any case it's as reliable and secure as iptables since the latter is just a frontend for nftables now. It gets the job done, the syntax is more maintainable with complex rules and in theory you can write much more performant rulesets than iptables, since things like ipsets are baked in instead of an extension. Debugging errors is a pain in the ass though; the error messages are the worst part of the software, sometimes it'll just spit back a stringified libc error code straight from the kernel and you basically have to guess what you did wrong.


This was exactly what I was looking for.

Thanks.
All times are GMT