NFTables IPTables-Replacement Queued For Linux 3.13

• #1
  Phoronix: NFTables IPTables-Replacement Queued For Linux 3.13

  NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged now into the Linux 3.13 kernel...

  http://www.phoronix.com/vr.php?view=MTQ5MDU

• #2
  Wonder how that will affect Fedora FirewallD, which, from the little I came to use it in the CLI, seemed much better than the old IPtables daemons.


• #3
  No idea what you talk about

  Originally posted by iniudan:
  Wonder how that will affect Fedora FirewallD, which, from the little I came to use it in the CLI, seemed much better than the old IPtables daemons.

  IPtables is kernel modules + userland commands. It doesn't use a daemon anywhere. Looks like some sort of OS functionality.


• #4
  Originally posted by dimko:
  IPtables is kernel modules + userland commands. It doesn't use a daemon anywhere. Looks like some sort of OS functionality.

  Front-end then, sorry for my mistake in terminology.


• #5
  Originally posted by iniudan:
  Front-end then, sorry for my mistake in terminology.

  Yeah. The front-end here abstracts away the kernel implementation details. It doesn't matter to end users whether it is netfilter or nftables. They would at the minimum get the same functionality perhaps with better performance.


• #6
  It's still tables though, right? :-P


• #7
  Per-program rules

  Will it finally be possible with nftables to block certain programs from sending or receiving from the net (optionally filtered by the port too)?
  :P


• #8
  Originally posted by tesfabpel:
  Will it finally be possible with nftables to block certain programs from sending or receiving from the net (optionally filtered by the port too)?
  :P

  It's not listed under 'Main features'. If I remember correctly, firewall developers mentioned that this should be handled in userspace, i.e. some LD_PRELOAD library that catches connect() calls and matches this against a list of allowed/blocked connection characteristics. Which, in my opinion, is a sane thing to do (i.e. let userspace handle userspace).

  However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus-serving thingy... Furthermore, when I reinstall Windows on friends'/relatives' computers I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) whether it's legit or not? That is just wishful thinking. Most Linux defense mechanisms (PaX, SELinux) are geared to not get infected in the first place (or mitigate it) so you won't need these kinds of 'safety measures'.

  Back on topic: This looks really nice, the kernel side will be a lot smaller now that protocol-specific handling will move to userspace.

  I just really hope I won't have to rewrite my rules, I spent ages on the current ones.


• #9
  Rexillion, in Windows or OS X where you have a million services and system components dialing home, yes, whitelisting can be problematic and difficult, but in Linux distros it wouldn't be.

  "However, I don't think this has ever been done since it's rather ineffective. A virus could infect an .so and turn a fully legit executable binary into a virus-serving thingy... Furthermore, when I reinstall Windows on friends'/relatives' computers I let the Windows firewall handle things. Do you really expect everyone to check each .exe (or bin) whether it's legit or not? That is just wishful thinking."

  At least you would have a chance, let's say a legit service gets compromised, to see who it was dialing to.

  I maintain that Little Snitch is one of the best firewalls I've seen and it allows you to define rules like app x can only dial to ip y via port z once.


• #10
  Originally posted by tesfabpel:
  Will it finally be possible with nftables to block certain programs from sending or receiving from the net (optionally filtered by the port too)?
  :P

  You can already do this the Android way, by running those programs as their own user. The firewall can filter by UID.
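An added example, not from the thread, of the per-UID approach the reply above describes, written as an nftables ruleset: it assumes the program runs as a dedicated system user with placeholder UID 1501 that should only be able to reach TCP port 443, which also covers the "filtered by the port" part of the original question. The pre-nftables iptables equivalent is the owner match (-m owner --uid-owner).

```nft
# Added example, not from the thread: per-user egress filtering with nftables.
# Assumptions: the program runs as a dedicated system user with placeholder
# UID 1501, and it should only be able to open connections to TCP port 443.
# Load with: nft -f egress.nft   (iptables equivalent: -m owner --uid-owner 1501)
table inet egress {
    chain output {
        type filter hook output priority 0; policy accept;

        # Packets of connections that already exist keep flowing; this also
        # covers replies from a listening socket owned by UID 1501, so restrict
        # incoming connections in an input chain if that matters to you.
        ct state established,related accept

        # UID 1501 may only start TCP connections to port 443.
        meta skuid 1501 tcp dport 443 accept

        # Everything else that UID tries to send is counted, logged and dropped,
        # so the log shows who the program was trying to dial.
        meta skuid 1501 counter log prefix "egress-drop uid 1501: " drop
    }
}
```

Other users are untouched because the chain policy stays accept; only sockets owned by UID 1501 hit the two skuid rules.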
