Fedora 32 Looking At Switching Firewalld From Iptables To Nftables

    Phoronix: Fedora 32 Looking At Switching Firewalld From Iptables To Nftables

    While Fedora 31 isn't even out yet, looking ahead to the Fedora 32 release next spring is a plan to switch firewalld as Fedora's default network firewall from its existing iptables back-end to the more modern nftables back-end...

    http://www.phoronix.com/scan.php?pag...walld-Nftables

  • #2
    Considering Fedora is normally the incubator to test changes for Red Hat Enterprise Linux, I am surprised that RHEL 8 got changed to nftables before Fedora did.

    From the RHEL 8 release notes section 5.1.14:

    * "nftables replaces iptables as the default network packet filtering framework"

    * "firewalld uses nftables by default"

    As can be found here:
    https://access.redhat.com/documentat...ase#networking




  • #3
    Originally posted by chilinux:
    Considering Fedora is normally the incubator to test changes for Red Hat Enterprise Linux, I am surprised that RHEL 8 got changed to nftables before Fedora did.

    They rushed it because otherwise, they would be stuck with iptables for the whole RHEL 8 life cycle.



  • #4
    Nice.

    It is long overdue for nftables to get some wider adoption.
    Last edited by intelfx; 09-11-2019, 03:19 AM.



  • #5
    Wasn't there some discussion on lkml some time ago that the future is eBPF and XDP, and that nftables is a failed experiment with little usage? And somebody had created some kind of iptables implementation that in fact compiled the rules to eBPF (bpfilter). But subsequently I've heard little of it, and it seems that distros are slowly starting to switch over to nftables. What gives?



  • #6
    Originally posted by jabl:
    Wasn't there some discussion on lkml some time ago that the future is eBPF and XDP, and that nftables is a failed experiment with little usage? And somebody had created some kind of iptables implementation that in fact compiled the rules to eBPF (bpfilter). But subsequently I've heard little of it, and it seems that distros are slowly starting to switch over to nftables. What gives?

    https://old.lwn.net/Articles/747551/



  • #7
    Originally posted by starshipeleven:

    Thanks for re-jogging my memory, I remember reading that article when it came out. Any news in the subsequent 1½ years since it was written, except that bpfilter was apparently merged for 4.18?



  • #8
    What happens with docker/libvirt? They still don't use nftables and you can't mix iptables and nftables rules. How did they solve this issue in RHEL8?
    Last edited by darkbasic; 09-11-2019, 04:13 AM.



  • #9
    Originally posted by darkbasic:
    What happens with docker/libvirt? They still don't use nftables and you can't mix iptables and nftables rules. How did they solve this issue in RHEL8?

    You can, if you use iptables with the new -nft backend, which is the default since Debian 10 and RHEL 8.

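The point made in #9 (rules from the iptables-nft backend share the kernel's nf_tables engine, while rules loaded through the legacy backend do not, so a host with both is filtering twice and independently) can be checked from the command-line tools. The script below is an added example, not code from the thread or from firewalld, docker or libvirt; it assumes the iptables 1.8 command names and output formats (`iptables -V`, `iptables-legacy-save`, `nft list ruleset`) and falls back to constructed sample output when those tools are not on the host.

```python
"""Added example: spot a host where legacy iptables rules and nftables rules coexist."""
import re, shutil, subprocess

# Constructed sample outputs (iptables 1.8 format): firewalld already on nftables,
# while a container daemon has pushed a rule through the legacy backend.
SAMPLE_VERSION = "iptables v1.8.2 (nf_tables)"
SAMPLE_LEGACY_SAVE = """*filter
:FORWARD DROP [0:0]
-A FORWARD -o docker0 -j ACCEPT
COMMIT
"""
SAMPLE_NFT_RULESET = """table inet firewalld {
    chain filter_INPUT { type filter hook input priority 10; policy accept; }
}
"""

def iptables_backend(version_output):
    """'nf_tables' or 'legacy' from `iptables -V`; 'unknown' if neither tag is present."""
    m = re.search(r"\((nf_tables|legacy)\)", version_output)
    return m.group(1) if m else "unknown"

def legacy_rule_count(save_output):
    """Number of -A rule lines in iptables-legacy-save output (0: nothing in the legacy engine)."""
    return sum(1 for line in save_output.splitlines() if line.startswith("-A "))

def nft_tables(ruleset_output):
    """Table names (e.g. 'firewalld') found in `nft list ruleset` output."""
    return re.findall(r"^table\s+\S+\s+(\S+)\s*\{", ruleset_output, re.M)

def mixed_backends(save_output, ruleset_output):
    """True when both engines hold rules: each is evaluated on its own, so a packet
    accepted by one path may bypass what the other was meant to block."""
    return legacy_rule_count(save_output) > 0 and bool(nft_tables(ruleset_output))

def _run(cmd):
    """Stdout of cmd on a live host (root is needed for the rule dumps), else None."""
    if shutil.which(cmd[0]) is None:
        return None
    r = subprocess.run(cmd, capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None

if __name__ == "__main__":
    ver = _run(["iptables", "-V"]) or SAMPLE_VERSION
    legacy = _run(["iptables-legacy-save"]) or SAMPLE_LEGACY_SAVE
    nft = _run(["nft", "list", "ruleset"]) or SAMPLE_NFT_RULESET
    print("backend:", iptables_backend(ver), "| legacy rules:", legacy_rule_count(legacy),
          "| nft tables:", nft_tables(nft), "| mixed:", mixed_backends(legacy, nft))
```

Rules inserted through iptables-nft show up in the `nft list ruleset` output alongside firewalld's table, which is what makes them coexist; only the legacy backend's rules stay invisible to nft.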


  • #10
    I don't get why somebody wants to change iptables or netfilter, by some crap..
    Last edited by tuxd3v; 09-11-2019, 09:24 AM. Reason: typos
