Just a tip, if you want scripting with iptables: use a bash script that renders iptables-save format and pipe its output to iptables-restore. It's atomic, and you can use bash functions, variables and whatever else you want, including powerful ipsets.
I use ipsets for allowed TCP/UDP ports. That makes it possible to dynamically add/remove ports without reloading iptables.
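The approach described above, as an added example that is not part of the original post: a bash script whose functions render `ipset restore` and `iptables-restore` input, so the whole ruleset is swapped in one transaction and the allowed port lists live in ipsets. Interface name, management network, set names and ports are constructed placeholders. With no argument the script only prints what it would load; `./fw.sh apply` loads it.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): render a complete iptables-save style
# ruleset from bash functions/variables and load it atomically with
# iptables-restore. Allowed ports live in ipsets, so they can be changed
# later with `ipset add/del` without reloading the iptables ruleset.
# Interface, addresses, set names and ports are constructed placeholders.
set -euo pipefail

WAN_IF="eth0"              # assumed external interface
ADMIN_NET="192.0.2.0/24"   # assumed management network (TEST-NET-1)
TCP_PORTS=(22 80 443)      # initial allowed TCP ports
UDP_PORTS=(53 123)         # initial allowed UDP ports

# Emit `ipset restore` input: one bitmap:port set per protocol.
render_ipsets() {
  local p
  echo "create allow_tcp bitmap:port range 1-65535"
  for p in "${TCP_PORTS[@]}"; do echo "add allow_tcp $p"; done
  echo "create allow_udp bitmap:port range 1-65535"
  for p in "${UDP_PORTS[@]}"; do echo "add allow_udp $p"; done
}

# Small helpers so the rule text stays readable.
rule() { echo "-A $*"; }
# Accept new connections from the WAN whose destination port is in a set.
allow_set() {
  rule INPUT -i "$WAN_IF" -p "$1" -m set --match-set "$2" dst \
       -m conntrack --ctstate NEW -j ACCEPT
}

# Emit the whole filter table in iptables-save format. iptables-restore
# replaces the table in one transaction, so there is never a moment where
# only half of the rules are loaded.
render_rules() {
  echo "*filter"
  echo ":INPUT DROP [0:0]"
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  rule INPUT -i lo -j ACCEPT
  rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule INPUT -m conntrack --ctstate INVALID -j DROP
  rule INPUT -s "$ADMIN_NET" -p icmp -j ACCEPT
  allow_set tcp allow_tcp
  allow_set udp allow_udp
  rule INPUT -m limit --limit 5/min -j LOG --log-prefix input-drop: --log-level 4
  echo "COMMIT"
}

# Sets must exist before rules reference them; -exist makes re-runs idempotent.
apply() {
  render_ipsets | ipset -exist restore
  render_rules | iptables-restore
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "apply" ]; then
  apply
else
  render_ipsets
  render_rules
fi
```

Once loaded, opening or closing a port is `ipset add allow_tcp 8443` or `ipset del allow_tcp 80`, which takes effect immediately and leaves the iptables ruleset untouched; re-running the script with `apply` still converges to the same state because `iptables-restore` replaces the whole table.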
Netfilter Releases Nftables 1.0
-
I switched to iptables a long time ago, so I don't really follow who reports where. Since iptables is working fine, there is nothing to report.
-
Originally posted by bash2bash:
I only found someone who reported it to the firewalld GitHub issues, but there was no real interest in fixing anything; some people just confirmed there is a memory issue with nftables.
Even if someone reported it today, it would take a year before it reached us normal users. I guess people just use iptables and that solves the problem.
It should be reported to the nftables bug tracker.
- Likes 3
-
Originally posted by oibaf:
Did you report this to netfilter bugzilla https://bugzilla.netfilter.org/ ?
I searched it and didn't find this issue.
Maybe they'll have a chance to fix it.

I only found someone who reported it to the firewalld GitHub issues, but there was no real interest in fixing anything; some people just confirmed there is a memory issue with nftables.
Even if someone reported it today, it would take a year before it reached us normal users. I guess people just use iptables and that solves the problem.
-
Originally posted by bash2bash:
I don't use nftables because it has terrible problems with ipsets, for example a 1MB list of addresses consumes 1GB of memory. Apparently something to do with how nftables manages addresses in memory. Which makes nftables impossible to use since I've got a 5MB ipset of blocked addresses.

I searched it and didn't find this issue.
Maybe they'll have a chance to fix it.
- Likes 2
-
I still use iptables too. It's the same to the kernel anyway. Ipsets are nicer than the nft equivalents. In nft some words mean different things depending on where they are written. This is bad UX!
Anyway, I use variables with iptables, so that's nothing new.
-
I don't use nftables because it has terrible problems with ipsets, for example a 1MB list of addresses consumes 1GB of memory. Apparently something to do with how nftables manages addresses in memory. Which makes nftables impossible to use since I've got a 5MB ipset of blocked addresses.
- Likes 2
-
I like NFTables better than IPTables. Why? Because I use variables/aliases. Example:
Code:
define External = ethbr0
define Internal = { ethbr10, ethbr20, ethbr30, vmbr0 }
define Router = { 172.20.0.0/30 }
define EngeniusAPs = { 172.20.0.8/29 }

table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ip6 nexthdr icmpv6 accept
        iif ethbr0 ip daddr 172.20.0.1 ip protocol icmp accept
        iif ethbr10 ip daddr { 172.20.1.1, 172.20.16.1 } ip protocol icmp accept
        ip saddr 172.20.5.4 ip daddr 172.20.5.1 ip protocol icmp accept
        iif vmbr0 ip daddr { 172.20.0.1, 172.20.16.1 } ip protocol icmp accept
        ip saddr 172.20.16.4 accept
        iif lo accept
        ct state established,related accept
        iifname $External tcp dport { 53, 32482, 1022 } accept
        iifname $Internal udp dport 53 accept
        iifname { $External, $Internal } udp dport 123 accept
        iifname { $External, $Internal } tcp dport 123 accept
        iif { ethbr10, vmbr0 } tcp dport { 53, 32482, 1022 } accept
        iif { ethbr10, vmbr0 } udp dport { 123 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        iif { ethbr0, ethbr10 } oif ethbr30 accept
        iif ethbr30 oif { ethbr0, ethbr10 } accept
        ip saddr $EngeniusAPs oifname $Internal drop
        iifname $Internal ip daddr $EngeniusAPs drop
        iif { ethbr0, ethbr10, vmbr0 } ip daddr 172.20.5.4/30 accept
        iif ethbr10 ip daddr 172.20.5.12/30 accept
        ip saddr 172.20.5.4/30 oif { ethbr0, ethbr10, vmbr0 } accept
        ip saddr 172.20.5.12/30 oif ethbr10 ct state established,related accept
    }
}
Last edited by GraysonPeddie; 19 August 2021, 10:00 PM.
- Likes 3
-
Phoronix: Netfilter Releases Nftables 1.0
The Netfilter project has announced the release of Nftables 1.0.0 for their user-space code for interfacing with the Linux kernel's Nftables subsystem for network filtering and classification...
- Likes 1