Announcement

Collapse
No announcement yet.

Netfilter Releases Nftables 1.0

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • S.Pam
    replied
    Just a tip, if you want scripting with iptables. Use a bash script that renders iptables-save format and pipe it's output to iptables-restore. It's atomic and you can use bash functions, variables and what else you want, including powerful ipsets.

    I use ipsets for allow tcp/udp ports. Makes it possible to dynamically add/remove ports without reloading iptables.

    Leave a comment:


  • bash2bash
    replied
    I switched to iptables a long time ago, so I don't really follow who reports where. Since iptables is working fine, there is nothing to report

    Leave a comment:


  • Nuc!eoN
    replied
    Originally posted by bash2bash View Post
    I only found someone who reported it to firewalld github issues, but there was no real interest to fix anything, some people just confirmed there is a memory issue with nftables.

    Even if someone reported it today, it would take a year before it reached us normal users, I guess people just use iptables and that solves the problem.
    Why should firewalld devs fix a bug that is in nftables?

    It should be reported to the nftables bug tracker.

    Leave a comment:


  • bash2bash
    replied
    I only found someone who reported it to firewalld github issues, but there was no real interest to fix anything, some people just confirmed there is a memory issue with nftables.

    Even if someone reported it today, it would take a year before it reached us normal users, I guess people just use iptables and that solves the problem.


    Originally posted by oibaf View Post

    Did you report this to netfilter bugzilla https://bugzilla.netfilter.org/ ?
    I searched it and didn't find this issue.
    Maybe they'll have a chance to fix it.

    Leave a comment:


  • oibaf
    replied
    Originally posted by bash2bash View Post
    I don't use nftables because it has terrible problems with ipsets, for example a 1MB list of addresses consumes 1GB of memory. Apparently something to do with how nftables manages addresses in memory. Which makes nftables impossible to use since I've got a 5MB ipset of blocked addresses.
    Did you report this to netfilter bugzilla https://bugzilla.netfilter.org/ ?
    I searched it and didn't find this issue.
    Maybe they'll have a chance to fix it.

    Leave a comment:


  • S.Pam
    replied
    I still use iptables too. It's the same to the kernel anyway. Ipsets are nicer than nft equivalents. In nft some words mean different things depending on where they are written. This is bad UX!

    Anyways I use variables with iptables, so that's nothing new.

    Leave a comment:


  • bash2bash
    replied
    I don't use nftables because it has terrible problems with ipsets, for example a 1MB list of addresses consumes 1GB of memory. Apparently something to do with how nftables manages addresses in memory. Which makes nftables impossible to use since I've got a 5MB ipset of blocked addresses.

    Leave a comment:


  • GraysonPeddie
    replied
    I like NFTables better than IPTables. Why? Because I use variables/aliases. Example:

    Code:
    define External = ethbr0;
    define Internal = { ethbr10, ethbr20, ethbr30, vmbr0 };
    define Router = { 172.20.0.0/30 };
    define EngeniusAPs = { 172.20.0.8/29 };
    
    table inet filter {
    chain INPUT {
    type filter hook input priority filter;
    policy drop;
    ip6 nexthdr icmpv6 accept;
    iif ethbr0 ip daddr 172.20.0.1 ip protocol icmp accept;
    iif ethbr10 ip daddr {172.20.1.1,172.20.16.1} ip protocol icmp accept;
    ip saddr 172.20.5.4 ip daddr 172.20.5.1 ip protocol icmp accept;
    iif vmbr0 ip daddr {172.20.0.1,172.20.16.1} ip protocol icmp accept;
    ip saddr 172.20.16.4 accept;
    iif lo accept;
    ct state established,related accept
    iifname $External tcp dport { 53, 32482, 1022 } accept;
    iifname $Internal udp dport 53 accept;
    iifname {$External,$Internal} udp dport 123 accept;
    iifname {$External,$Internal} tcp dport 123 accept;
    iif {ethbr10,vmbr0} tcp dport { 53, 32482, 1022 } accept;
    iif {ethbr10,vmbr0} udp dport { 123 } accept;
    }
    
    chain forward {
    type filter hook forward priority 0;
    policy accept;
    iif { ethbr0, ethbr10 } oif ethbr30 accept;
    iif ethbr30 oif { ethbr0, ethbr10 } accept;
    ip saddr $EngeniusAPs oifname $Internal drop;
    iifname $Internal ip daddr $EngeniusAPs drop;
    iif { ethbr0, ethbr10, vmbr0 } ip daddr 172.20.5.4/30 accept;
    iif ethbr10 ip daddr 172.20.5.12/30 accept;
    ip saddr 172.20.5.4/30 oif { ethbr0, ethbr10, vmbr0 } accept;
    ip saddr 172.20.5.12/30 oif ethbr10 ct state established,related accept;
    }
    }
    Unfortunately, VBulletin removed leading spaces that are used for indentation between { and }.
    Last edited by GraysonPeddie; 19 August 2021, 10:00 PM.

    Leave a comment:


  • phoronix
    started a topic Netfilter Releases Nftables 1.0

    Netfilter Releases Nftables 1.0

    Phoronix: Netfilter Releases Nftables 1.0

    The Netfilter project has announced the release of Nftables 1.0.0 for their user-space code for interfacing with the Linux kernel's Nftables subsystem for network filtering and classification...

    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
Working...
X