
NFTables To Replace iptables In the Linux Kernel

Posted by Soulskill
from the out-with-the-old dept.
An anonymous reader writes "NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."

  • pf (Score:5, Informative)

    by Alioth (221270) <no@spam> on Saturday October 19, 2013 @07:24PM (#45177609) Journal

    Can't we have OpenBSD pf instead? Powerful, nice, decent documentation on how to use it, syntax that makes a lot more sense than iptables.

  • Re:again? (Score:5, Informative)

    by skids (119237) on Saturday October 19, 2013 @11:31PM (#45178711) Homepage

    There is an intersection between the tasks iptables/ebtables/arptables can perform, so sometimes you need to decide which responsibility you want to delegate to which.

    But you are correct, ebtables was never a replacement for iptables.

    This diagram [] is very useful when you get deep in the weeds.

  • Re:You go girl :D (Score:5, Informative)

    by philip.paradis (2580427) on Saturday October 19, 2013 @11:42PM (#45178759)

    Don't worry, iptables and arptables aren't going to magically disappear. A ridiculous amount of infrastructure depends on both, and the nftables announcement is severely over-hyped. Having alternatives is a good thing, and it doesn't mean the sky is falling.

  • Re:again? (Score:4, Informative)

    by Kjella (173770) on Sunday October 20, 2013 @06:59AM (#45179727) Homepage

    And they're down to 1.1% [] of all web servers, all FreeBSD. From the list of "Popular websites using FreeBSD" only one is in Alexa's top 500 and that's []. The Alexa rankings: 229 557 771 1096 5488 5818 4710 5125 5834 6702

    It is literally less than a handful (the top four) that means BSD even still has a presence and 80% of that is probably just one site. I guess BSD code is lots of places like in OS X and embedded and routers and whatnot but BSD is practically dead as a server (cue and queue the Netcraft and Monty Python jokes, please take a number). Who, at this point, would be interested in building a new network stack for BSD? I guess Juniper would since they use it for Junos, but honestly not that many others...

  • Re:again? (Score:4, Informative)

    by rmadmin (532701) <rmalek@homecod[ ]rg ['e.o' in gap]> on Sunday October 20, 2013 @10:18AM (#45180361) Homepage []

    You also forgot some biggies, like Netflix, oh and Apache themselves. Sampling an OS's usage numbers off of how many public facing web servers are out there will give you very biased results. I have two FreeBSD servers running OpenBGPd and OpenOSPFd, and two that are NFS servers; there is absolutely no web server on them. They are ROCKS of stability. This is just FreeBSD; a partner ISP I work with runs OpenBSD route reflectors.
