I don't envy the decision makers. NetFilter has been around ~20 years, and nft (NetFilter Tables) finally unified all the various *tables about 5 years after that.
But it's only been about 5 years since distros finally adopted it, although I'll give some distros credit for abstracting their host firewall tools a decade ago so the transition users much more easily. But not even agrees on those tools or the transition for that matter. And some vendors are just so way, way behind, using static, inflexible scripts that don't work well with libvirt, containers, etc...

We've seen this with other solutions too, like Docker taking forever to add kernel control groups (cgroups) v2, among other facilities, like more secure, non-root/insecure socket, facilities, which finally pushed some vendors to introduce alternatives (e.g., Red Hat with podman, much like firewalld... dynamic, secure, runtime solutions, that work alongside other facilities, and can insert/reload rules upon dynamic infrastructure changes).

I mean, let's face it, many Kube et al. solutions aren't very dynamic and don't always work with various facilities, and it's very frustrating in financial and other, regulated, high compliance environments, which customers then push their 'Enterprise' vendors to address.

So, where and when nft comes in, I don't know.

--
Sent from my phone, apologies for any brevity as well as autocorrect
Bryan J Smith - http://linkedin.com/in/bjsmith

On Wed, Oct 25, 2023, 07:37 Simone Piccardi via lpi-examdev <[email protected]> wrote:

> On 23/10/23 19:43, Fabian Thorns via lpi-examdev wrote:
> > Please note that this document will be edited as the discussion goes.
>
> In topic 212.1 there is no mention of nft, still going for iptables and
> ip6tables, that are legacy.
>
> If you choose firewalld as a high-level tool for firewall management
> you cannot even check the rules it creates using iptables and ip6tables,
> because the current version uses nft and iptables finds nothing.
>
> Anyway adding nft will probably need a weight increase.
>
> Simone
> --
> Simone Piccardi                 Truelite Srl
> [email protected] (email/jabber)   Via Monferrato, 6
> Tel. +39-347-1032433            50142 Firenze
> http://www.truelite.it          Tel. +39-055-7879597
>
> _______________________________________________
> lpi-examdev mailing list
> [email protected]
> https://list.lpi.org/mailman/listinfo/lpi-examdev
