I think in the end we'll ship the nftables code. Fedora is defaulting
their stuff to nftables now [1][2]. That means systemd-networkd might
need or want (speculation) to update their firewall-util.c [3] to
support it. And knowing their attitudes on this sort of thing, that
means they'll probably (s
On 11.12.2019 1:09, Jason A. Donenfeld wrote:
On Tue, Dec 10, 2019 at 11:03 PM Vasili Pupkin wrote:
As far as I know both of them are maintained in the same repository and
both use the same userspace library to interact with the kernel and down
there all the rules are translated into BPF code w
On Tue, Dec 10, 2019 at 11:03 PM Vasili Pupkin wrote:
> As far as I know both of them are maintained in the same repository and
> both use the same userspace library to interact with the kernel and down
> there all the rules are translated into BPF code which in turn is
> compiled into machine cod
On 10.12.2019 20:12, Roman Mamedov wrote:
On Tue, 10 Dec 2019 17:54:49 +0100
"Jason A. Donenfeld" wrote:
iptables rules and nftables rules can co-exist just fine, without any
translation needed. Indeed if your iptables is symlinked to
iptables-nft, then you'll insert nftables rules when you tr
On Tue, Dec 10, 2019 at 9:30 PM Jordan Glover
wrote:
>
> On Tuesday, December 10, 2019 7:15 PM, Jason A. Donenfeld
> wrote:
>
> > On Tue, Dec 10, 2019 at 7:58 PM Jordan Glover
> > golden_mille...@protonmail.ch wrote:
> >
> > > On Tuesday, December 10, 2019 5:36 PM, Jason A. Donenfeld ja...@zx2c4
On Tuesday, December 10, 2019 7:15 PM, Jason A. Donenfeld
wrote:
> On Tue, Dec 10, 2019 at 7:58 PM Jordan Glover
> golden_mille...@protonmail.ch wrote:
>
> > On Tuesday, December 10, 2019 5:36 PM, Jason A. Donenfeld ja...@zx2c4.com
> > wrote:
> >
> > > On the other hand, if what you say is actu
On Tue, Dec 10, 2019 at 7:58 PM Jordan Glover
wrote:
>
> On Tuesday, December 10, 2019 5:36 PM, Jason A. Donenfeld
> wrote:
>
> >
> > On the other hand, if what you say is actually true in our case, and
> > nftables is utter crap, then perhaps we should scrap this nft(8) patch
> > altogether a
On Tuesday, December 10, 2019 5:36 PM, Jason A. Donenfeld
wrote:
>
> On the other hand, if what you say is actually true in our case, and
> nftables is utter crap, then perhaps we should scrap this nft(8) patch
> altogether and just keep pure iptables(8). DKG - you seemed to want
> nft(8) supp
On Tue, 10 Dec 2019 18:36:06 +0100
"Jason A. Donenfeld" wrote:
> That bachelor's thesis says in the abstract, "Latency was measured
> through the round-trip time of ICMP packets while throughput was
> measured by generating UDP traffic using iPerf3. The results showed
> that, when using linear loo
On Tue, Dec 10, 2019 at 6:30 PM Vasili Pupkin wrote:
>
> On 10.12.2019 18:48, Jason A. Donenfeld wrote:
>
> > restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j
> > DROP
> > nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type !=
> > local drop
>
>
> I a
Hi Roman,
On Tue, Dec 10, 2019 at 6:12 PM Roman Mamedov wrote:
>
> On Tue, 10 Dec 2019 17:54:49 +0100
> "Jason A. Donenfeld" wrote:
>
> > iptables rules and nftables rules can co-exist just fine, without any
> > translation needed. Indeed if your iptables is symlinked to
> > iptables-nft, then y
On 10.12.19 18:12, Roman Mamedov wrote:
> It's the systemd and
> pulseaudio story all over again
By that metric I can only assume that nft is a huge improvement over
iptables.
We have to deal with iptables vs. nftables, just like we have to deal
with various vendor kernels. Complaining on-list a
On 10.12.2019 18:48, Jason A. Donenfeld wrote:
restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP
nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type !=
local drop
I am trying to understand the rulesets. When you check the type of the
source a
On Tue, Dec 10, 2019 at 6:13 PM Roman Mamedov wrote:
> nftables is slower than iptables across pretty much every metric[1][2]. It
> only wins where a pathological case is used for the iptables counterpart
> (e.g.
> tons of single IPs as individual rules and without ipset). It is a disaster
> that
On Tue, Dec 10, 2019 at 6:05 PM Jordan Glover
wrote:
>
> On Tuesday, December 10, 2019 4:54 PM, Jason A. Donenfeld
> wrote:
>
> > On Tue, Dec 10, 2019 at 5:52 PM Jordan Glover
> > golden_mille...@protonmail.ch wrote:
> >
> > > On Tuesday, December 10, 2019 3:48 PM, Jason A. Donenfeld ja...@zx2c4
On Tue, 10 Dec 2019 17:54:49 +0100
"Jason A. Donenfeld" wrote:
> iptables rules and nftables rules can co-exist just fine, without any
> translation needed. Indeed if your iptables is symlinked to
> iptables-nft, then you'll insert nftables rules when you try to insert
> iptables rules, but it re
On Tuesday, December 10, 2019 4:54 PM, Jason A. Donenfeld
wrote:
> On Tue, Dec 10, 2019 at 5:52 PM Jordan Glover
> golden_mille...@protonmail.ch wrote:
>
> > On Tuesday, December 10, 2019 3:48 PM, Jason A. Donenfeld ja...@zx2c4.com
> > wrote:
> >
> > > If nft(8) is installed, use it. These rule
On Tue, Dec 10, 2019 at 5:52 PM Jordan Glover
wrote:
>
> On Tuesday, December 10, 2019 3:48 PM, Jason A. Donenfeld
> wrote:
>
> > If nft(8) is installed, use it. These rules should be identical to the
> > iptables-restore(8) ones, with the advantage that cleanup is easy
> > because we use custom
On Tuesday, December 10, 2019 3:48 PM, Jason A. Donenfeld
wrote:
> If nft(8) is installed, use it. These rules should be identical to the
> iptables-restore(8) ones, with the advantage that cleanup is easy
> because we use custom table names.
>
I wonder if nft should be used only if iptables is
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.
---
Hey folks,
I'd appreciate a review from some of the nftables experts on this list
who requested this.
Thanks,
Jason