LinuxQuestions.org
Old 12-15-2014, 01:47 PM   #1
kikilinux
Member
 
Registered: Sep 2012
Posts: 126
Translation from iptables to nftables


Are these two sentences correct?

1- The compatibility layer that is introduced in nftables is: iptables and nftables working at the same time, but iptables rules are run on top of nftables.
2- There are some efforts (like a project) to translate iptables rules to the equivalent nftables rules.
 
Old 12-16-2014, 11:52 AM   #2
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524
nftables is the new packet filter for Linux. It supports legacy iptables rules. There are some (see a Google search), but I say you manually adapt it to new nftables rules.
 
Old 12-17-2014, 05:57 AM   #3
kikilinux
Member
 
Registered: Sep 2012
Posts: 126
Original Poster
It is not my answer.
I have found this link about nftables (plus the compatibility layer): http://www.spinics.net/lists/netfilt.../msg23831.html
What does that link say, especially items 3, 4 and 5?
Do those mean, for instance: if we write
Quote:
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
then the kernel translates it automatically to the below command in nftables?
Quote:
nft add filter OUTPUT tcp dport 80 accept
Or
does it just say: we can use iptables until nftables completely provides all features of iptables?
 
Old 12-17-2014, 02:12 PM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070
Answers from someone who doesn't know:

Quote:
Originally Posted by kikilinux View Post
Are these two sentences correct?

1- The compatibility layer that is introduced in nftables is: iptables and nftables working at the same time, but iptables rules are run on top of nftables.
2- There are some efforts (like a project) to translate iptables rules to the equivalent nftables rules.
2) is closer to the truth, as I understand it. So, while I know that there is a project to ensure compatibility with iptables rule sets, I don't know of any statement that you can mix iptables and nftables rules, just one or the other (but I'm no expert).

Quote:
then the kernel translates it automatically to the below command in nftables?
I can't see this being likely or workable. I think that the only approach that is likely to be workable is to have something like a script that translates iptables rules to equivalent nftables ones. Anything that implies that nftables rules are created dynamically, at run time and on requirement is going to be hopeless from a perf point of view (and, iptables isn't hopeless from a perf point of view, so if nftables was hopeless, even in backwards compatibility mode, then it would be a very noticeable step backwards).

Assuming that what is going to happen is that rules are going to be translated once, before the ruleset is instantiated, I can't see why the kernel would be directly involved in translation. Whether you write a Python or a C program to do it, it should be a solidly userspace program that does it.

Quote:
we can use iptables until nftables completely provides all features of iptables?
Well, why not? It still does everything that it used to do. From here:

Quote:
Linux 3.13 is out, bringing among other things the first official release of nftables. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework aka iptables. The nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions. It is already usable in most cases, but complete support (read: nftables at a better level than iptables) should be available in Linux 3.15.
So, I'm just making the point that it takes longer to get these things right than ever seems possible, at first. But, with iptables still working, that isn't necessarily a problem, unless you are a compulsive early adopter.

Last edited by salasi; 12-17-2014 at 02:18 PM. Reason: forgot stuff...
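The userspace, translate-once approach salasi describes in post #4 is easy to see in code. The following is an added example written for this page, not code from the thread, from the netfilter project, or from the real iptables-translate tool (which later shipped with iptables 1.6 and does this job for real rulesets). It rewrites a small, explicitly bounded subset of iptables rule syntax (-A/-I, -p, --dport/--sport, -s/-d, -i/-o, -j) into nft commands of the form `nft add rule ip <table> <chain> <matches> <verdict>`, and refuses anything outside that subset rather than silently dropping a match, which is the failure mode a firewall translator must avoid. The kernel is never involved: it is pure string rewriting before the ruleset is loaded.

```python
"""Toy iptables -> nft rule translator (added example, not the thread's code).

Mirrors the point made in the thread: translation happens once, in userspace,
before the ruleset is instantiated. Unsupported syntax raises ValueError so a
rule is never half-translated into a weaker rule.
"""
import shlex

# iptables targets this translator knows how to express as nft verdicts
TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject", "RETURN": "return"}
# only protocols with port matches are handled here
PROTOCOLS = {"tcp", "udp"}


def _port(spec: str) -> str:
    """iptables writes port ranges as 80:90, nft writes them as 80-90."""
    return spec.replace(":", "-")


def translate(rule: str) -> str:
    """Return the nft command equivalent to one iptables command line.

    Raises ValueError for anything outside the supported subset (negation,
    match modules such as -m state, unknown targets, unknown options).
    """
    toks = shlex.split(rule)
    if not toks or toks[0] != "iptables":
        raise ValueError("expected a command starting with 'iptables'")

    table, chain, verb, proto, target = "filter", None, None, None, None
    matches = []  # nft match expressions, in the order they appeared
    i = 1
    while i < len(toks):
        opt = toks[i]
        if opt == "!":
            raise ValueError("negated matches are not supported")
        if i + 1 >= len(toks):
            raise ValueError(f"option {opt} needs an argument")
        val = toks[i + 1]
        if opt == "-t":
            table = val
        elif opt in ("-A", "-I"):
            chain = val
            verb = "add" if opt == "-A" else "insert"
        elif opt == "-p":
            proto = val.lower()
            if proto not in PROTOCOLS:
                raise ValueError(f"unsupported protocol {val}")
        elif opt == "-m":
            # '-m tcp' / '-m udp' is implied by -p; other match modules are out of scope
            if val.lower() != proto:
                raise ValueError(f"unsupported match module {val}")
        elif opt in ("--dport", "--sport"):
            if proto is None:
                raise ValueError(f"{opt} requires -p tcp or -p udp first")
            matches.append(f"{proto} {opt[2:]} {_port(val)}")
        elif opt == "-s":
            matches.append(f"ip saddr {val}")
        elif opt == "-d":
            matches.append(f"ip daddr {val}")
        elif opt == "-i":
            matches.append(f'iifname "{val}"')
        elif opt == "-o":
            matches.append(f'oifname "{val}"')
        elif opt == "-j":
            if val not in TARGETS:
                raise ValueError(f"unsupported target {val}")
            target = TARGETS[val]
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2

    if chain is None or target is None:
        raise ValueError("rule needs a chain (-A/-I) and a target (-j)")
    return f"nft {verb} rule ip {table} {chain} " + " ".join(matches + [target])


def translate_ruleset(lines):
    """Translate a list of iptables command lines; blank lines and comments are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(translate(line))
    return out


if __name__ == "__main__":
    # constructed sample ruleset, including the rule from post #3 of the thread
    sample = [
        "# constructed example rules",
        "iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT",
        "iptables -I INPUT -i eth0 -s 10.0.0.0/8 -p udp --dport 53:54 -j DROP",
    ]
    for cmd in translate_ruleset(sample):
        print(cmd)
```

Feed it `iptables-save`-style lines one at a time and load the output with a single `nft -f` afterwards; a rule that raises is one you must port by hand, which is exactly veerain's advice in post #2.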
 