[SOLVED] translation from iptables to nftables

kikilinux · 12-15-2014, 01:47 PM

does these two sentences correct ?

1- The compatibility layer that is introduced in nftables is: working of iptables and nftables at the same time but iptables rules is ran on top of nftables.
2- there are some effort (like a project) to translate iptables rules to the equivalent nftables rules.

veerain · 12-16-2014, 11:52 AM

nftables is the new packet filter for linux. It supports legacy iptables rules. There are some see google search but I say you manually adapt it to new nftables rules.

kikilinux · 12-17-2014, 05:57 AM

It is not my answer.
I have found this links about nftables (plus compatibility layer) : http://www.spinics.net/lists/netfilt.../msg23831.html
What does that link say? specially 3, 4 and 5 items.
Are those mean, for instance : if we write

Quote:

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

then kernel translates it automatically to the bellow command in nftables? :

Quote:

nft add filter OUTPUT tcp dport 80 accept

Or
it just say : we can use iptables until nftables completely provide all features of iptables?

salasi · 12-17-2014, 02:12 PM

Answers from someone who doesn't know:

Quote:

Originally Posted by kikilinux

does these two sentences correct ?

1- The compatibility layer that is introduced in nftables is: working of iptables and nftables at the same time but iptables rules is ran on top of nftables.
2- there are some effort (like a project) to translate iptables rules to the equivalent nftables rules.

2) is closer to the truth, as I understand it. So, while I know that there is a project to ensure compatibility with iptables rule sets, I don't know of any statement that you can mix iptables and nftables rules, just one or the other (but I'm no expert).

Quote:

then kernel translates it automatically to the bellow command in nftables?

I can't see this being likely or workable. I think that the only approach that is likely to be workable is to have something like a script that translates iptables rules to equivalent nftables ones. Anything that implies that nftables rules are created dynamically, at run time and on requirement is going to be hopeless from a perf point of view (and, iptables isn't hopeless from a perf point of view, so if nftables was hopeless, even in backwards compatibility mode, then it would be a very noticeable step backwards).

Assuming that what is going to happen is that rules are going to be translated once, before the ruleset is instantiated, I can't see why the kernel would be directly involved in translation. Whether you write a Python or a C program to do it, it should be a solidly userspace program that does it.

Quote:

we can use iptables until nftables completely provide all features of iptables?

Well, why not? It still does everything that it used to do. from here

Quote:

Linux 3.13 is out bringing among other thing the first official release of nftables. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework aka iptables. nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions. It is already usable in most cases but a complete support (read nftables at a better level than iptables) should be available in Linux 3.15.

So, I'm just making the point that it takes longer to get these things right than ever seems possible, at first. But, with iptables still working, that isn't necessarily a problem, unless you are a compulsive early adopter.