LinuxQuestions.org
Old 09-26-2019, 09:50 PM   #1
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Rep: Reputation: Disabled
nftables vs. iptables


Any Slackers using nftables rather than iptables? If yes, any comments or observations to offer?
 
Old 09-26-2019, 11:43 PM   #2
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640
I attempted (studied) using nftables but couldn't really get used to the new syntax and messed up some of my firewalls. While waiting for some other inputs from more experienced Slackers, you could have a look at:
https://linux-audit.com/differences-...les-explained/
https://wiki.nftables.org/wiki-nftab...es_to_nftables
https://developers.redhat.com/blog/2...king-nftables/

Before you decide which one to use, note that if you look for inspiration/examples, you'll find the majority of firewall rules in iptables syntax.
Printing/learning this schematic could be more helpful at the start of the journey:
https://upload.wikimedia.org/wikiped...acket-flow.svg

And, there's already a new kid in town:
https://lwn.net/Articles/747551/
https://linux-audit.com/bpfilter-nex...inux-firewall/
 
Old 09-27-2019, 12:26 AM   #3
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers) / Ubuntu (workstations)
Posts: 102

Rep: Reputation: 41
I also studied nftables.
RHEL / CentOS and Debian have already switched to nftables.
I am pleased that in Slackware I have the opportunity to choose what I want and can use. I even tried a conversion of my firewall with iptables-translate -> I failed ... but, of course, I still have to learn!
Don't know if I can anymore, I'll try again when I have more free time.
 
Old 10-02-2019, 07:43 PM   #4
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
Quote:
RHEL / CentOS and Debian have already switched to nftables.
This was partly my reason for starting the thread. Slackware has included nftables for a while now but I haven't seen any related chatter among Slackers.
 
Old 10-02-2019, 08:51 PM   #5
stormtracknole
Senior Member
 
Registered: Aug 2005
Distribution: Slackware, RHEL
Posts: 1,142

Rep: Reputation: 158
Quote:
Originally Posted by upnort
This was partly my reason for starting the thread. Slackware has included nftables for a while now but I haven't seen any related chatter among Slackers.
From what I understand, iptables does not scale well when you have to write fairly large and complex rules. The newer implementations are supposed to be more efficient and can implement newer features. I don't think iptables will be going anywhere though.
 
Old 10-02-2019, 09:12 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,672

Rep: Reputation: Disabled
Going off on a slight tangent, I believe one important reason why netadmins haven't been flocking to nftables, is that iptables is a quite powerful tool, and nftables doesn't really bring much to the table (ahem) while introducing an entirely new syntax.

You even see those advocating nftables misrepresenting iptables in terms of what functionality it has to offer. For instance, consider the first of these two articles:
Quote:
Originally Posted by abga
From that article:
Quote:
Iptables has not aged entirely well. For example, there is no way to add or replace a single rule (or small set of rules); iptables can only wipe out the entire configuration and start from scratch.
Really? Does iptables -D and iptables -I not work at the lwn.net offices?

(And as for the syntax, I really detest the nftables config files. They look nothing like the firewall ruleset on any other device I've ever used.)
 
Old 10-02-2019, 09:27 PM   #7
stormtracknole
Senior Member
 
Registered: Aug 2005
Distribution: Slackware, RHEL
Posts: 1,142

Rep: Reputation: 158
I should also state that this was the information given during a Red Hat Training class by the instructor. I can't really say for sure how factual it is.
 
Old 10-02-2019, 09:57 PM   #8
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1}
Posts: 5,227
Blog Entries: 11

Rep: Reputation: 3176
Not using nftables, but I did make the effort, so I hope my comments are helpful.

Quote:
Originally Posted by Ser Olmy
...iptables is a quite powerful tool, and nftables doesn't really bring much to the table (ahem) while introducing an entirely new syntax.
It has been a while ago, but I initially looked into nftables, and my conclusion was this, exactly.

The netfilter kernel hooks and routing infrastructure remain unchanged, as well as connection states... so what do I get other than a new syntax? There are claims of better performance, but I have no performance issues to address.

I have decided to stay with iptables and will continue to maintain and extend my own iptables based management tools without concern that iptables might disappear or fall behind.

Last edited by astrogeek; 10-02-2019 at 10:09 PM.
 
Old 10-03-2019, 09:01 AM   #9
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,298

Rep: Reputation: 1957
Quote:
Originally Posted by Ser Olmy
Going off on a slight tangent, I believe one important reason why netadmins haven't been flocking to nftables, is that iptables is a quite powerful tool, and nftables doesn't really bring much to the table (ahem) while introducing an entirely new syntax.

You even see those advocating nftables misrepresenting iptables in terms of what functionality it has to offer. For instance, consider the first of these two articles:
From that article:
Quote:
Iptables has not aged entirely well. For example, there is no way to add or replace a single rule (or small set of rules); iptables can only wipe out the entire configuration and start from scratch.
Really? Does iptables -D and iptables -I not work at the lwn.net offices?
Those commands "work" the same way an editor works when adding or deleting text in a file, i.e. by creating an entirely new file that includes the changes and then replacing the old file with the new. "iptables -I ..." and "iptables -D ..." extract the entire current rule set from the kernel, make the indicated change, and then load the entire new rule set into the kernel. For a large rule set, that's a very inefficient way to do business and impacts packet flow while that new, large rule set is being loaded.
 
Old 10-03-2019, 09:15 AM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,672

Rep: Reputation: Disabled
Quote:
Originally Posted by rknichols
For a large rule set, that's a very inefficient way to do business and impacts packet flow while that new, large rule set is being loaded.
Any idea how large the ruleset would have to be before this would be noticeable?

I've never had any issues with traffic being impeded due to inserts or deletions, but admittedly I mostly deal with sub-gigabit Internet uplinks and rulesets with no more than 400-500 filter rules, and perhaps 50 NAT rules at most.
 
Old 10-03-2019, 12:49 PM   #11
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,298

Rep: Reputation: 1957
Quote:
Originally Posted by Ser Olmy
Any idea how large the ruleset would have to be before this would be noticeable?

I've never had any issues with traffic being impeded due to inserts or deletions, but admittedly I mostly deal with sub-gigabit Internet uplinks and rulesets with no more than 400-500 filter rules, and perhaps 50 NAT rules at most.
I really don't know. I've never experienced a problem with it myself. I was as surprised as others about the "whole rule set" action -- surprised enough to dig into the source code for the iptables command to confirm it, and yes, that's what it does. It's been a couple of years since I did that, but I doubt it has changed.
 
Old 10-03-2019, 01:42 PM   #12
karlmag
LQ Newbie
 
Registered: Apr 2014
Distribution: Slackware
Posts: 22

Rep: Reputation: Disabled
Quote:
Originally Posted by upnort
Any Slackers using nftables rather than iptables? If yes, any comments or observations to offer?
Have been looking into setting up my new firewall-to-be using nftables.
For various reasons it's been dragging out, but *most* of those reasons are unrelated to nftables itself.

Main observations;
- Not really having touched/written firewall rules in either nftables or iptables for literally years, one would have to (re-)learn stuff in any case. So why not try the new one?
- Finding good documentation for nftables was, or at least felt quite difficult. Most of what I found was either more or less assuming you know iptables fairly well and/or assumes you are a seasoned programmer. I am neither, even though I - for the most part - am able to understand code if I am so inclined. But yeah, it felt a bit more demanding than I hoped for. To be fair I would feel a bit the same about iptables, but since it has been around for longer it's easier to find good documentation for it - for "someone like me".
- After stating the above; it isn't totally black magic when you start figuring out what's going on. Just might take a bit of time to wrap your head around some of it. That said, you *can* write rules that look awfully much like iptables rules if you are so inclined. You would forego some of the simplifications and updates/strengths (whatever you'll call it) in nftables though. But it is possible.

I guess those are the main things I remember right now at least.

The more people start using nftables, the more resources for it would pop up over time and I guess it will kind of be "demystified" a bit. And yeah, nftables does a fairly good job for most people and it's been around for longer so it's an old habit that will die hard.

--
KarlMag
 
Old 10-03-2019, 03:52 PM   #13
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
@Ser Olmy
I didn't read that LWN article (actually presenting BP filter and not nftables) thoroughly and my intention was to provide upnort with some unbiased (by my rejection of nftables - new syntax adoption) info about what nftables brings new.
There is not that much detailed architectural info I could find available in one place about nftables, I knew it has its own virtual machine in the kernel but wasn't aware about how it loads/unloads the rulesets different from iptables.
LWN has an actual article about nftables (kernel mailing list):
https://lwn.net/Articles/324251/
netfilter.org too:
https://netfilter.org/projects/nftables/

Thanks to the very useful insights rknichols provided, I learned now that nftables is more efficient in modifying rules and this article - in section "iptables vs. iptables-nft vs. nft" confirms and details this:
https://www.redhat.com/en/blog/using...linux-firewall

@stormtracknole
Quote:
From what I understand, iptables does not scale well when you have to write fairly large and complex rules.
KISS always "scales well"

Last edited by abga; 10-03-2019 at 04:05 PM. Reason: LWM=LWN
 
Old 10-03-2019, 04:45 PM   #14
karlmag
LQ Newbie
 
Registered: Apr 2014
Distribution: Slackware
Posts: 22

Rep: Reputation: Disabled
Quote:
Originally Posted by abga

@stormtracknole
From what I understand, iptables does not scale well when you have to write fairly large and complex rules.

KISS always "scales well"
Well.. sometimes you can only keep it as simple as you can.
If you start keeping it simpler than that, something (important) has to give, and then what?

Not exactly a common home setup, but if you have to filter data on a multi-homed, multi-ISP connected machine (think multiple 10Gb (or even faster) connections). Such a setup, granted, isn't yet extremely common, but also not totally unheard of.
Would be nice if it manages to get as much traffic as possible filtered as needed, preferably all of it.

--
KarlMag

Last edited by karlmag; 10-03-2019 at 04:47 PM. Reason: Trying to get quoting correct.. eventually... :-P
 
Old 10-03-2019, 06:08 PM   #15
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640Reputation: 640
@karlmag

I keep the firewall as simple as possible considering that every rule has an impact on both the latency (packets delay) and performance (processed pps & throughput). Starting by dropping everything and then focus only on the necessary rules to allow required traffic, no unnecessary additional rules or custom chains.
Modern firewall tools netfilter&nftables are versatile and there is a temptation to connect (route&forward) everything with/to everything and then build complex firewalls as "magical" solutions and single point of failure (security-wise). Wrong IMHO. VLANs, network separation, advanced routing can&should also be employed.
With the KISS approach I haven't got into performance issues, even on gigabit, with iptables and that's why I didn't really focus on nftables. I tried it only because I considered to simplify my 2-3 pages iptables firewalls with the new nftables syntax, reduce them to maybe one page, but failed to adopt/memorize the new syntax - my fault! - and dropped it.
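The default-deny "drop everything, then allow only the required traffic" filter abga describes, combined with the iptables-to-nftables syntax mapping teoberi (via iptables-translate) and karlmag mention, as an added example that is not code from this thread or from the netfilter project: a small Python translator for the subset of iptables-save syntax such a KISS ruleset uses. The iptables-save dump is constructed for the example; the real iptables-translate handles far more options. Anything the translator does not understand raises instead of being silently dropped, because a silently omitted match changes what a rule permits, which is exactly the kind of mistake abga reports from a half-converted firewall.

```python
"""Tiny iptables-save -> nftables translator for a default-deny filter table.

Added example for this thread; it is not the netfilter project's
iptables-translate and covers only the few matches a KISS firewall uses.
Any option it does not understand raises ValueError instead of being
dropped silently, because a missing match silently widens or narrows a rule.
"""

# Constructed sample: default-deny INPUT/FORWARD, then only the traffic
# that is actually required (loopback, established flows, ssh, syslog, icmp).
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p udp --dport 514 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

# Built-in iptables chains and the netfilter hook each one attaches to.
HOOKS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def translate_rule(tokens, user_chains=()):
    """Translate the tokens that follow '-A CHAIN' into one nft rule."""
    matches, verdict, proto, i = [], None, None, 0
    while i < len(tokens):
        t = tokens[i]
        if t in ("-i", "-o"):
            matches.append(f'{"iifname" if t == "-i" else "oifname"} "{tokens[i + 1]}"')
            i += 2
        elif t in ("-s", "-d"):
            matches.append(f'ip {"saddr" if t == "-s" else "daddr"} {tokens[i + 1]}')
            i += 2
        elif t == "-p":
            proto = tokens[i + 1]
            i += 2
        elif t in ("--dport", "--sport"):
            # A port match implies the transport protocol, so 'tcp dport 22'
            # already covers what '-p tcp' expressed.
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{t} requires -p tcp or -p udp")
            matches.append(f"{proto} {t[2:]} {tokens[i + 1]}")
            proto = None
            i += 2
        elif t == "-m" and tokens[i + 1:i + 3] == ["conntrack", "--ctstate"]:
            matches.append("ct state " + tokens[i + 3].lower())
            i += 4
        elif t == "-j":
            target = tokens[i + 1]
            if target in VERDICTS:
                verdict = VERDICTS[target]
            elif target in user_chains:
                verdict = f"jump {target}"
            else:
                raise ValueError(f"unsupported target: {target}")
            i += 2
        else:
            # Refuse rather than drop: an ignored match changes the rule's meaning.
            raise ValueError(f"unsupported iptables option: {t!r}")
    if proto:  # '-p icmp' with no port match: plain protocol match
        matches.append(f"ip protocol {proto}")
    if verdict is None:
        raise ValueError("rule has no -j target")
    return " ".join(matches + [verdict])


def translate(save_text):
    """Translate the *filter table of an iptables-save dump to an nft -f file."""
    policies, rules = {}, {}
    for line in save_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            if line != "*filter":
                raise ValueError(f"only the filter table is handled, got {line}")
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]  # ':INPUT DROP [0:0]'
            policies[name], rules[name] = policy, []
        else:
            tokens = line.split()
            if tokens[0] != "-A" or tokens[1] not in rules:
                raise ValueError(f"unsupported line: {line}")
            user_chains = [c for c in rules if c not in HOOKS]
            rules[tokens[1]].append(translate_rule(tokens[2:], user_chains))
    out = ["table ip filter {"]
    for name, policy in policies.items():
        out.append(f"\tchain {name} {{")
        if name in HOOKS:  # base chain: netfilter hook plus default policy
            out.append(f"\t\ttype filter hook {HOOKS[name]} priority 0; "
                       f"policy {policy.lower()};")
        out.extend(f"\t\t{rule}" for rule in rules[name])
        out.append("\t}")
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(translate(IPTABLES_SAVE))
```

The output is a file in the form `nft -f` accepts, so the whole table is applied in one transaction rather than rule by rule; that is the point rknichols raises about how iptables -I and -D reload the entire set. The chain names and default policies carry over unchanged, which is why the result still reads much like the iptables original, as karlmag observes.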
 
  

