For a long time, Linux has perhaps been in a transition from the venerable iptables to nftables. I'm haven't been terribly enthused about nftables in the past (the last time I considered it I was persuaded to take a different path) for an assortment of reasons. My recent use of nftables wasn't because I've changed my spots; instead, it's because Ubuntu 22.04 has chosen to make nftables the native interface. If you install a stock 22.04 server, you'll get a system where the 'iptables
' binary is actually a compatibility shim that sets up nftables rules. When I had to do some new firewall stuff on an Ubuntu 22.04 machine recently, I decided that I'd try nftables through its native interface.
The experience wasn't entirely smooth sailing. Nftables does a number of things differently than iptables, so you have to learn its terminology and rules format, and understand its approach to things. Since I've only dipped into nftables, I have at best a sliver of understanding of the proper nftables way, basically just enough to write some simple firewall rules that worked when I tested them. Depending on your perspective, it's either good or bad that I could actually do this without having to really learn nftables.
(On the one hand, I got things working without too much effort. On the other hand, a lack of true understanding can easily lead to firewall rules that have holes and issues you don't expect.)
Although nftables can be used interactively in a way that's like iptables, I chose to use it in a way more like OpenBSD's pf, where I wrote and modified my rules in /etc/nftables.conf and then reloaded the entire collection of everything with 'nft -f'. This experience is much better than the traditional iptables approach, where the 'load from file' and 'save to file' operations have the feel of a hack rather than a designed format and it can be easier to automate your rule setup with a script.
Some of our other Ubuntu 22.04 systems have existing iptables based rules (carried forward from their 18.04 versions). So far these all appear to work correctly, including some iptables rules that use ipsets. We're likely going to keep them using the iptables
command rather than trying to convert them to nftables; we're familiar with iptables
, the rules (still) work, and we wouldn't get much if we switched.
(We have some situations where we add and remove firewall rules on the fly, instead of using a static set of them. This doesn't fit well into the nftables.conf approach, so if we did a native conversion we'd have to try to figure out how to integrate static rules, ideally set up through nftables.conf, and dynamic rules added on top of them.)
from Hacker News https://ift.tt/YS8Q3hk
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.