On 16 May 2015 at 20:31, Bruce Dubbs <[email protected]> wrote:
> Richard Melville wrote:
>
>> I'm about to build a new firewall for a gateway box and I'm tempted by
>> nftables. It's interesting for two reasons: it's the next generation
>> GNU/Linux firewall, and alone it can replace iptables, ip6tables,
>> arptables, and ebtables.
>>
>> Has anybody used nftables and have anything to report (negative or
>> positive)? I saw mention of it on one of these lists just over a year ago
>> which linked to a useful website. I had already found the website the link
>> pointed to (via google), and it's here http://is.gd/hP4WX0 if anybody is
>> interested.
>
> I started to look at nftables. My initial reaction was that I didn't like
> the interface. Perhaps it's just a style issue, but I prefer using the
> option format. That is something like:
>
> iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>
> That seems to emphasize the options and arguments better than
>
> nft add rule ip filter output ip daddr 192.168.1.0/24 counter
>
> It seems that nft wants to copy the cisco ios syntax (it's been a while, so
> I'm not sure), but it just doesn't 'feel' comfortable to me.
I have to agree, Bruce; the syntax just doesn't seem as intuitive as iptables et al. However, with a new product there's always something new to learn, and it's difficult to know whether the product/interface *is* inferior or whether it's just the comfort factor getting in the way. I think I'll investigate further before coming to a decision.

Thanks

Richard
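As an added illustration (not part of this thread), here are the two rules Bruce quotes above written in nft's ruleset-file form for a gateway box, so the two syntaxes can be compared line by line. The interface names (eth0 = WAN, eth1 = LAN) and the surrounding rules beyond the two quoted lines are assumptions, not anything from the list discussion.

```nft
#!/usr/sbin/nft -f
# Added example: not from the thread. Each iptables line from the message
# is shown as a comment directly above its nft equivalent.
# Assumed interfaces: eth0 = WAN side, eth1 = LAN side.

flush ruleset

# One "inet" table covers both IPv4 and IPv6, which is what replaces the
# separate iptables/ip6tables rule sets.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept

        # iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
        ct state invalid drop

        # iptables -A INPUT -i lo -j ACCEPT
        iif "lo" accept

        # iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT  (LAN-only SSH)
        iifname "eth1" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only LAN -> WAN is allowed to open new connections
        iifname "eth1" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # nft add rule ip filter output ip daddr 192.168.1.0/24 counter
        ip daddr 192.168.1.0/24 counter
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        oifname "eth0" masquerade
    }
}
```

Load with `nft -f <file>` and check the result with `nft list ruleset`; the `counter` rule in the output chain is where the per-rule packet and byte counts become visible.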
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
