On 10/21/2013 10:34 AM, Yasha Karant wrote:
On 10/21/2013 01:07 AM, Steven Haigh wrote:
On 21/10/2013 4:09 AM, Henrique C. S. Junior wrote:
As reported in Slashdot[1] in the near future iptables is going to be
replaced by NFTables in the linux kernel. The project[2] is said to be a
new and best package filtering framework.
Have any of you guys tried it already and have some experiences to
share?

Does it matter? EL6 won't ever have NFTables support.

EL7 probably won't either. Don't stress and keep doing what you're doing.


Perhaps someone familiar with the choices made by TUV will clarify the
above statement: EL7 probably won't either.

SL and other TUV re-distributors of EL simply build and re-package the
TUV product (removing the logos and non-open copyrighted material, but
keeping all of the internal TUV developer statements -- the actual name
of TUV, that evidently is taboo on this list, is plastered all over the
source code for EL). Thus, the decision as to which family of Linux
kernels to use is a TUV decision.

Red Hat Enterprise Linux! It isn't taboo, it just takes longer to type than TUV. Their trademarks must be removed from documentation and distributed materials. Internet discussions really don't matter.

However, as fundamental new functionality, or repackaging of existing
functionality with a new API, is incorporated into the Linux kernel --
not in an experimental way that may be removed, but in the "stable
production" released version - the high reliability approach requires
that the kernel receives extensive field testing (as happens with
Fedora) as well as stress testing and internal hardening against threats
and compromises that may not be as needed in an enthusiast distribution.

Nonetheless, once a major change (e.g., NFTables replacing iptables) is
done in the base source, the production enterprise version must reflect
the change -- and in less than a decade. Why less than a decade? Unless
there is a fully backward compatible set of APIs, new applications and
revisions typically use the current not historical APIs. Presumably,
there will be NFTables features that application developers will use
that have no iptables backport.

If one takes the time to read up on NFTables (e.g., the articles previously linked), they would find that there is an iptables compatibility layer under development alongside this new project.

Thus -- how long is the delay? Typically, are two major releases (e.g.,
NFTables in EL8) the usual delay? Does anyone have historical data from
EL/TUV?


As was previously said, I wouldn't get flustered or worked up over this. NFTables has been in the works for 4 years and is just making it into a forked development tree (not mainline), and it will be some time before it trickles into the enterprise. Look at how far ahead KDE, GNOME, and other technologies are from the current SL6 offering for comparison.

-Mark


--
Mr. Mark V. Stodola
Senior Control Systems Engineer

National Electrostatics Corp.
P.O. Box 620310
Middleton, WI 53562-0310 USA
Phone: (608) 831-7600
Fax: (608) 831-9591
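For readers who have not yet looked at the new framework, here is what the change discussed in this thread looks like in practice. This is an added example, not from any of the posters or from the nftables project: a small stateful host firewall, first as the familiar iptables commands (in the comment header) and then as the equivalent nftables ruleset loaded with `nft -f`. The rule set, interface name and port are constructed for illustration. The one structural difference worth noticing is that nftables has no built-in tables or chains: the chain has to declare which hook it attaches to and what its base policy is, and a single `inet` table covers both IPv4 and IPv6 where iptables needs a separate ip6tables configuration. The compatibility layer mentioned above later shipped as the iptables-nft backend and the iptables-translate tool, which emit nft syntax from iptables command lines.

```nft
#!/usr/sbin/nft -f
# Constructed example: a minimal stateful host firewall as an nftables
# ruleset. It is equivalent to these (also constructed) iptables rules:
#
#   iptables -P INPUT DROP
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#   iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#
# Start from an empty ruleset so the file is the whole policy, not a
# set of appends on top of whatever was already loaded.
flush ruleset

# One "inet" table handles IPv4 and IPv6 together; with iptables this
# would have to be duplicated in ip6tables.
table inet filter {
    chain input {
        # Unlike iptables, nothing is built in: the chain must state the
        # netfilter hook it attaches to, its priority, and the base policy.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iif "lo" accept

        # Stateful handling: let replies through, discard broken state.
        ct state established,related accept
        ct state invalid drop

        # New inbound SSH connections only (port 22 is the example's choice).
        tcp dport 22 ct state new accept

        # ICMP echo for IPv4; for IPv6 the neighbour-discovery types are
        # needed as well, or the host stops answering on the link.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
}
```

Load it with `nft -f` as root and inspect the result with `nft list ruleset`; since the file begins with `flush ruleset`, re-running it is idempotent, which is a convenient property the equivalent sequence of `iptables -A` commands does not have.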
