On 2/20/19 3:40 PM, Simon Hobson wrote:
> Erich Titl <erich.t...@think.ch> wrote:
> 
>> But back to shorewall, do you see any way
>> your work could be carried on?
> 
> One of the issues is that iptables is being deprecated. AIUI, it's already to 
> the stage where nft must be installed and ipt cmd line tools are being 
> relabelled *-legacy - and they call translation tools to translate ipt calls 
> into nft. Or something like that.

The good news is that the iptables functionality is a sub-set of the
nftables functionality. I have been playing with Debian 10 Testing, where:

- nft is not required to be installed.
- you currently get a choice of using the nftables backend or the
iptables/xtables backend (via /etc/alternatives).
- so far, with the exception of the functionality provided by
xtables-addons, everything in Shorewall seems to work when using the
nftables backend.
- When you do install nft, you can use it to display the translated
iptables ruleset generated by Shorewall.
- xtables-addons installation currently fails on Debian 10, but that is
the norm for that package at this stage of a Debian release.

> There's also the bpf package that looks like it might be better - but it's 
> only at an early stage.
> 
> Whatever happens, Shorewall as it is now will be obsolete. It would need 
> someone with a good skill set (which rules me out) to determine which parts 
> can be re-used, and to write new translators to convert the Shorewall configs 
> into whatever packet filtering system ends up becoming "the standard".

The Shorewall rules compiler was originally written to translate the
user input directly into iptables-restore input. That made
implementation of a workable optimizer almost impossible. To resolve
that issue, an intermediate representation was created that is
independent of iptables syntax and that is amenable to optimization.
Once that intermediate form has been optimized, it is converted back
into iptables-restore form. Much of the compiler has been converted to
generate the intermediate form directly from user input, but a sizable
part still generates iptables-restore code which is then translated.

The good news is that a very small part of the compiler is dedicated to
converting the intermediate form back into iptables commands. For the
most part, modifying Shorewall to generate nft input involves only that
small part.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
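The compiler structure Tom describes above (user input parsed into a backend-neutral intermediate form, optimized there, then rendered by a small backend-specific emitter) as an added toy model in Python; this is not Shorewall's own Perl code, and it assumes a made-up four-field rule syntax, only ACCEPT/DROP actions, and a single filter table:

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Backend-neutral intermediate form: chain, optional match criteria, terminating action."""
    chain: str
    proto: str | None   # None = any protocol
    dport: int | None   # None = any port
    action: str         # "ACCEPT" or "DROP"

# Constructed sample in a made-up "ACTION chain proto dport" syntax ("-" = any); not Shorewall's format.
SAMPLE_RULES = "ACCEPT net tcp 22\nACCEPT net tcp 22\nDROP net - -\nACCEPT net tcp 80\n"

def parse(text: str) -> list[Rule]:
    """User input -> intermediate form; this front end never sees backend syntax."""
    return [Rule(c, None if p == "-" else p, None if d == "-" else int(d), a)
            for a, c, p, d in (ln.split() for ln in text.splitlines() if ln.strip())]

def optimize(rules: list[Rule]) -> list[Rule]:
    """Works on the IR only: drop exact duplicates and rules shadowed by a catch-all in their chain."""
    out, closed = [], set()
    for r in rules:
        if r in out or r.chain in closed:
            continue
        out.append(r)
        if r.proto is None and r.dport is None:   # terminating catch-all closes the chain
            closed.add(r.chain)
    return out

def chains(rules: list[Rule]) -> list[str]:
    return list(dict.fromkeys(r.chain for r in rules))   # first-seen order, no duplicates

def emit_iptables_restore(rules: list[Rule]) -> str:
    """Backend 1: iptables-restore input, the form Shorewall generates today."""
    lines = ["*filter"] + [f":{c} - [0:0]" for c in chains(rules)]
    for r in rules:
        match = (f" -p {r.proto}" if r.proto else "") + (f" --dport {r.dport}" if r.dport is not None else "")
        lines.append(f"-A {r.chain}{match} -j {r.action}")
    return "\n".join(lines + ["COMMIT"])

def emit_nft(rules: list[Rule]) -> str:
    """Backend 2: an nft script from the same IR; only this emitter differs from the iptables one."""
    out = ["table ip filter {"]
    for c in chains(rules):
        out.append(f"  chain {c} {{")
        for r in (x for x in rules if x.chain == c):
            match = f"{r.proto} dport {r.dport} " if r.dport is not None else (f"meta l4proto {r.proto} " if r.proto else "")
            out.append(f"    {match}{r.action.lower()}")
        out.append("  }")
    return "\n".join(out + ["}"])
```

Running `emit_nft(optimize(parse(SAMPLE_RULES)))` yields a two-statement chain: the duplicate and the rule shadowed by the catch-all DROP are removed before either backend sees them.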
