Discussion:
[Shorewall-users] NFTables on the roadmap?
Ob Noxious
2016-10-31 17:44:28 UTC
Hi,

You probably already know most of its contents but here's a nice
introduction to NFTables:

http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/

Is there any plan in the future to switch to it?

I ask because it's now quite widely available, since kernel 3.13, in most
distros and the benefits are huge.
--
ObNox
Tom Eastep
2016-10-31 18:27:03 UTC
Post by Ob Noxious
Hi,
You probably already know most of its contents but here's a nice
http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/
Is there any plan in the future to switch to it?
I ask because it's now quite widely available, since kernel 3.13,
in most distros and the benefits are huge.
The design of Shorewall is inexorably linked to that of iptables. So
there are no plans to implement nftables support. That must be an
entirely new product, and at the age of 71, I have no interest in
taking on such a large project.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Lee Brown
2016-11-04 01:21:32 UTC
Post by Ob Noxious
Hi,
You probably already know most of its contents but here's a nice
http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/
Post by Ob Noxious
Is there any plan in the future to switch to it?
I ask because it's now quite widely available, since kernel 3.13,
in most distros and the benefits are huge.
The design of Shorewall is inexorably linked to that of iptables. So
there are no plans to implement nftables support. That must be an
entirely new product, and at the age of 71, I have no interest in
taking on such a large project.
-Tom
*nft* syntax differs from {ip,ip6,eb,arp}tables. Moreover, there is a *backward
compatibility layer* that allows you to run iptables/ip6tables, using the
same syntax, over the nftables infrastructure.
So it would seem Shorewall should remain relevant .. at least for a while.

Personally I'd like to take the opportunity to, once again, thank Tom and
the team behind Shorewall for their excellent work. By observing the input
and output, I was able to gain an understanding of iptables that I was
never able to glean any other way (what's better than a working example?).
As a one-man admin Shorewall has enabled me to very easily provide various
services (voice, video, internet) to 5 sites separated with MPLS and
redundant radio bridges.
-- lee
Ryan Joiner
2016-11-04 04:34:13 UTC
-------- Original Message --------
Subject: Re: [Shorewall-users] NFTables on the roadmap?
From: Lee Brown <***@ratnaling.org>
To: Shorewall Users <shorewall-***@lists.sourceforge.net>
Date: 11/3/16, 6:21 PM
Post by Ob Noxious
Hi,
You probably already know most of its contents but here's a nice
http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/
Post by Ob Noxious
Is there any plan in the future to switch to it?
I ask because it's now quite widely available, since kernel 3.13,
in most distros and the benefits are huge.
The design of Shorewall is inexorably linked to that of iptables. So
there are no plans to implement nftables support. That must be an
entirely new product, and at the age of 71, I have no interest in
taking on such a large project.
-Tom
*nft* syntax differs from {ip,ip6,eb,arp}tables. Moreover, there
is a *backward compatibility layer* that allows you to run
iptables/ip6tables, using the same syntax, over the nftables
infrastructure.
So it would seem Shorewall should remain relevant .. at least for a while.
Personally I'd like to take the opportunity to, once again, thank Tom
and the team behind Shorewall for their excellent work. By observing
the input and output, I was able to gain an understanding of iptables
that I was never able to glean any other way (what's better than a
working example?). As a one-man admin Shorewall has enabled me to
very easily provide various services (voice, video, internet) to 5
sites separated with MPLS and redundant radio bridges.
-- lee
I second that in thanking Tom and all who contribute to Shorewall. There
are so many people I have been able to help not waste money on
unnecessary products that cost a ton and are so limited unless you spend
way more money on licensing, etc. THANKS. I dread iptables going away.
Gerhard Wiesinger
2016-11-15 09:12:34 UTC
Post by Ob Noxious
Hi,
You probably already know most of its contents but here's a nice
http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/
Is there any plan in the future to switch to it?
I ask because it's now quite widely available, since kernel 3.13,
in most distros and the benefits are huge.
The design of Shorewall is inexorably linked to that of iptables. So
there are no plans to implement nftables support. That must be an
entirely new product, and at the age of 71, I have no interest in
taking on such a large project.
Anyway, thank you for your further development of shorewall!

Ciao,
Gerhard

Tom Eastep
2016-11-16 20:57:16 UTC
Post by Gerhard Wiesinger
Post by Ob Noxious
Hi,
You probably already know most of its contents but here's a
http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/
Is there any plan in the future to switch to it?
Post by Gerhard Wiesinger
Post by Ob Noxious
I ask because it's now quite widely available, since kernel
3.13, in most distros and the benefits are huge.
The design of Shorewall is inexorably linked to that of iptables.
So there are no plans to implement nftables support. That must be
an entirely new product, and at the age of 71, I have no interest
in taking on such a large project.
Anyway, thank you for your further development of shorewall!
Thank you Gerhard, and to all who responded to my email above.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________