1. 8

  2. 6

    If someone’s new to the topic, I think they’d probably do better to learn nftables, which is in the process of replacing iptables. My understanding of the process (and let me admit I’m not an expert here) is that it covers all the common uses of iptables but hasn’t yet displaced it in distros.

    1. 2

      I am a fan of nftables, but the userland tooling was buggy when you tried to do things outside of TCP/UDP filtering.

      The unified handling IPv4 and IPv6 with the same rule broke down quickly once you started looking at ICMP. It meant you had to go back to managing separate rulesets again which was one of the big reasons to go to nftables originally.

      As a network admin and programmer I understand why this was a problem and was prepared that things are never that simple regardless of the glossy broucher.

      For adminstrators though, I suspect it has nothing compelling enough to use that cannot already be done with iptables. nftables as a kernel developer makes sense, but of course that is not the target userbase

      Though, maybe all the userland problems have been fixed in the two years since I last seriously used it, but if not maybe this is why nftables is not getting the airtime it deserves. It sent off the fanfare before it was ready or primetime.

      1. 1

        You can even use both, together at the same time!

        1. 2

          Though, not for NAT. Be careful on routers, which often includes machines running containers.