top | item 14286798


click170 | 8 years ago

I use and recommend nftables, and while it's very usable I also think it's important to acknowledge that nftables is not yet at full feature parity with iptables.

More details can be found here:

- https://wiki.nftables.org/wiki-nftables/index.php/Supported_...

- https://wiki.nftables.org/wiki-nftables/index.php/List_of_up...

All the basics are there and I'm already using it for my home firewall so don't get the wrong idea, but if you use any of the more interesting iptables features you might want to test those features out in nft before committing yourself to it. Your kernel version is key.

Also, let me extend a Thank You to everyone who's worked to make nftables a reality! My favorite parts are atomic ruleset replacement and the ability to do 'log and drop' in one rule.

Edit: Added link to actual feature comparison
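The two features praised in the comment above (atomic ruleset replacement and log-and-drop in a single rule) are easy to show in a small ruleset. What follows is an added example written for this page, not the commenter's own firewall and not part of the original thread. It assumes a Debian stretch-era `nft` and a kernel with nf_tables; the file path, the log prefix, the allowed ports and the helper function names are all arbitrary choices made here.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal nftables ruleset
# that is replaced atomically with `nft -f` and uses one log-and-drop rule.
# Assumptions: nft >= 0.7, kernel with nf_tables. Paths/prefixes are arbitrary.
set -eu

# Write the ruleset to the file named in $1 and echo the path back.
write_ruleset() {
    out="$1"
    cat > "$out" <<'EOF'
# "flush ruleset" plus everything below it is committed as ONE transaction by
# `nft -f`: the kernel never sees the window between the flush and the new
# rules, unlike an `iptables -F` followed by a series of `iptables -A`.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept
        ct state invalid drop

        tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Log and drop in one rule: "log" is a non-terminating statement, so
        # the verdict "drop" can follow it in the same rule. With iptables this
        # took two rules (-j LOG, then -j DROP) that could drift apart.
        log prefix "nft-input-drop: " level warn drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
    echo "$out"
}

# First non-comment, non-blank statement of the file. For an atomic replace
# it must be "flush ruleset"; otherwise `nft -f` would ADD to what is loaded.
first_statement() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# Count rules that log and drop in one statement (sanity check for the file).
count_log_drop_rules() {
    grep -c 'log prefix .* drop$' "$1"
}

# Syntax-check the file (-c parses it without committing), then load it.
# If either step fails, the currently loaded ruleset is left untouched.
# Run this as root on the host; it is deliberately not called automatically.
apply_ruleset() {
    nft -c -f "$1" && nft -f "$1"
}

# Write the file on load so the helpers above have something to inspect.
RULESET_FILE=$(write_ruleset "${TMPDIR:-/tmp}/nft-example-ruleset.nft")
```

To use it, run the script once to produce the file, review it, then call `apply_ruleset "$RULESET_FILE"` as root. Because the `input` chain has `policy drop`, keep the rule that accepts your management port (22 here) or the atomic swap will lock you out in one clean transaction. `nft -c -f` is the check a practitioner wants before every deploy: it catches syntax errors and unsupported expressions for your kernel without touching the live ruleset, which matters on the older kernels the comment warns about.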

jeltz | 8 years ago

Damn, it does not support NETMAP which I use on one of my machines. :( Maybe I could work around that though by rethinking how I rewrite the addresses. But either way I will start using nftables everywhere I can after upgrading to stretch.