Given that the kernel portion of nftables appears to just be a byte code interpreter, it probably would be possible to make something that takes pf syntax and puts out nftables byte code.
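The pf-frontend idea above, as an added example that is not code from this thread: a toy translator for a tiny pf subset that emits nft command syntax (nft's own userspace frontend then compiles that into the kernel bytecode). It assumes an `inet filter` table with `input` and `output` chains already exists, and the ruleset is constructed for illustration.

```python
import re

# Tiny pf subset this toy translator understands (assumption: not real pf coverage).
PF_RULE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"\s+proto\s+(?P<proto>tcp|udp)\s+from\s+any\s+to\s+any\s+port\s+(?P<port>\d+)\s*$"
)

def parse_pf(text):
    """Parse pf rules, skipping blanks and comments; reject anything outside the subset."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PF_RULE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported pf syntax: {line!r}")
        d = m.groupdict()
        d["quick"] = d["quick"] is not None
        rules.append(d)
    return rules

def to_nft(rule):
    """One pf rule -> one nft 'add rule' command (table/chains assumed to exist)."""
    chain, match = ("input", "iifname") if rule["dir"] == "in" else ("output", "oifname")
    verdict = "accept" if rule["action"] == "pass" else "drop"
    return (f'add rule inet filter {chain} {match} "{rule["iface"]}" '
            f'{rule["proto"]} dport {rule["port"]} {verdict}')

def translate(text):
    """pf is last-match-wins unless a rule says 'quick'; nft accept/drop verdicts are
    first-match.  Emitting quick rules first (original order) and then the remaining
    rules in reverse preserves which rule wins for every packet."""
    rules = parse_pf(text)
    quick = [r for r in rules if r["quick"]]
    rest = [r for r in rules if not r["quick"]]
    return [to_nft(r) for r in quick + rest[::-1]]

SAMPLE_PF = """\
# constructed sample ruleset
block in on em0 proto tcp from any to any port 22
pass in quick on em0 proto udp from any to any port 53
pass in on em0 proto tcp from any to any port 22
block out on em0 proto tcp from any to any port 25
"""

if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_PF)))
```

The reordering is the only non-obvious part: in pf the later `pass ... port 22` overrides the earlier `block`, so it must come first in the nft chain.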
I've used all of the above. pf is much, much overrated. iptables is just about as capable. Plus, in a speed test I did a while ago, a Linux firewall vastly outperformed an OpenBSD firewall on the same hardware, in terms of the amount of traffic it could handle before keeling over and dying.
nftables sounds like a great example of why you should learn compilers: http://steve-yegge.blogspot.com/2007/06/rich-programmer-food... You can write reams of code that work, but still have limits, and overcoming those limits would require further endless reams of code (iptables). Or you can write something simpler that breaks the problem down into primitives which a compiler will let you put together arbitrary ways, and despite being more flexible, is still less code (nftables).
jlgaddis | 12 years ago
When I began using Linux, "ipfwadm" had just been incorporated into the kernel. It was replaced in 2.2 by "ipchains", which was replaced in 2.4 by "iptables". Now we have "nftables".
I'll admit to not knowing much about nftables but from what I've read about it in the last few days, it's still not even close to what OpenBSD's "pf" is capable of.
Ahhh, well, I can wish, right?
zdw | 12 years ago
I think that would be pretty slick. As a long-time pf user, I've always preferred its syntax, and the nftables syntax looks like a step in the right direction at least, given the horror that was previous syntax methods.
simcop2387 | 12 years ago
Florin_Andrei | 12 years ago
OpenBSD is neat, but creating a cult around it doesn't help with anything.
networked | 12 years ago
Well, there's at least a Linux port of FreeBSD's ipfw and dummynet: http://info.iet.unipi.it/~luigi/dummynet/. I tried it briefly on my home server (Ubuntu 12.04 LTS with a stock 3.2.0 kernel) and it appeared to work as expected with rulesets written for FreeBSD.
Thaxll | 12 years ago
lelf | 12 years ago
jerf | 12 years ago
agumonkey | 12 years ago
welterde | 12 years ago
jebblue | 12 years ago