port to nftables as a replacement for iptables

Information

ID: 509
PHID: PHID-TASK-bnqk6xb7z3slm7pi4eqn
Author: HulaHoop
Status at Migration Time: open
Priority at Migration Time: Normal

Description

nftables is the biggest change in the Linux firewalling system in more than a decade.

It promises simplified rulesets, unification of IPv4/IPv6 rules and superior performance to iptables. It also allows backward compatibility with iptables rules. There may be benefits to switching but also reasons not to: if it ain't broke, don't fix it. Nonetheless, it's some food for thought.

Supported in recent kernels (3.13+) and packaged in Debian from Jessie onwards.

http://wiki.nftables.org/wiki-nftables/index.php/Main_Page
http://netfilter.org/projects/nftables/


Or Berkeley Packet Filter (BPF)?


IPv6 is coming in Tor:


TODO:
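To make the "unification of IPv4/IPv6 rules" point concrete, here is an added example of a minimal stateful host firewall written as a native nftables ruleset. It is not part of the original ticket and is not Whonix's firewall; the address ranges (192.0.2.0/24 and 2001:db8::/32) are documentation prefixes chosen as placeholders. With iptables the same policy needs two parallel rulesets loaded via `iptables` and `ip6tables`; in nftables the `inet` family matches both protocols in one table, and only the rules that genuinely differ per protocol (ICMP vs. ICMPv6, the source prefixes) are written twice.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not Whonix's own). Load with: nft -f <file>
# Syntax-check without touching the kernel: nft -c -f <file>

flush ruleset

# "inet" = one table that sees both IPv4 and IPv6 packets.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections we opened ourselves.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP (v4) and ICMPv6 are needed for path MTU discovery and,
        # on IPv6, for neighbour discovery; this is where v4 and v6
        # still differ and therefore need separate lines.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH only from the management networks (hypothetical prefixes).
        ip saddr 192.0.2.0/24 tcp dport 22 accept
        ip6 saddr 2001:db8::/32 tcp dport 22 accept

        # Everything else is rate-limited into the log, then hits the
        # chain policy (drop). "limit" must precede "log" so the limit
        # is applied to the logging, not to the drop.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host does not route; drop transit traffic in both families.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The backward-compatibility claim in the description refers to the `iptables-nft` backend shipped with iptables 1.8+, which keeps the old command-line syntax but installs rules into nftables, and to `iptables-translate` / `ip6tables-translate`, which print the nft equivalent of an iptables rule (for example `iptables-translate -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT`). When migrating an existing iptables policy, translate it, merge the v4 and v6 output into one `inet` table, and verify with `nft -c -f` before loading, because a ruleset that fails to parse is rejected atomically and the previous ruleset stays active.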

Comments


Patrick

2016-07-20 12:47:50 UTC


marmarek

2017-01-30 11:06:16 UTC


HulaHoop

2018-06-20 13:03:45 UTC


HulaHoop

2018-12-03 17:02:28 UTC


HulaHoop

2019-10-17 17:29:16 UTC


Patrick

2019-10-21 05:33:06 UTC


Patrick

2019-12-11 01:10:33 UTC


marmarek

2019-12-11 02:35:31 UTC


ak88

2021-08-09 17:22:53 UTC


Patrick

2021-08-09 19:13:31 UTC


Patrick

2023-05-09 10:23:50 UTC


Patrick

2023-05-09 10:34:56 UTC


Patrick

2023-05-15 17:23:08 UTC


Patrick

2023-05-15 18:21:27 UTC


Patrick

2023-05-16 10:32:09 UTC


Patrick

2023-11-26 06:28:40 UTC


This has been implemented.

@Patrick can you change the tag from status_open_issue_todo to status_closed_issue_implemented ?

Done.


This is now in the testers repository.


IPv6 support now has a separate, dedicated ticket: add IPv6 support

This is now in the testers repository.

This is now in the testers repository.

This is now in the stable-proposed-updates repository.