nftables, AIO packet filtering tool
Posted: 2016-11-26 20:19
I'm sure you guys heard of NFTABLES, which will very soon deprecate iptables, arptables, ebtables etc.. and all their plugin modules, so we'll basically have one tool capable of doing all that before mentioned tools did for us so far.
right now, I'm about to "translate" my firewall rules, into nftables syntax which according to NFTABLES WIKI at first glance looks like a "new programing language", giving us much more control, which previous tools lack in one or other way.
according to NFTABLES WIKI- ingress hook starting from Linux kernel 4.2, gives us ability to filter
Layer 2 packets.. Obviously right now debian users can't enjoy this feature yet, since current Linux kernel is 3.16, but...
I did a lot of research around www, about basics, reading articles but, wasn't able to find an article stating possibility of raw packet filtering.
According to wiki and my understanding, ingress hook feature does the same job, as arptables, which, I guess means that nftables is strictly around IP stack, I mean raw IP packets simply "baypass" the stack by design..
Do you have any idea if raw IP filtering is possible in nftables?
apart from my question which does not really fit into this subforum, what are your experiences with nftables? Is it harder to maintain firewall with nftables?
right now, I'm about to "translate" my firewall rules, into nftables syntax which according to NFTABLES WIKI at first glance looks like a "new programing language", giving us much more control, which previous tools lack in one or other way.
according to NFTABLES WIKI- ingress hook starting from Linux kernel 4.2, gives us ability to filter
Layer 2 packets.. Obviously right now debian users can't enjoy this feature yet, since current Linux kernel is 3.16, but...
I did a lot of research around www, about basics, reading articles but, wasn't able to find an article stating possibility of raw packet filtering.
According to wiki and my understanding, ingress hook feature does the same job, as arptables, which, I guess means that nftables is strictly around IP stack, I mean raw IP packets simply "baypass" the stack by design..
Do you have any idea if raw IP filtering is possible in nftables?
apart from my question which does not really fit into this subforum, what are your experiences with nftables? Is it harder to maintain firewall with nftables?