>> Wasn't nftables mostly iptables compatible?

Mostly :/

https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families

Deprecated extensions
---------------------

physdev
    br_netfilter aims to be deprecated by nftables.

quota
    nfacct already provides quota support.

tos
    deprecated by dscp

----- Original Mail -----
From: "Josef Johansson" <[email protected]>
To: "pve-devel" <[email protected]>
Sent: Tuesday 27 November 2018 14:58:31
Subject: Re: [pve-devel] pve-firewall : nftables ?

On 11/27/18 2:55 PM, Wolfgang Bumiller wrote:
> On Mon, Nov 26, 2018 at 09:00:47AM +0100, Alexandre DERUMIER wrote:
>> Hi,
>>
>> I would like to know if somebody has already made some tests with nftables
>> recently?
>>
>> Mainly, it is not possible to use the physdev direction,
>>
>> like:
>>
>> -A PVEFW-FWBR-OUT -m physdev --physdev-in tap160i1 --physdev-is-bridged -j tap160i1-OUT
>>
>> I wonder if a simple vmap like this could work?
>>
>> https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example
>>
>> chain forward {
>>     type filter hook forward priority 0; policy drop;
>>     jump global
>>     oifname vmap { $nic_dmz : jump dmz_in , $nic_lan : jump lan_in }
>>     oifname $nic_inet iifname vmap { $nic_dmz : jump dmz_out , $nic_lan : jump lan_out }
>> }
>
> The issue was that the regular filter forward table isn't really used
> for bridged traffic (IIRC?), while the bridge filter forward table
> doesn't have access to conntrack. There may be other ways (at some
> point I marked packets in the netdev tables), but I haven't checked in
> a while.
> At least I haven't produced any kernel crashes in a while ;-D
>
> IIRC the issue with netdev tables on the other hand was that they'd have
> to be created after a network device was created. Can't have them "wait
> around" for the device. (Not a big deal, just needs a little more
> callbacks in our interface creation code and lxc bridge hook.) I'd want
> source mac & ip checks to be moved to those tables for outgoing
> packets, they happen quite early in the stack.
>
> The pve-firewall code is very iptables-oriented though, and I'm not sure
> if maybe we're not better off splitting the rule-generating part out
> and writing the nftables variant from scratch... The iptables part would
> be considered feature-frozen from that point on I'd say/hope/think...

Wasn't nftables mostly iptables compatible? Maybe it's a good thing to not freeze the current implementation.

> _______________________________________________
> pve-devel mailing list
> [email protected]
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

--
Kind regards
Josef Johansson
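The physdev rule and the vmap idea discussed above, written out as an added nftables ruleset (not pve-firewall code, not from any poster in this thread). It assumes one VM on bridge port tap160i1 (from the thread), a second hypothetical port tap200i0, the uplink port eth0, the address 10.0.0.160 and MAC 52:54:00:00:01:60; all table and chain names are illustrative. Two facts worth keeping in mind when reading it: bridged frames only traverse the inet/ip forward hook when br_netfilter is loaded, so without it the bridge family is where iifname/oifname see the bridge ports (which is what physdev-in/physdev-out gave iptables); and `ct` in the bridge family needs the nf_conntrack_bridge module (Linux 5.3 and later), so on older kernels the conntrack limitation Wolfgang describes still stands and the `ct` lines must be dropped.

```nft
#!/usr/sbin/nft -f
# Added example, not Proxmox code. Names, addresses and MACs are assumed.
# Bridge family: iifname/oifname are the bridge *ports* (tap devices, uplink),
# which is what "-m physdev --physdev-in/--physdev-out" provided under iptables.
flush ruleset

table bridge pvefw_example {
    # Per-port "OUT" chains (frame entering the bridge from a VM): they only
    # filter and then 'return', so the oifname dispatch below still runs.
    chain tap160i1-OUT {
        ether saddr != 52:54:00:00:01:60 counter drop   # MAC anti-spoof (assumed MAC)
        ip saddr != 10.0.0.160 counter drop             # IP anti-spoof (assumed IP)
        return
    }
    chain tap200i0-OUT {
        return
    }

    # Per-port "IN" chains (frame leaving the bridge towards a VM): these give
    # the final verdict, so the base chain's 'policy drop' is never reached.
    chain tap160i1-IN {
        tcp dport 22 counter accept
        icmp type echo-request accept
        counter drop
    }
    chain tap200i0-IN {
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Needs nf_conntrack_bridge (Linux >= 5.3); remove both lines on older kernels.
        ct state established,related accept
        ct state invalid drop

        # physdev-in equivalent: dispatch on the ingress bridge port.
        iifname vmap { "tap160i1" : jump tap160i1-OUT, "tap200i0" : jump tap200i0-OUT }

        # physdev-out equivalent: dispatch on the egress bridge port.
        oifname vmap { "tap160i1" : jump tap160i1-IN, "tap200i0" : jump tap200i0-IN }

        # Anything that passed its OUT chain and heads for the uplink (assumed eth0).
        oifname "eth0" accept
    }
}

# Early source checks in the netdev family, as the thread suggests: the ingress
# hook runs before the bridge code sees the frame. The table can only be loaded
# once tap160i1 exists ("No such device" otherwise), which is the ordering
# problem mentioned above.
table netdev pvefw_ingress_tap160i1 {
    chain ingress {
        type filter hook ingress device "tap160i1" priority -500; policy accept;
        ether saddr != 52:54:00:00:01:60 counter drop
        arp saddr ip != 10.0.0.160 counter drop   # ARP spoofing is not caught by the ip check
        ip saddr != 10.0.0.160 counter drop
    }
}
```

Load with `nft -f` after the tap device is up; `nft list ruleset` then shows the counters, which is the quickest way to confirm the vmap is actually dispatching on the port you expect rather than falling through to the base-chain policy.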
