From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>, netfilter@vger.kernel.org
Cc: Michiel Leenaars <michiel@nlnet.nl>, Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>, kaber@trash.net
Subject: [ANNOUNCE] nft-sync: nftables ruleset synchronization software
Date: Mon, 12 May 2014 19:49:51 +0200
Message-ID: <20140512174951.GA13725@localhost>
Hi!
We have just finished the initial codebase for a new Netfilter project
within the nftables subproject; its name is nft-sync [1].

Basically, this software aims to support two different setups:
1) Rule-set repository server. The software serves the nft rule-set to
clients that request it. Basically, from the system that acts as the
repository, you have to run:

    # nft-sync -c ../contrib/nft-sync.conf.server

Then, from the client:

    # nft-sync -c ../contrib/nft-sync.conf.client --fetch

This displays the nft rule-set on standard output, so you can inspect
it. Alternatively, the client can also retrieve and apply the nft
rule-set using the pull command instead:

    # nft-sync -c ../contrib/nft-sync.conf.client --pull

[ Note that the command above does not work in this bootstrap yet ]
2) Rule-set synchronization. In primary-backup and multi-primary
firewall configurations, the software makes sure that the firewall
cluster is deploying the same filtering policy. In this case, you have
to launch the process:

    # nft-sync -c ../contrib/nft-sync.conf --sync

[ Note that the command above does not work in this bootstrap yet ]
This bootstrap provides the basic infrastructure as a
proof-of-concept. Many of the necessary features are still lacking:

* Implement the --sync and --pull commands.
* SSL support; specifically, the repository mode needs it to make sure
  nobody can eavesdrop on your filtering policy from the network too
  easily.
* IPv6 support.
* Allow serving different rule-sets in the repository mode.

And many others that will be added progressively.
I would like to thank the NLnet Foundation [2] for sponsoring the
bootstrap of nft-sync.
[1] http://git.netfilter.org/nft-sync/
[2] http://nlnet.nl
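Since --pull is not implemented in this bootstrap and the repository channel has no SSL yet, a client has to bridge the gap between --fetch and loading the rule-set by hand. The script below is an added example, not part of nft-sync or the netfilter project: it fetches the rule-set, runs a parse-only check with `nft -c -f`, shows the diff against the running rule-set, and only loads it when asked to. It assumes that --fetch prints the rule-set in the syntax `nft -f` accepts (the announcement only says it is displayed on standard output), reuses the client config path from the mail, and the NFT_SYNC / NFT variables exist only so the commands can be pointed at stubs.

```shell
#!/bin/sh
# Added example (not nft-sync's own code): fetch, check, diff and
# optionally load an nft rule-set served by an nft-sync repository.
# Assumption: `nft-sync --fetch` prints a rule-set that `nft -f` accepts.
set -eu

NFT_SYNC="${NFT_SYNC:-nft-sync}"   # override to point at a stub when testing
NFT="${NFT:-nft}"
CLIENT_CONF="${CLIENT_CONF:-../contrib/nft-sync.conf.client}"  # path from the announcement

# fetch_ruleset DEST: write the repository's rule-set to DEST.
# Fails if the fetch fails or an empty rule-set came back (an empty file
# would flush the whole policy if loaded, so it is never accepted).
fetch_ruleset() {
    dest="$1"
    "$NFT_SYNC" -c "$CLIENT_CONF" --fetch > "$dest"
    [ -s "$dest" ] || { echo "fetched rule-set is empty, refusing it" >&2; return 1; }
}

# check_ruleset FILE: syntax/semantic check only, nothing reaches the kernel.
check_ruleset() {
    "$NFT" -c -f "$1"
}

# show_diff FILE: difference between the running rule-set and FILE.
# A non-empty diff is expected, so diff's exit status is ignored.
show_diff() {
    "$NFT" list ruleset | diff -u - "$1" || true
}

# apply_ruleset FILE: load FILE; nft -f applies it as one transaction.
apply_ruleset() {
    "$NFT" -f "$1"
}

# pull_ruleset [--review|--apply]: fetch + check + diff; --apply also loads.
# Any failing step aborts before the rule-set is touched (set -e).
pull_ruleset() {
    mode="${1:---review}"
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_ruleset "$tmp"
    check_ruleset "$tmp"
    show_diff "$tmp"
    if [ "$mode" = "--apply" ]; then
        apply_ruleset "$tmp"
        echo "rule-set applied" >&2
    fi
    rm -f "$tmp"
}

# Entry point: `sh nft-pull.sh --review` (default) or `sh nft-pull.sh --apply`.
if [ $# -gt 0 ]; then
    pull_ruleset "$1"
fi
```

Running it without --apply is the safe default: the operator sees exactly what the repository would change before anything is loaded, which matters while the transport is still cleartext and the server cannot be authenticated.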