From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Reindl Harald <h.reindl@thelounge.net>
Cc: "Trent W. Buck" <trentbuck@gmail.com>, netfilter@vger.kernel.org
Subject: Re: Moving from ipset to nftables: Sets not ready for prime time yet?
Date: Wed, 8 Jul 2020 12:36:56 +0200
Message-ID: <20200708103656.GA22743@salvia>
In-Reply-To: <44067eef-0cfe-ac29-f3e6-463c20d8e38d@thelounge.net>
On Wed, Jul 08, 2020 at 12:16:18PM +0200, Reindl Harald wrote:
>
>
> Am 08.07.20 um 09:51 schrieb Trent W. Buck:
> > Reindl Harald <h.reindl@thelounge.net> writes:
> >
> >> Am 03.07.20 um 09:04 schrieb G.W. Haywood:
> >>> On Fri, 3 Jul 2020, Timo Sigurdsson wrote:
> >>>
> >>>> ... I use ipsets for blacklisting.
> >>>> I fetch blacklists from various sources
> >>>> ... This approach has worked for me for quite some time.
> >>>> ... some of my blacklists may contain the same addresses or ranges,
> >>>> I use ipsets' -exist switch when loading
> >>>> ... I don't think that the use case is that extraordinary ...
> >>>
> >>> +6
> >>>
> >>> FWIW I'll be following this thread very closely.
> >>
> >> it turned out at least with recent kernel and recent userland
> >> "iptables-nft" can fully replace "iptables" and continue to use "ipset"
> >> unchanged
> >
> > I tested this and you're right - it is working. This surprised me!
> >
> > I saw these "commented out" rules in iptables-translate, where
> > I (wrongly) assumed that meant the rule was completely inactive.
>
> "iptables-translate" comments out much more than just ipset related
> stuff, in my case xt_recent and connlimit rules are also just comments

If you could post what kind of rule examples are commented out, it
would help us keep this on the radar.
It is not too hard to add new translations, there is a _xlate()
function under iptables/extensions/libxt_*.c that provides the
translation. The important thing is to validate that the translation
is semantically equivalent, or if not possible, provide a close
translation.
Thanks.
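Added example (not code from the netfilter project or from anyone in this
thread): since iptables-translate leaves the ipset rules as comments, the
set part of a blacklist has to be carried over by hand. The script below
takes `ipset save` output, applies the semantics the loader relied on (the
`-exist` switch tolerates duplicate entries; hash:net sets hold overlapping
prefixes), emits an nft script with a named set per ipset, and checks that
the emitted set still covers every original entry, which is the
"semantically equivalent" test applied to the data. The dump is constructed
sample input; the table and chain names are arbitrary assumptions.

```python
"""Hand-translate an ipset blacklist into nftables named sets.

Added example, not netfilter project code. The dump below is constructed
sample input; table/chain names are arbitrary.
"""
import ipaddress


# Constructed `ipset save`-style dump with the duplicates and overlaps that
# lists merged from several sources typically contain.
IPSET_DUMP = """\
create blacklist_v4 hash:net family inet hashsize 1024 maxelem 65536
add blacklist_v4 198.51.100.0/24
add blacklist_v4 198.51.100.0/24
add blacklist_v4 198.51.100.128/25
add blacklist_v4 203.0.113.7
create badhosts hash:ip family inet hashsize 1024 maxelem 65536
add badhosts 192.0.2.1
add badhosts 192.0.2.1
"""


def parse_ipset_dump(text):
    """Return {set_name: (ipset_type, [entry, ...])} from `ipset save` text."""
    sets = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "create":
            sets[parts[1]] = (parts[2], [])
        elif parts[0] == "add":
            sets[parts[1]][1].append(parts[2])
    return sets


def normalise(ipset_type, entries):
    """Reproduce what `ipset add -exist` tolerated: exact duplicates are
    dropped, and for hash:net overlapping or adjacent prefixes are collapsed
    here (assumption: merge in the script rather than rely on an nft set
    option), since an nft interval set rejects overlapping elements."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    if ipset_type != "hash:net":
        # hash:ip holds single addresses: dedupe, keep first-seen order
        return list(dict.fromkeys(nets))
    return list(ipaddress.collapse_addresses(nets))


def element_text(net):
    """nft element syntax: host entries without /32, prefixes with the length."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def to_nft(sets, table="blacklist", chain="input"):
    """Emit an nft script: one named set per ipset and a drop rule per set."""
    out = [f"table inet {table} {{"]
    for name, (ipset_type, entries) in sets.items():
        elems = normalise(ipset_type, entries)
        out.append(f"\tset {name} {{")
        out.append("\t\ttype ipv4_addr")
        if ipset_type == "hash:net":
            # prefixes need an interval set; hash:ip maps to a plain set
            out.append("\t\tflags interval")
        out.append("\t\telements = { " + ", ".join(map(element_text, elems)) + " }")
        out.append("\t}")
    out.append(f"\tchain {chain} {{")
    out.append("\t\ttype filter hook input priority 0; policy accept;")
    for name in sets:
        out.append(f"\t\tip saddr @{name} drop")
    out.append("\t}")
    out.append("}")
    return "\n".join(out) + "\n"


def covers_all(entries, elems):
    """Equivalence check on the data: every original ipset entry must fall
    inside some element of the emitted nft set."""
    originals = [ipaddress.ip_network(e, strict=False) for e in entries]
    return all(any(o.subnet_of(e) for e in elems) for o in originals)


if __name__ == "__main__":
    parsed = parse_ipset_dump(IPSET_DUMP)
    for name, (kind, entries) in parsed.items():
        assert covers_all(entries, normalise(kind, entries)), name
    print(to_nft(parsed), end="")
```

Load the output with `nft -f`. On a refresh, flush the set first (`nft flush
set inet blacklist blacklist_v4`) and load again; reloading a table block
on top of an existing interval set with overlapping elements is exactly
where the `-exist`-style tolerance is missing, which is why the script
merges overlaps before emitting.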
Thread overview: 15+ messages
2020-07-02 23:18 Moving from ipset to nftables: Sets not ready for prime time yet? Timo Sigurdsson
2020-07-03 7:04 ` G.W. Haywood
2020-07-03 10:39 ` Reindl Harald
2020-07-08 7:51 ` Trent W. Buck
2020-07-08 10:16 ` Reindl Harald
2020-07-08 10:36 ` Pablo Neira Ayuso [this message]
2020-07-08 10:48 ` Reindl Harald
2020-07-09 4:40 ` Trent W. Buck
2020-07-14 13:27 ` Timo Sigurdsson
-- strict thread matches above, loose matches on Subject: below --
2020-07-02 22:30 Timo Sigurdsson
2020-07-03 9:28 ` Stefano Brivio
2020-07-03 10:24 ` Jozsef Kadlecsik
2020-07-03 13:38 ` Stefano Brivio
2020-07-03 14:03 ` Timo Sigurdsson
2020-07-30 19:27 ` Pablo Neira Ayuso