* nftables
@ 2020-04-28 7:38 Patrick Greiff
2020-04-28 7:50 ` nftables Fatih USTA
0 siblings, 1 reply; 6+ messages in thread
From: Patrick Greiff @ 2020-04-28 7:38 UTC (permalink / raw)
To: netfilter
Hi everyone,
I have a question about nftables.
With iptables I had a blacklist where I wrote in the IPs that wanted to
hack me.
How can I integrate something like that into nftables? And also restart when the
IPs are updated.
^ permalink raw reply [flat|nested] 6+ messages in thread
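The approach a practitioner would reach for here is an nftables named set rather than one rule per address: the set is declared once in the ruleset, and its contents can be refreshed without touching the rest of the firewall. The script below is an added example and is not part of this thread or of the nftables project; the file name /etc/nftables/blocklist.txt, the set name "blocklist" and the sample addresses (RFC 5737 documentation ranges) are assumptions. It only generates nft script text, so it can be run anywhere; loading the result requires root and `nft -f` on the target host.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an nftables ruleset that keeps the
# "attackers" in a named set, so the set can be refreshed without restarting
# anything. Only generates text; load it with `nft -f` as root on the target.

# Constructed sample blocklist (hypothetical addresses from RFC 5737 ranges),
# one entry per line; comments, blanks and a deliberately bad line are included.
BLOCKLIST_SAMPLE='# hosts seen brute-forcing ssh (constructed data)
192.0.2.10
198.51.100.0/24
999.1.1.1        # invalid, must be dropped by the filter
203.0.113.7
'

# Keep only syntactically valid IPv4 addresses or CIDR prefixes, so a stray
# line in the blocklist file can never make `nft -f` reject the whole ruleset
# (which would leave the old rules in place and the new attackers unblocked).
filter_ipv4() {
    sed 's/#.*//' | tr -d ' \t' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        awk -F'[./]' '{ ok = 1
                        for (i = 1; i <= 4; i++) if ($i + 0 > 255) ok = 0
                        if (NF == 5 && $5 + 0 > 32) ok = 0
                        if (ok) print }'
}

# Join the filtered entries into nft set-element syntax: "a, b, c".
join_elements() {
    list=$(filter_ipv4 | sed 's/$/,/' | tr '\n' ' ')
    printf '%s' "${list%, }"
}

# Full ruleset for `nft -f`: the "declare, delete, redeclare" idiom makes the
# reload atomic, so there is no window where the table is missing.
gen_ruleset() {
    ips=$(join_elements)
    elements=""
    if [ -n "$ips" ]; then
        elements="        elements = { $ips }"
    fi
    cat <<EOF
#!/usr/sbin/nft -f
table inet filter
delete table inet filter
table inet filter {
    set blocklist {
        type ipv4_addr
        flags interval
$elements
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @blocklist counter drop
    }
}
EOF
}

# Incremental refresh for a running table: flush and refill the set in a
# single `nft -f` transaction, so the packet path never sees a half-empty set.
gen_update() {
    ips=$(join_elements)
    printf 'flush set inet filter blocklist\n'
    if [ -n "$ips" ]; then
        printf 'add element inet filter blocklist { %s }\n' "$ips"
    fi
}

# Usage on a real host (as root, with the list in /etc/nftables/blocklist.txt):
#   gen_ruleset < /etc/nftables/blocklist.txt > /etc/nftables.conf && nft -f /etc/nftables.conf
#   gen_update  < /etc/nftables/blocklist.txt | nft -f -
printf '%s' "$BLOCKLIST_SAMPLE" | gen_ruleset
```

Because `nft -f` applies a file as one transaction, either form replaces the old contents in a single step: a syntax error anywhere in the file rejects the whole update and leaves the previous rules active, which is why the script validates entries before emitting them. `flags interval` lets single addresses and CIDR prefixes share one set; the `counter` on the drop rule gives a cheap way to confirm the set is actually matching traffic.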
* nftables
@ 2011-05-05 7:24 Juraj Gabčík
0 siblings, 0 replies; 6+ messages in thread
From: Juraj Gabčík @ 2011-05-05 7:24 UTC (permalink / raw)
To: netfilter
Hi
I have a problem:
I tried to run nftables - I followed the steps written here
http://lists.netfilter.org/pipermail/netfilter-cvslog/2009-March/006316.html
I downloaded the kernel tree and compiled nftables into the kernel,
ran the new kernel with nftables support BUT when I wrote some rule, e.g.
nft rule add inet filter output ip protocol tcp => drop , the system
accepted it but it didn't have any effect - I still had internet
access.
Maybe the problem is that I have compiled iptables into the kernel too - and
they are useful.
So I tried to compile the kernel without iptables, but it crashes.
So can somebody advise me how to compile a functional nftables?
Sorry, my English is not very good :)
^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <BANLkTikT_ETuEE2e7Khip9xJKFiDgBe7Qg@mail.gmail.com>]
* Fwd: nftables
[not found] <BANLkTikT_ETuEE2e7Khip9xJKFiDgBe7Qg@mail.gmail.com>
@ 2011-04-29 9:33 ` Juraj Gabčík
2011-04-29 10:06 ` nftables Jan Engelhardt
0 siblings, 1 reply; 6+ messages in thread
From: Juraj Gabčík @ 2011-04-29 9:33 UTC (permalink / raw)
To: netfilter
Hi people!
First, I would like to introduce myself to you. My name is Juraj
Gabčík and I am a student at the Faculty of Informatics at the
University of Žilina, Slovakia. My reason for writing to you is that I
would like to ask you for a favour. I am currently writing my bachelor's
thesis about nftables and I would be grateful to you for some
information I need concerning this issue. I found something on the
internet but it wasn't enough.
I am interested in the background of the processing of a packet after
it's received by the NIC: what queues it passes, where the rules can be
applied, etc. Nor could I find any information about whether
nftables has the same structure of classes INPUT, OUTPUT and FORWARD
as iptables.
I need to compare the efficiency of the firewall created by iptables
and nftables and I would be very grateful if you could explain to me
the main differences between the processing of packet by means of
iptables and nftables. Also a demonstration of some rules written by
means of iptables and nftables (rules of the same meaning in both
cases) would be very helpful.
How to compile kernel supporting nftables?
If you could come up with something more that would help me or that
would be useful for my thesis I would highly appreciate it. As I have
already mentioned, I am mainly concerned about the information related
to the background of the processing of the packet and the comparison
of the efficiency of iptables and nftables.
Hope to hear from you soon,
Juraj Gabčík
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: nftables
2011-04-29 9:33 ` Fwd: nftables Juraj Gabčík
@ 2011-04-29 10:06 ` Jan Engelhardt
0 siblings, 0 replies; 6+ messages in thread
From: Jan Engelhardt @ 2011-04-29 10:06 UTC (permalink / raw)
To: Juraj Gabčík; +Cc: netfilter
On Friday 2011-04-29 11:33, Juraj Gabčík wrote:
>
>I am interested in the background of the processing of packet after
>it's received by NIC: what queues it passes, where the rules can be
>applied etc. Neither I could find any information about whether
>nftables have the same structure of classes INPUT, OUTPUT and FORWARD
>as iptables.
>
>I need to compare the efficiency of the firewall created by iptables
>and nftables and I would be very grateful if you could explain to me
>the main differences between the processing of packet by means of
>iptables and nftables.
Differences:
iptables (or more precisely the Xtables collective) uses a packed
table and no "indirect interpreter" - a module like xt_u32 is
optional -, which yields the speediest execution environment. This
packing is important the larger the ruleset becomes, and the smaller
the CPU caches are. It also has no limits on call depth.
Xtables does not use the Netlink protocol yet for conveying changes
to the kernel, but it is being pondered how to get it there. Netlink
attributes have some worrying limitations and no consensus has yet been
reached on the packet format. The much-sought nlattr32 patches have
not appeared yet either, so the protocol effort is staggering, but I
hold high hopes someone is on nla32 - meanwhile, I utilize the time
by doing precursor work on the userspace components instead (the
option parsing patches posted - a large part of the code is reusable
for a Netlink variant).
^ permalink raw reply [flat|nested] 6+ messages in thread
Thread overview: 6+ messages
2020-04-28 7:38 nftables Patrick Greiff
2020-04-28 7:50 ` nftables Fatih USTA
[not found] ` <169e18be-82c8-47b7-2ca6-44e03c86eebd@gmx.de>
2020-04-28 8:45 ` nftables Fatih USTA
2020-04-30 3:52 ` nftables Trent W. Buck
-- strict thread matches above, loose matches on Subject: below --
2011-05-05 7:24 nftables Juraj Gabčík
[not found] <BANLkTikT_ETuEE2e7Khip9xJKFiDgBe7Qg@mail.gmail.com>
2011-04-29 9:33 ` Fwd: nftables Juraj Gabčík
2011-04-29 10:06 ` nftables Jan Engelhardt