Linux Netfilter discussions
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
To: netfilter@vger.kernel.org
Subject: Nftables or Iptables/Ebtables for a simple linux bridge?
Date: Tue, 29 Mar 2016 23:49:41 +0200	[thread overview]
Message-ID: <20160329214941.GA8622@g0n> (raw)


Hi!

I have done a lot of research, and am unable to decide which way to go
for my planned linux bridge implementation:

iptables+ebtables

or

nftables

All my initial insecure beginner's steps are in the topic on Gentoo
Forums:

A Firewalled Internet Access to Internal Subnet
https://forums.gentoo.org/viewtopic-t-1041028.html

And I posted about my query on another topic on Gentoo Forums, where a
(probably young) talented member attempts to deploy a somewhat similar
setup, but the two (very) senior Gentooers, in the advice they mete out to
him, keep to Iptables only.

They never ever even mention Nftables... Have a look:

PPPoE and static subnet setup
https://forums.gentoo.org/viewtopic-t-1040272.html

Why is that? Those are senior members...

For my setup, which you can glean, it is maybe best if you go to this post in
my ample and painstaking wandering:

( same: "A Firewalled Internet Access to Internal Subnet" topic)
https://forums.gentoo.org/viewtopic-t-1041028.html#7897936

There are plenty of tutorials if I go the Iptables and the Ebtables way...

And my question to the list is: where are the corresponding Nftables tutorials for a setup like mine?

Or should I better stick with the Iptables/Ebtables?

Pls. also notice the questions I posted today on:

( same: "PPPoE and static subnet setup" topic )
https://forums.gentoo.org/viewtopic-t-1040272.html#7899080
esp. what "There is currently no connection tracking available for
bridge filtering." on Nftables Wiki means.

WARNING upfront: I am sincere, but not a programmer, nor a very advanced
user either, and it may be possible what I propose below, but it also
may be that I wouldn't be able to really test as a proper tester:

I'd even be willing to try and do some testing with Nftables (simply
because of the good sides of the new concept), if developers were sure
they can achieve a result that, in some, even longer, but foreseeable
future, could be as good as what can be achieved with Iptables/Ebtables.

(
I hope you also read the paragraph previous to that offer.

AND ANOTHER NOTE: you may need to have a lot of patience, but I would
post all here on the list and other readers could assist.
)

Regards!

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

