From: "Daniel Tiebler" <daniel.tiebler@tik.uni-stuttgart.de>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: Netfilter Users Mailing list <netfilter@vger.kernel.org>
Subject: Re: iptables-normalizet: argument normalization and DNS resolution?
Date: Thu, 10 Apr 2014 15:16:21 +0200
Message-ID: <web-181218610@uni-stuttgart.de>
In-Reply-To: <CAOkSjBiFCZP4CBvj1K=tD1ApaWJ+6LswezqLemNwiQzOvv5FGA@mail.gmail.com>
Hello,

On Wed, 9 Apr 2014 16:00:56 +0200
Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> wrote:
> On 9 April 2014 14:10, Daniel Tiebler
> <daniel.tiebler@tik.uni-stuttgart.de> wrote:
> [...]
>> * Is something similar possible with nftables?
>
> In nftables, you can know a low-level (netlink)
> representation of all nftables objects (tables,
> sets, chains, rules...) in userspace (using
> libnftnl).
Userspace is great.
Is it necessary to load the rules into the kernel
beforehand?
It would be nice to operate in userspace completely to be
able to compare two sets of rules.
> This representation is either XML or JSON, where DNS
> name resolution, service name resolution and friends
> are translations to the internal kernel data structures.
If all exported or generated data has the same format,
that is okay.
> Tracking FQDNs changes is another, different issue.
That's right.
The normalization has a higher priority for us.
At the moment we are using iptables, but if nftables is going
to replace iptables, it would be nice if it had the
requested features.
With kind regards,
Daniel Tiebler
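One way to do the purely userspace comparison asked for above, added here as an example that is not part of this thread or of nftables itself: take two exported rulesets, strip what the kernel assigns at load time (handles) and runtime state (counters), sort unordered set elements, and diff the canonical forms. It assumes the JSON layout of today's `nft -j list ruleset` rather than the 2014 libnftnl export, and uses constructed numeric samples (no DNS or service-name resolution).

```python
import json

# Constructed samples in the shape of `nft -j list ruleset` (an assumption; the
# libnftnl export discussed in the thread has a different layout). B loads the same
# policy as A plus one extra rule, but handles, counters and set-element order differ.
RULESET_A = """{"nftables":[{"metainfo":{"version":"1.0.0","json_schema_version":1}},
{"table":{"family":"inet","name":"filter","handle":1}},
{"set":{"family":"inet","name":"admins","table":"filter","type":"ipv4_addr","handle":2,
 "elem":["192.0.2.20","192.0.2.10"]}},
{"rule":{"family":"inet","table":"filter","chain":"input","handle":4,"expr":[
 {"match":{"op":"==","left":{"payload":{"protocol":"tcp","field":"dport"}},"right":22}},
 {"counter":{"packets":17,"bytes":1200}},{"accept":null}]}}]}"""
RULESET_B = """{"nftables":[{"metainfo":{"version":"1.0.0","json_schema_version":1}},
{"table":{"family":"inet","name":"filter","handle":7}},
{"set":{"family":"inet","name":"admins","table":"filter","type":"ipv4_addr","handle":8,
 "elem":["192.0.2.10","192.0.2.20"]}},
{"rule":{"family":"inet","table":"filter","chain":"input","handle":9,"expr":[
 {"match":{"op":"==","left":{"payload":{"protocol":"tcp","field":"dport"}},"right":22}},
 {"counter":{"packets":0,"bytes":0}},{"accept":null}]}},
{"rule":{"family":"inet","table":"filter","chain":"input","handle":10,"expr":[
 {"match":{"op":"==","left":{"payload":{"protocol":"tcp","field":"dport"}},"right":80}},
 {"accept":null}]}}]}"""

def _scrub(node):
    """Drop kernel-assigned handles, zero counters, sort unordered set elements."""
    if isinstance(node, dict):
        out = {}
        for k, v in node.items():
            if k == "handle":                       # assigned at load time, not policy
                continue
            if k == "counter" and isinstance(v, dict):   # runtime state, not policy
                out[k] = {ck: 0 if ck in ("packets", "bytes") else cv
                          for ck, cv in _scrub(v).items()}
            elif k == "elem" and isinstance(v, list):    # set membership is unordered
                out[k] = sorted(_scrub(v), key=lambda e: json.dumps(e, sort_keys=True))
            else:
                out[k] = _scrub(v)
        return out
    if isinstance(node, list):
        return [_scrub(x) for x in node]
    return node

def normalize(ruleset_json):
    """Canonical strings, one per object, in load order (rule order matters)."""
    objs = json.loads(ruleset_json)["nftables"]
    return [json.dumps(_scrub(o), sort_keys=True, separators=(",", ":"))
            for o in objs if "metainfo" not in o]

def diff_rulesets(a, b):
    """Objects only in a, objects only in b, compared after normalization."""
    na, nb = normalize(a), normalize(b)
    return [x for x in na if x not in nb], [x for x in nb if x not in na]
```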
Thread overview:
2014-04-09 12:10 iptables-normalizet: argument normalization and DNS resolution? Daniel Tiebler
2014-04-09 14:00 ` Arturo Borrero Gonzalez
2014-04-10 13:16 ` Daniel Tiebler [this message]