nftables support #1675
Comments
I suppose we can talk to the kernel directly with nfnetlink messages?

Yeah, I was thinking about reading/writing raw netlink messages given we are already doing so. But libmnl or libnftnl are good candidates if they are generally available on different platforms that we support.

Any movement on this? All of my infrastructure uses nftables, and I would like to keep it that way.

Would you like to submit a PR for this?

I wouldn't know how to implement it, unfortunately; the lowest-level language I'm fluent in is Haskell ;)
The world is moving away from iptables/ipset to nftables. The latter comes with its own generic set infrastructure. While there are some options that support a hybrid setup (nftables backend with iptables commands), it's probably cleaner to use nftables directly. It's probably also a good time to consider using libmnl or libnftnl or so to talk to the kernel directly rather than calling binaries from C++ code.
Some proof of the claim:
https://firewalld.org/2018/07/nftables-backend
https://git.openwrt.org/08d9f6e3020b4a149b2007b6ed7d684c49af9bbf
https://wiki.debian.org/nftables
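The raw-netlink route discussed in this thread (talking to nf_tables with nfnetlink messages instead of shelling out to a binary), as an added example that is not code from this project or from any participant in the issue: it frames an NFT_MSG_NEWTABLE request by hand and parses it back with per-attribute bounds checks, which is the part a hand-rolled sender most often gets wrong. The header layouts and constants mirror the Linux uapi headers (linux/netlink.h, linux/netfilter/nfnetlink.h, linux/netfilter/nf_tables.h) but are redeclared here under local names so the file builds without kernel headers; that redeclaration, the table name "filter" and the sequence numbers are constructed for the example. A real sender would additionally wrap the message in an nfnetlink batch (NFNL_MSG_BATCH_BEGIN/END) and write it to an AF_NETLINK, NETLINK_NETFILTER socket, which libmnl handles for you and which is omitted here.

```c
/* Added example: hand-rolled nfnetlink framing for an nftables NEWTABLE request.
 * Structs and constants below mirror the Linux uapi definitions (assumption:
 * redeclared under local names so this compiles without kernel headers). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NL_ALIGNTO 4u
#define NL_ALIGN(n) (((n) + NL_ALIGNTO - 1) & ~(NL_ALIGNTO - 1))
#define NLA_TYPE_MASK_ 0x3fff /* strips NLA_F_NESTED / NLA_F_NET_BYTEORDER */

struct nl_hdr    { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; }; /* nlmsghdr */
struct nfgen_hdr { uint8_t family; uint8_t version; uint16_t res_id; };                       /* nfgenmsg */
struct nl_attr   { uint16_t len; uint16_t type; };                                             /* nlattr   */

enum { NLM_F_REQUEST_ = 0x01, NLM_F_ACK_ = 0x04, NLM_F_CREATE_ = 0x400 };
enum { NFNL_SUBSYS_NFTABLES_ = 10, NFT_MSG_NEWTABLE_ = 0, NFNETLINK_V0_ = 0 };
enum { NFTA_TABLE_NAME_ = 1, NFPROTO_INET_ = 1 };

/* Append one TLV attribute (header + payload, padded to 4 bytes).
 * Returns the new message length, or 0 if it would not fit. */
static size_t nl_put_attr(uint8_t *buf, size_t cap, size_t len,
                          uint16_t type, const void *data, size_t dlen)
{
    size_t hdr = sizeof(struct nl_attr);
    size_t need = NL_ALIGN(hdr + dlen);
    if (hdr + dlen > 0xffff || len + need > cap) return 0;
    struct nl_attr a = { (uint16_t)(hdr + dlen), type };
    memcpy(buf + len, &a, hdr);
    memcpy(buf + len + hdr, data, dlen);
    memset(buf + len + hdr + dlen, 0, need - hdr - dlen); /* zero the pad bytes */
    return len + need;
}

/* Build "nft add table <family> <name>" as a single netlink message.
 * Message type is (subsystem << 8) | command. Returns total length, 0 on error. */
size_t build_newtable(uint8_t *buf, size_t cap, uint8_t family, const char *name, uint32_t seq)
{
    size_t len = sizeof(struct nl_hdr) + sizeof(struct nfgen_hdr);
    if (cap < len) return 0;
    memset(buf, 0, len);
    struct nfgen_hdr g = { family, NFNETLINK_V0_, 0 };
    memcpy(buf + sizeof(struct nl_hdr), &g, sizeof g);
    /* NFTA_TABLE_NAME carries a NUL-terminated string */
    len = nl_put_attr(buf, cap, len, NFTA_TABLE_NAME_, name, strlen(name) + 1);
    if (len == 0) return 0;
    struct nl_hdr h = { (uint32_t)len,
                        (uint16_t)((NFNL_SUBSYS_NFTABLES_ << 8) | NFT_MSG_NEWTABLE_),
                        NLM_F_REQUEST_ | NLM_F_ACK_ | NLM_F_CREATE_, seq, 0 };
    memcpy(buf, &h, sizeof h);
    return len;
}

/* Walk the attributes of a NEWTABLE message and copy the table name into out.
 * Every length is checked against the enclosing message before it is trusted.
 * Returns 1 when found, 0 when the message is truncated, malformed or lacks a name. */
int parse_table_name(const uint8_t *buf, size_t blen, char *out, size_t outcap)
{
    struct nl_hdr h;
    size_t fixed = sizeof(struct nl_hdr) + sizeof(struct nfgen_hdr);
    if (blen < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    if (h.len > blen || h.len < fixed) return 0;
    if (h.type != ((NFNL_SUBSYS_NFTABLES_ << 8) | NFT_MSG_NEWTABLE_)) return 0;
    size_t off = fixed;
    while (off + sizeof(struct nl_attr) <= h.len) {
        struct nl_attr a;
        memcpy(&a, buf + off, sizeof a);
        if (a.len < sizeof a || off + a.len > h.len) return 0; /* TLV escapes message */
        size_t dlen = a.len - sizeof a;
        if ((a.type & NLA_TYPE_MASK_) == NFTA_TABLE_NAME_) {
            if (dlen == 0 || dlen > outcap || buf[off + sizeof a + dlen - 1] != '\0') return 0;
            memcpy(out, buf + off + sizeof a, dlen);
            return 1;
        }
        off += NL_ALIGN(a.len);
    }
    return 0;
}

int main(void)
{
    uint8_t buf[64];
    char name[32];
    size_t n = build_newtable(buf, sizeof buf, NFPROTO_INET_, "filter", 1);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", buf[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    if (parse_table_name(buf, n, name, sizeof name))
        printf("table name: %s\n", name);
    return 0;
}
```

For "filter" the message is 16 bytes of nlmsghdr, 4 of nfgenmsg and a 12-byte attribute (4-byte header, 7-byte string, 1 byte of padding), 32 bytes in total; header and attribute fields are in host byte order, as the kernel expects on a netlink socket.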