
Why you will love nftables - jeltz
https://home.regit.org/2014/01/why-you-will-love-nftables/
======
jlgaddis
I would really love to see "pf" on Linux.

When I began using Linux, "ipfwadm" had just been incorporated into the
kernel. It was replaced in 2.2 by "ipchains" which was replaced in 2.4 by
"iptables". Now we have "nftables".

I'll admit to not knowing much about nftables but from what I've read about it
in the last few days, it's still not even close to what OpenBSD's "pf" is
capable of.

Ahhh, well, I can wish, right?

~~~
simcop2387
I've heard this about every linux firewall, can you give some good examples of
what either iptables or nftables can't do that pf can?

~~~
xiljin
Many people use something like denyhosts or fail2ban to help with brute force
attacks. PF has built-in support for building rules with options which will
throw potential attackers into a 'penalty box' based on certain factors like
connection rate.

~~~
hebz0rl
You can use iptables for that:

    # record each new SSH connection in the "SSH" recent list
    $ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    # drop sources that made 8 or more new connections in the last 60 seconds
    $ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

Copied from [http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with...](http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/) but I agree that pf is just much more sane config-wise.

~~~
simcop2387
Since nftables is supposed to be backwards compatible, I'd guess it can do
this too. I wonder what it'll look like for that. A lot of the other syntax
looks nicer; I suspect that this will be better too.

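As an added example (not from the linked article, and not posted by anyone in this thread): an nftables ruleset file, loaded with `nft -f`, that does roughly what the two iptables `-m recent` rules quoted above do, throttling new SSH connections per source address to 8 per minute. The table, set and chain names are my own choices; `ip saddr` keys on IPv4 only, so an IPv6 host would need a second set of type `ipv6_addr`, and since `limit` is a token bucket rather than a hit counter the behaviour is an approximation of the iptables version, not an exact match.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the article or the comments above.
# Load with: nft -f ssh-ratelimit.nft   (check syntax first: nft -c -f ssh-ratelimit.nft)
# Names (filter, ssh_meter, input) are assumptions chosen for this example.

flush ruleset

table inet filter {
    # Dynamic set: entries are created by the rule below and expire after
    # one minute without updates, mirroring the 60 s window of `-m recent`.
    set ssh_meter {
        type ipv4_addr
        flags dynamic
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # Every new SSH connection updates the per-source rate limiter;
        # a source exceeding 8 new connections per minute is dropped and
        # its entry refreshed, so a persistent source stays throttled.
        tcp dport 22 ct state new update @ssh_meter { ip saddr limit rate over 8/minute } drop
        tcp dport 22 ct state new accept

        # Log what the default policy drops, useful while tuning the limit.
        log prefix "nft-input-drop: " drop
    }
}
```

While the limit is in effect you can watch which sources are being tracked with `nft list set inet filter ssh_meter`; the `timeout` on each element tells you how long until a throttled source is forgotten.
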
------
jerf
nftables sounds like a great example of why you should learn compilers:
[http://steve-yegge.blogspot.com/2007/06/rich-programmer-food...](http://steve-yegge.blogspot.com/2007/06/rich-programmer-food.html)
You can write reams of code that work, but still have limits, and overcoming
those limits would require further endless reams of code (iptables). Or you
can write something simpler that breaks the problem down into primitives which
a compiler will let you put together arbitrary ways, and despite being more
flexible, is still less code (nftables).

------
agumonkey
Snapshot in case the server is overwhelmed:
[http://archive.is/M1R6K](http://archive.is/M1R6K)

------
welterde
Being able to load a whole configuration with nft -f instead of having to hack
a script to do the same is also a nice feature (makes it more pf-like).

~~~
jebblue
This is easy with iptables too:

    # load a ruleset previously saved with iptables-save
    iptables-restore < yourfilterfile

~~~
welterde
Yeah... true... I still prefer the config file format[1] nftables brings along
though.

[1] [https://home.regit.org/netfilter-en/nftables-quick-howto/](https://home.regit.org/netfilter-en/nftables-quick-howto/)

