dlenski / vpn-slice

vpnc-script replacement for easy and secure split-tunnel VPN setup
GNU General Public License v3.0

comments on nftables in README? #64

Open jbclements opened 4 years ago

jbclements commented 4 years ago

I'm in the process of setting up split-tunneling on a Debian 10 machine, and I'm ... concerned? ... about a possible conflict between iptables and nftables. Specifically, I've set up a firewall using a dead simple nftables config file, and I'm worried that installing iptables utilities and unleashing split-vpn will... mess things up.

... okay, much internet-reading later ...

It looks like there are compatibility layers in place for iptables over nftables -- in Debian 10, it looks like this is what you get in the package iptables -- but I'm definitely getting the feeling that going forward, the thing "to do" (so yes I guess this is really just a feature/enhancement request) is to rewrite to target nftables directly.

Um... and then support both nftables and iptables for legacy systems. Ha! Ha! Software maintenance is fun!

jbclements commented 4 years ago

Sorry, forgot the low-hanging fruit. Maybe at a minimum there should be a brief comment about this in the README?

dlenski commented 4 years ago

Keep in mind that vpn-slice uses iptables for only one thing: blocking incoming traffic (unless explicitly allowed by the user).

A rewrite to use nftables for this case should be pretty trivial. PRs welcome!

jbclements commented 4 years ago

My, that is self-contained. If there's a corresponding set of command-line arguments to an nftables utility, that would be pretty easy. The hard part would be ... well, maybe adding a command-line flag on the script to indicate which version to use? Keep in mind that I'm a PL person, I know next to nothing about networking.

dlenski commented 4 years ago

It should be easy to autodetect whether nftables or iptables should be used, based on the presence/absence of the nftables binaries.

(I have no idea what PL stands for.)

lusu2004 commented 2 years ago

dlenski, any update for this enhancement? I am using an nftables firewall rather than iptables, so I'm looking forward to a version which supports nftables. Thanks!

dlenski commented 2 years ago

Nope. I don't use nftables myself, and don't have time to learn. A PR to autodetect nftables and use it in place of iptables would be welcome.
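The two pieces dlenski describes above, detecting nftables from the presence of its binary and replacing the one thing vpn-slice uses iptables for (dropping inbound traffic on the tunnel device unless the user allowed it), as an added example in Python. This is not vpn-slice's own code; the `vpn_slice` table name, the `inet` chain layout, the conntrack/`iifname` rule shape and the sample interface and hosts are assumptions.

```python
#!/usr/bin/env python3
"""Backend autodetection plus nft/iptables rule generation for an inbound block
scoped to one tunnel interface.  Added example, not vpn-slice's own code."""
import ipaddress
import shutil
import subprocess
from typing import Callable, Iterable, List, Optional

TABLE = "vpn_slice"  # assumed table/chain name, not one vpn-slice uses


def detect_backend(which: Callable[[str], Optional[str]] = shutil.which) -> Optional[str]:
    """Prefer nft when its binary is on PATH, else iptables, else None.
    `which` is injectable so the decision can be tested without the binaries."""
    for tool in ("nft", "iptables"):
        if which(tool):
            return tool
    return None


def incoming_block_rules(backend: str, tundev: str, allowed: Iterable[str]) -> List[List[str]]:
    """Argument vectors that drop everything arriving on `tundev` except replies
    to our own connections and hosts the user explicitly allowed.  Only packets
    entering via the tunnel are matched, so the host's existing ruleset (e.g. an
    nftables firewall with its own input chain) keeps its policy untouched."""
    hosts = [ipaddress.ip_address(h) for h in allowed]  # validates, picks v4/v6
    if backend == "nft":
        rule = ["nft", "add", "rule", "inet", TABLE, "input", "iifname", tundev]
        cmds = [["nft", "add", "table", "inet", TABLE],
                ["nft", "add", "chain", "inet", TABLE, "input",
                 "{ type filter hook input priority 0; policy accept; }"],
                rule + ["ct", "state", "established,related", "accept"]]
        cmds += [rule + ["ip" if h.version == 4 else "ip6", "saddr", str(h), "accept"]
                 for h in hosts]
        cmds.append(rule + ["drop"])  # everything else entering via the tunnel
        return cmds
    if backend == "iptables":
        cmds = []
        for tool, version in (("iptables", 4), ("ip6tables", 6)):
            base = [tool, "-A", "INPUT", "-i", tundev]
            cmds.append(base + ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
            cmds += [base + ["-s", str(h), "-j", "ACCEPT"] for h in hosts if h.version == version]
            cmds.append(base + ["-j", "DROP"])
        return cmds
    raise ValueError(f"unsupported backend: {backend}")


def apply_rules(cmds: List[List[str]]) -> None:
    """Run each command (needs root); a failing command aborts the setup."""
    for argv in cmds:
        subprocess.run(argv, check=True)
```

Repeated `add rule` calls append duplicates on reconnect, so a real integration would flush the `vpn_slice` chain (or delete the table) on disconnect.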