awlx
commented
1 year ago @DasSkelett maybe we can switch to use netlink for nftables programming that's even possible on machines which don't have nftables binaries.
Open fbuetler opened 1 year ago
awlx
commented
1 year ago @DasSkelett maybe we can switch to use netlink for nftables programming that's even possible on machines which don't have nftables binaries.
DasSkelett
commented
1 year ago Yeah I tried adding nftables support with that library in the past, but in the end the rule building was too low-level for my liking, see for example: https://github.com/siderolabs/talos/blob/dea17d72340b1deddea2215b556a4f193d1feb7f/internal/app/machined/pkg/controllers/kubespan/nftables.go#L181-L223
I might give it another triy, but it will definitely decrease maintainability and expandability of this part of the code.
At the moment only iptables are supported and it would be nice if nftables were supported as well.