gustavo-iniguez-goya / opensnitch

OpenSnitch is a GNU/Linux application firewall
GNU General Public License v3.0
395 stars, 20 forks

migrate from iptables to nftables #34

Open NRGLine4Sec opened 4 years ago

NRGLine4Sec commented 4 years ago

Is it on your roadmap to migrate to nftables? And thanks for working on OpenSnitch!

gustavo-iniguez-goya commented 4 years ago

Hi NRGLine4Sec,

Not for now, but I guess it's one of the next logical steps.

q2dg commented 3 years ago

Nftables is already used by default in Ubuntu and Fedora, among others. So iptables's countdown has started.

NRGLine4Sec commented 3 years ago

Maybe it could be more interesting to migrate to bpfilter (powered by BPF): Why is the kernel community replacing iptables with BPF? — Cilium; BPF comes to firewalls [LWN.net]

gustavo-iniguez-goya commented 3 years ago

Yes, that's the future (/present). The only problem is that it's not available in all kernels/environments, and not all the features are supported.

So iptables won't be deleted for now. We only use 1 iptables rule, so the performance is not a problem in this case. However if we wanted to add lists of IPs/domains to block, then yes, we should use nftables/XDP.

For that purpose, ipset is another option: well supported in all kernels and with netlink support, which is a plus for not depending on external binaries. http://ipset.netfilter.org/index.html https://github.com/firehol/blocklist-ipsets https://iplists.firehol.org/
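The comment above contrasts a single NFQUEUE rule with blocking whole lists of IPs, where ipset or nftables sets keep the ruleset at one rule per family regardless of list size. The following is an added example in the daemon's language (Go), not OpenSnitch code: it parses a firehol-style `.netset` list (the format used by the blocklist-ipsets repository linked above: `#` comments, one IP or CIDR per line), validates and deduplicates the entries, and renders them both as `ipset restore` input and as an nftables file with interval sets. The sample list, the set names `blocklist4`/`blocklist6`, and the table name are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"sort"
	"strings"
)

// Constructed sample in the firehol .netset layout ('#' comments, one IP or
// CIDR per line). Not a real blocklist; the addresses are documentation ranges.
const sampleNetset = `#
# constructed sample, not a real firehol list
#
192.0.2.0/24
198.51.100.7
198.51.100.7
2001:db8::/32
not-an-address
203.0.113.33/25
`

// parseNetset reads a firehol-style list and returns the valid entries split by
// address family, normalised to CIDR form, deduplicated and sorted. Host
// addresses become /32 or /128; a CIDR with host bits set is masked to its
// network (203.0.113.33/25 -> 203.0.113.0/25). Lines that are not addresses
// are returned separately so the caller can log them rather than silently
// loading a partial list.
func parseNetset(r io.Reader) (v4, v6, rejected []string) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		cidr := line
		if !strings.Contains(cidr, "/") {
			ip := net.ParseIP(cidr)
			switch {
			case ip == nil:
				rejected = append(rejected, line)
				continue
			case ip.To4() != nil:
				cidr += "/32"
			default:
				cidr += "/128"
			}
		}
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			rejected = append(rejected, line)
			continue
		}
		key := n.String()
		if seen[key] {
			continue
		}
		seen[key] = true
		if n.IP.To4() != nil {
			v4 = append(v4, key)
		} else {
			v6 = append(v6, key)
		}
	}
	sort.Strings(v4)
	sort.Strings(v6)
	return v4, v6, rejected
}

// ipsetRestore renders the entries as input for `ipset restore`, which loads
// the whole list in one session instead of one `ipset add` process per entry.
// hash:net accepts both single hosts and prefixes.
func ipsetRestore(name string, v4, v6 []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "create %s4 hash:net family inet\n", name)
	for _, e := range v4 {
		fmt.Fprintf(&b, "add %s4 %s\n", name, e)
	}
	fmt.Fprintf(&b, "create %s6 hash:net family inet6\n", name)
	for _, e := range v6 {
		fmt.Fprintf(&b, "add %s6 %s\n", name, e)
	}
	return b.String()
}

// nftSet renders one interval set; an empty "elements = { }" is a syntax
// error for nft, so the line is omitted when the family has no entries.
func nftSet(name, typ string, elems []string) string {
	s := fmt.Sprintf("\tset %s {\n\t\ttype %s\n\t\tflags interval\n", name, typ)
	if len(elems) > 0 {
		s += fmt.Sprintf("\t\telements = { %s }\n", strings.Join(elems, ", "))
	}
	return s + "\t}\n"
}

// nftRuleset renders the same entries as a file for `nft -f`: two sets in one
// inet table and an output chain with one drop rule per family.
func nftRuleset(table string, v4, v6 []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "table inet %s {\n", table)
	b.WriteString(nftSet("blocklist4", "ipv4_addr", v4))
	b.WriteString(nftSet("blocklist6", "ipv6_addr", v6))
	b.WriteString("\tchain output {\n\t\ttype filter hook output priority 0; policy accept;\n")
	b.WriteString("\t\tip daddr @blocklist4 counter drop\n")
	b.WriteString("\t\tip6 daddr @blocklist6 counter drop\n\t}\n}\n")
	return b.String()
}

func main() {
	v4, v6, rejected := parseNetset(strings.NewReader(sampleNetset))
	fmt.Print(ipsetRestore("blocklist", v4, v6))
	fmt.Print(nftRuleset("opensnitch_blocklist", v4, v6))
	for _, r := range rejected {
		fmt.Println("rejected:", r)
	}
}
```

The ipset output is meant to be fed as `ipset -exist restore < file` (the `-exist` flag makes reloading an already-created set idempotent), and the nft output as `nft -f file`; both need root. The `rejected` slice is deliberately returned rather than dropped: a blocklist that loads 90% of its lines because of one malformed entry is a quiet failure mode worth surfacing in the daemon's log.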

NRGLine4Sec commented 3 years ago

Thank you @gustavo-iniguez-goya for your quick response. I don't know about ipset; I will take a look at it.