Open NRGLine4Sec opened 4 years ago
Hi NRGLine4Sec,
Not for now, but I guess it's one of the next logical steps.
Nftables is already used by default in Ubuntu and Fedora, among others. So the countdown for iptables has started.
Maybe it could be more interesting to migrate to bpfilter (powered by BPF): Why is the kernel community replacing iptables with BPF? — Cilium BPF comes to firewalls [LWN.net]
Yes, that's the future (/present). The only problem is that it's not available in all kernels/environments, and not all the features are supported.
So iptables won't be deleted for now. We only use 1 iptables rule, so the performance is not a problem in this case.
However if we wanted to add lists of IPs/domains to block, then yes, we should use nftables/XDP.
For that purpose ipset is another option, well supported in all kernels, and with netlink support, which is a plus for not depending on external binaries.
http://ipset.netfilter.org/index.html
https://github.com/firehol/blocklist-ipsets
https://iplists.firehol.org/
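The ipset approach sketched above (one set holding the blocklist, one iptables rule matching against it) is illustrated below with an added example that is not OpenSnitch code. It turns a firehol-style blocklist text file into an `ipset restore` script that loads the entries into a temporary set and then swaps it into place, so the live set is never half-filled while it is being refreshed. The set name `blocklist`, the `hash:net` type and the sample list are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of OpenSnitch): build an ipset(8) restore script from a
# firehol-style blocklist. Set name, family and sample data below are constructed.

# Constructed sample in the firehol/blocklist-ipsets text format:
# '#' comment lines, blank lines, one IPv4 address or CIDR per line.
SAMPLE_LIST='# constructed sample, not a real blocklist
192.0.2.0/24
198.51.100.7

203.0.113.128/25
'

# build_restore SETNAME < blocklist  -> prints an ipset restore script on stdout
build_restore() {
    set_name="$1"
    tmp="${set_name}_tmp"
    # -exist makes the creates idempotent, so the script can run on every refresh.
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    printf 'create %s hash:net family inet -exist\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    # Drop comments and blank lines; keep only well-formed IPv4 addresses or CIDRs.
    grep -v '^[[:space:]]*#' |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
        while IFS= read -r net; do
            printf 'add %s %s\n' "$tmp" "$net"
        done
    # Atomic replacement: swap the freshly loaded set into place, then drop the old one.
    printf 'swap %s %s\n' "$tmp" "$set_name"
    printf 'destroy %s\n' "$tmp"
}

# count_entries SETNAME < blocklist -> number of entries that would be loaded
count_entries() {
    build_restore "$1" | grep -c '^add '
}

# Usage (as root, with ipset installed); the single iptables rule then matches
# the whole set instead of one rule per address:
#   printf '%s' "$SAMPLE_LIST" | build_restore blocklist | ipset restore
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
```

Feeding `ipset restore` a generated script is much faster than calling `ipset add` once per entry, and the swap keeps the firewall consistent during the reload.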
Thank you @gustavo-iniguez-goya for your quick response. I don't know about ipset, I will take a look at it.
Is it on your roadmap to migrate to nftables? And thanks for working on Opensnitch!