openthread / ot-br-posix

OpenThread Border Router, a Thread border router for POSIX-based platforms.
https://openthread.io/
BSD 3-Clause "New" or "Revised" License

nftables support #1675

Open stintel opened 1 year ago

stintel commented 1 year ago

The world is moving away from iptables/ipset to nftables. The latter comes with its own generic set infrastructure. While there are some options that support a hybrid setup (nftables backend with iptables commands), it's probably cleaner to use nftables directly. It's probably also a good time to consider using libmnl or libnftnl or so to talk to the kernel directly rather than calling binaries from C++ code.

Some proof of the claim: https://firewalld.org/2018/07/nftables-backend https://git.openwrt.org/08d9f6e3020b4a149b2007b6ed7d684c49af9bbf https://wiki.debian.org/nftables

wgtdkp commented 1 year ago

I suppose we can talk to kernel directly with nfnetlink messages?

stintel commented 1 year ago

> I suppose we can talk to kernel directly with nfnetlink messages?

Probably better to not use libnfnetlink, see https://www.spinics.net/lists/netfilter/msg59210.html

Sorry, you didn't mention libnfnetlink, never mind me.

wgtdkp commented 1 year ago

Yeah, I was thinking about reading/writing raw netlink messages given we are already doing so. But libmnl or libnftnl are good candidates if they are generally available on different platforms that we support.
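The raw-netlink route discussed in this thread, as an added example (not ot-br-posix code): the three-message nfnetlink batch that creates an `inet` nftables table, serialised by hand with the header and attribute padding that libmnl/libnftnl would otherwise do for you. The constants are the kernel's UAPI values copied inline so it compiles without the netlink headers; the table name used in the test is a constructed placeholder.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h> /* htons() */

/* Values from the Linux UAPI headers (netlink.h, nfnetlink.h, nf_tables.h). */
#define NLM_F_REQUEST        0x001
#define NLM_F_ACK            0x004
#define NLM_F_CREATE         0x400
#define NFNL_SUBSYS_NFTABLES 10
#define NFNL_MSG_BATCH_BEGIN 16   /* NLMSG_MIN_TYPE */
#define NFNL_MSG_BATCH_END   17
#define NFT_MSG_NEWTABLE     0
#define NFTA_TABLE_NAME      1
#define NFPROTO_INET         1
#define NLA_ALIGN(n)         (((n) + 3u) & ~3u)
struct nlmsghdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
struct nfgenmsg { uint8_t family, version; uint16_t res_id; };
struct nlattr   { uint16_t len, type; };

/* Append one message (nlmsghdr + nfgenmsg + optional NLA_STRING attribute) at
 * buf+off; lengths are host byte order, units 4-byte padded. Returns end offset. */
static size_t put_msg(uint8_t *buf, size_t off, uint16_t type, uint16_t flags,
    uint32_t seq, uint8_t family, uint16_t res_id, uint16_t attr, const char *str)
{
    struct nfgenmsg nfg = { family, 0 /* NFNETLINK_V0 */, htons(res_id) };
    size_t len = sizeof(struct nlmsghdr) + sizeof nfg;
    memcpy(buf + off + sizeof(struct nlmsghdr), &nfg, sizeof nfg);
    if (str) {
        struct nlattr a = { (uint16_t)(sizeof a + strlen(str) + 1), attr };
        memcpy(buf + off + len, &a, sizeof a);
        memcpy(buf + off + len + sizeof a, str, strlen(str) + 1);
        len += NLA_ALIGN(a.len);
    }
    struct nlmsghdr nlh = { (uint32_t)len, type, flags, seq, 0 };
    memcpy(buf + off, &nlh, sizeof nlh);
    return off + len;
}

/* Build the batch BATCH_BEGIN, NEWTABLE(inet <table>), BATCH_END into buf
 * (needs 44 + strlen(table) + 3 bytes). Returns the total size. */
size_t build_newtable_batch(uint8_t *buf, const char *table, uint32_t seq)
{
    size_t off = put_msg(buf, 0, NFNL_MSG_BATCH_BEGIN, NLM_F_REQUEST, seq,
                         0 /* AF_UNSPEC */, NFNL_SUBSYS_NFTABLES, 0, NULL);
    off = put_msg(buf, off, (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWTABLE,
                  NLM_F_REQUEST | NLM_F_CREATE | NLM_F_ACK, seq + 1,
                  NFPROTO_INET, 0, NFTA_TABLE_NAME, table);
    return put_msg(buf, off, NFNL_MSG_BATCH_END, NLM_F_REQUEST, seq + 2,
                   0, NFNL_SUBSYS_NFTABLES, 0, NULL);
}
```

Delivering the buffer needs an AF_NETLINK/NETLINK_NETFILTER socket and CAP_NET_ADMIN; libmnl wraps exactly this header and attribute bookkeeping, which is the trade-off the thread weighs.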