On Mon, Dec 30, 2013 at 1:04 PM, James <wireless@×××××××××××.com> wrote:
> shawn wilson <ag4ve.us <at> gmail.com> writes:
>
>
>> Also see nftables: http://netfilter.org/projects/nftables/
>
> Interesting read.
>
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg
>
> Where is the diagram for nftables, in some detail?
>
>
> How secure is nftables, currently? I could not find any results of
> published penetration testing against nftables vs ip,eb,x(tables)?. Any
> published results against an array of penetration testing?
>

First, I don't know what they mean by xtables vs iptables:
# whereis iptables
iptables: /sbin/iptables /usr/include/iptables /usr/include/iptables.h
/usr/share/man/man8/iptables.8.bz2
# readlink /sbin/iptables
xtables-multi
# whereis xtables-multi
xtables-multi: /sbin/xtables-multi

Right? So, that's just being needlessly verbose.

Per testing. As long as they didn't do anything stupid (I seriously doubt that):
http://www.cvedetails.com/product/1656/Netfilter-Core-Team-Iptables.html?vendor_id=959

Would I convert a prime time server to using nftables right now? Hell
no. Is it safe? Probably.

> Also, libmnl, seems to be a library looking for developers to use?
> It seems very early stage to me, and not ready for prime-time, at
> first glance? What did I miss?
>

No idea.
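The reply above shows that /sbin/iptables is only a symlink to the multi-call binary xtables-multi, which picks its personality (iptables, ip6tables, iptables-save, ...) from the name it was invoked under. The script below is an added illustration of that mechanism, not code from the thread or from the netfilter project: it builds a constructed sandbox directory with a fake xtables-multi stand-in and the usual front-end symlinks, then shows both how the names resolve and what argv[0]-based dispatch sees. The sandbox path, the fake script and the function names are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): how a multi-call binary such as
# xtables-multi is reached through several front-end names. Everything runs
# inside a constructed temporary directory, so it does not touch the host's
# real iptables installation.
set -eu

# Build the constructed sandbox: a fake "xtables-multi" that reports the name
# it was invoked under, plus symlinks for the front-end names seen on a
# typical install. The real xtables-multi uses argv[0] the same way.
make_sandbox() {
    dir=$(mktemp -d)
    cat > "$dir/xtables-multi" <<'EOF'
#!/bin/sh
# Fake stand-in for xtables-multi (this example's own, not the real tool):
# the real binary selects iptables/ip6tables/... from argv[0].
echo "dispatching as $(basename "$0")"
EOF
    chmod +x "$dir/xtables-multi"
    for name in iptables ip6tables iptables-save iptables-restore; do
        ln -s xtables-multi "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# resolve_multicall PATH: print "NAME -> TARGET", where TARGET is the basename
# of the final link target (what `readlink -f` reports). This is the step
# from the thread (`readlink /sbin/iptables` -> xtables-multi) generalised to
# any front-end name.
resolve_multicall() {
    target=$(readlink -f "$1")
    printf '%s -> %s\n' "$(basename "$1")" "$(basename "$target")"
}

# invoke_frontend PATH: run the front-end through its link and return what the
# multi-call binary sees as its own name.
invoke_frontend() {
    "$1"
}

main() {
    sb=$(make_sandbox)
    for name in iptables ip6tables iptables-save iptables-restore; do
        resolve_multicall "$sb/$name"   # every name collapses onto xtables-multi
        invoke_frontend "$sb/$name"     # but the binary behaves per argv[0]
    done
    rm -rf "$sb"
}

main "$@"
```

One practical consequence for defenders: file-integrity monitoring and application allowlists should track the real xtables-multi binary rather than the /sbin/iptables symlink alone, since the symlink can point anywhere while the name stays the same.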