| 1 |
On Mon, Dec 30, 2013 at 1:04 PM, James <wireless@×××××××××××.com> wrote: |
| 2 |
> shawn wilson <ag4ve.us <at> gmail.com> writes: |
| 3 |
> |
| 4 |
> |
| 5 |
>> Also see nftables: http://netfilter.org/projects/nftables/ |
| 6 |
> |
| 7 |
> Interesting read. |
| 8 |
> |
| 9 |
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg |
| 10 |
> |
| 11 |
> http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg |
| 12 |
> |
| 13 |
> Where is the diagram for nftables, in some detail? |
| 14 |
> |
| 15 |
> |
| 16 |
> How secure is nftables, currently? I could not find any results of |
| 17 |
> published penetration testing against nftables vs ip,eb,x(tables)?. Any |
| 18 |
> published results against an array of penetration testing? |
| 19 |
> |
| 20 |
|
| 21 |
First, I don't know what they mean by xtables vs iptables: |
| 22 |
# whereis iptables |
| 23 |
iptables: /sbin/iptables /usr/include/iptables /usr/include/iptables.h |
| 24 |
/usr/share/man/man8/iptables.8.bz2 |
| 25 |
# readlink /sbin/iptables |
| 26 |
xtables-multi |
| 27 |
# whereis xtables-multi |
| 28 |
xtables-multi: /sbin/xtables-multi |
| 29 |
|
| 30 |
Right? So, that's just being neadlessly verbose. |
| 31 |
|
| 32 |
Per testing. As long as they didn't do anything stupid (I seriously doubt that): |
| 33 |
http://www.cvedetails.com/product/1656/Netfilter-Core-Team-Iptables.html?vendor_id=959 |
| 34 |
|
| 35 |
Would I convert a prime time server to using nftables right now? Hell |
| 36 |
no. Is it safe, probably. |
| 37 |
|
| 38 |
> Also, libmnl, seems to be a library looking for developers to use? |
| 39 |
> It seems very early stage to me, and not ready for prime-time, at |
| 40 |
> first glance? What did I miss? |
| 41 |
> |
| 42 |
|
| 43 |
No idea. |
Archives
