Iptables is deprecated, replaced with nftables when?

Hi
Are there any plans to replace iptables with nftables?
iptables is deprecated.
nftables has been around since 2008 and included in the Linux Kernel since 2014.

Just asking.

We’re dealing with a small staff, who are underfunded and underappreciated. They are going above and beyond, in my estimation.

Mea culpa… I am but a poor person, who can’t send proper financial support. I try to help where I can.

“Patience, is needed. Appreciation, is necessary.” (/Yoda)

3 Likes

It sounds as if you know this stuff, so if you know how to implement nftables maybe you can be part of the implementation and join the developers? See wiki.ipfire.org - Development

2 Likes

Besides the fact that the priorities of a small team of developers are different from those of a user, I would say: network effect. nftables is not 10 times better than iptables. Roughly, you need an order of magnitude advantage on the incumbent or a very long time to displace a network that has grown due to network effects. Ask ipv6 how it is going, after it was published as a standard a quarter of a century ago.

EDIT: when I researched the topic, I came to the conclusion that nftables should be the way to go. No pre-configured tables, simpler and more efficient syntax, automatic support of ipv6 and ipv4, to name a few. Not always as optimized as iptables, not all the features ported, and the fact that it would require a substantial rewrite of the entire firewall by the developers is what is going to keep it there as second fiddle for a very long time, unless it becomes at least an order of magnitude better or more compelling. Network effects are really powerful.

3 Likes
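To make the points in the post above concrete (no pre-configured tables, one syntax for IPv4 and IPv6), here is an added illustration of a small stateful firewall written as an nftables ruleset. It is not IPFire's ruleset or any code from the project; the interface names `red0` and `green0`, the admin addresses and the open ports are constructed for the example. With iptables the same policy would need parallel `iptables` and `ip6tables` rule sets plus an `ipset` for the address list; in the `inet` family it is written once and the kernel applies it to both address families.

```nft
# Added example, not IPFire's configuration.
# Assumed interfaces: red0 = upstream/WAN, green0 = internal LAN.
flush ruleset

# A table in the "inet" family is evaluated for IPv4 and IPv6 packets alike.
# Nothing exists until declared here: there are no built-in INPUT/FORWARD chains.
table inet filter {
    # Named set instead of repeating addresses in every rule (iptables would need ipset).
    set admin_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }   # constructed sample addresses (RFC 5737 range)
    }

    chain input {
        # Base chain: bound to the input hook, default deny.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP and ICMPv6 are both matched by one rule; ICMPv6 is required for
        # neighbour discovery and path MTU discovery, so blanket-dropping it breaks IPv6.
        meta l4proto { icmp, ipv6-icmp } accept
        # Management only from the LAN side and only from the admin set.
        iifname "green0" ip saddr @admin_hosts tcp dport 22 accept
        # DNS and DHCP service for the LAN.
        iifname "green0" udp dport { 53, 67 } accept
        # Count what the WAN side sends us before dropping it (visible in `nft list ruleset`).
        iifname "red0" counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN may initiate outbound; replies return via the established rule above.
        iifname "green0" oifname "red0" accept
    }
}

# NAT is address-family specific, so masquerading lives in an "ip" (IPv4-only) table.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "red0" masquerade
    }
}
```

Load it with `nft -f <file>`; `nft -c -f <file>` parses and checks the file without applying it, which is the safe way to validate a rewritten ruleset before replacing a working firewall. The `counter` on the final WAN rule is a cheap way to see dropped traffic volume without logging every packet.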

I would expect that there would be a huge amount of work to replace iptables with nftables, because it is so tied up with the core function of IPFire, and the big challenge would likely be how to migrate all users' system rules from one to the other without breaking such a core function.

Therefore my view is that it will probably never occur in IPFire2.x

However looking in the IPFire3.x repo I find that nftables is there as a package and not iptables.

5 Likes

Hi
I am confused. Someone has marked as a solution that IPFire will probably never have nftables, but IPFire3.x already has nftables. Does that mean that work is already being done to include nftables in IPFire development roadmap?

I don’t know how IPFire is written or what language is used. I wouldn’t know where to start.

I do appreciate the work done by a small team to produce IPFire. My question was not a criticism.

The difficult part is converting the rules that constitute the entire firewall in iptables to a different syntax and rebuilding the whole thing, making sure that the bugs will not be overwhelming. I am not sure if IPFire-3.X has this intention; it could be that the plan is a complete rewriting of the rules and using only nftables, or keeping both together (which is possible) to gradually change from one to the other. No idea what the direction of the development will be. For sure, it’s going to be years in the future.

It was quite evident to me that this was the case, that’s why I spent some of my time trying to answer your honest question, which was very much appreciated, at least by me. By the way, criticism is not bad per se. What people that care about a project tend not to appreciate is insistent criticism from a party that is not accompanied by the will to help and put skin in the game, but is clearly only driven by the desire to have one's own needs satisfied without any work outside arguing in a forum. Having said that, asking honest questions is for me always all right.

5 Likes

I marked it as “solved”

This was the question:


And this was the answer:

So “yes” there are plans!

5 Likes

A rewrite will definitely happen on the basis of nftables, but apart from being nicer to use for the developers, there won’t be any advantages for users.

The code that handles packets in the kernel is the same, whether you are using nftables or iptables. Things won’t be faster, or more secure or anything like this.

Therefore there are no plans to migrate away from iptables in IPFire 2.

9 Likes