Talk:Nftables/Examples

From Gentoo Wiki

Which directory should hold nftables rules

Talk status
This discussion is done.

I guess that /etc/nftables is the suitable directory for nftables rules instead of /etc/conf.d/ as suggested in the examples. I am happy to modify the path if this is the case. Joan (Mimosinnet) --Mimosinnet 20:59, 4 August 2017 (UTC)

Sounds wonderful. Please update. --Grknight (talk) 17:42, 8 November 2018 (UTC)
Done! Joan (Mimosinnet) --Mimosinnet 00:22, 13 April 2019 (UTC)
I disagree, with a glance at other distributions as well as the nftables wiki. The current rule set is stored in /var/lib/nftables/rules_save when using OpenRC / /etc/init.d/nftables. This is controlled through conf.d/nftables. So either users choose their favorite location, or the default of the init script (and the systemd variant) is changed upstream. (added this comment after the talk was marked done) --Onkobu (talk) 18:40, 22 October 2021 (UTC)

nftables scripting

Talk status
This discussion is still ongoing.

Some scripting examples in the document use bash. Nevertheless, nftables suggests using its own native scripting environment. Is it all right to change the Stateful router example to nftables scripting syntax? Joan (Mimosinnet) Mimosinnet 11:55, 2 November 2019 (UTC)

And the current init script uses numeric mode to store the current rule set. This translates user-written verbose rules and strips off all variables by replacing them with their values (sets remain intact). I can't think of any sane firewall maintainer getting his rules mangled to something very technical. (Some rules change dramatically to very sophisticated expressions the average IP-blocker wouldn't come up with.)

nftables in 2021

The examples lack the netdev family for early packet dropping to mitigate (D)DoS with light load impact. It is also very uncomfortable to write down a human-readable rule set that gets mangled to numeric mode by default (see the comment above regarding scripting). Some updating needs to be done, as well as consolidation of package defaults.
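As an added illustration of the two points raised in this discussion (native nft scripting instead of bash, and a netdev ingress chain for cheap early dropping), here is a stateful-router rule set written as an nft script. It is not taken from the wiki page or from the Gentoo init script; interface names, the LAN prefix and the bogon list are assumptions.

```nft
#!/usr/bin/nft -f
# Added example, not the wiki page's own rules. Interface names and
# addresses below are assumptions; adjust them for the real host.
flush ruleset

define wan = "eth0"
define lan = "eth1"
define lan_net = 192.168.1.0/24

# The ingress hook runs before any inet prerouting/conntrack work, so
# dropping here sheds unwanted traffic with the least CPU cost.
# Note: conntrack state is not available yet at this hook.
table netdev early {
    set bogons {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
    }
    chain ingress {
        # "device" takes a literal name; keep it in sync with $wan above.
        type filter hook ingress device eth0 priority -500; policy accept;
        ip saddr @bogons counter drop                    # spoofed sources
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop  # null-flag packets
        tcp flags & (fin|syn) == (fin|syn) drop            # fin+syn never valid
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname $lan tcp dport { 22, 53 } accept
        iifname $lan udp dport 53 accept
        meta l4proto { icmp, ipv6-icmp } accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $lan oifname $wan ip saddr $lan_net accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan ip saddr $lan_net masquerade
    }
}
```

Load it with nft -f and check it with nft -c -f first. When the init script saves the rule set in numeric mode, as described above, the define names are replaced by their values on restore while the named set survives, so anything you want to keep readable across a save/restore cycle belongs in a set rather than a define.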