On Mon, Dec 30, 2013 at 1:04 PM, James <wirel...@tampabay.rr.com> wrote:
> shawn wilson <ag4ve.us <at> gmail.com> writes:
>
>> Also see nftables: http://netfilter.org/projects/nftables/
>
> Interesting read.
>
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
> http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg
>
> Where is the diagram for nftables, in some detail?
>
> How secure is nftables, currently? I could not find any results of
> published penetration testing against nftables vs ip,eb,x(tables)? Any
> published results against an array of penetration testing?
>
First, I don't know what they mean by xtables vs iptables:

# whereis iptables
iptables: /sbin/iptables /usr/include/iptables /usr/include/iptables.h /usr/share/man/man8/iptables.8.bz2
# readlink /sbin/iptables
xtables-multi
# whereis xtables-multi
xtables-multi: /sbin/xtables-multi

Right? So, that's just being needlessly verbose.

Per testing. As long as they didn't do anything stupid (I seriously doubt that):
http://www.cvedetails.com/product/1656/Netfilter-Core-Team-Iptables.html?vendor_id=959

Would I convert a prime time server to using nftables right now? Hell no. Is it safe? Probably.

> Also, libmnl, seems to be a library looking for developers to use?
> It seems very early stage to me, and not ready for prime-time, at
> first glance? What did I miss?
>
No idea.
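The whereis/readlink check above follows only one symlink hop by hand. Below is an added example (not part of the thread, and not netfilter's own tooling) that resolves the whole chain and names the multi-call binary the iptables command actually ends up in. The binary names it recognises are the ones the iptables package installs: xtables-multi (the pre-1.8 name seen in the post) and, assuming an iptables 1.8 or later system, xtables-legacy-multi and xtables-nft-multi, the latter being the iptables front end that talks to the nftables kernel backend. The classification strings are this example's own wording.

```sh
#!/bin/sh
# Added example: report which netfilter multi-call binary an iptables
# command name resolves to. Binary names are those shipped by the iptables
# package; xtables-legacy-multi and xtables-nft-multi only exist from
# iptables 1.8 onwards (assumption about the installed version).

# iptables_backend <command-name-or-path>
# Prints "<resolved basename>: <classification>" and returns 0, or returns 1
# when the command cannot be found.
iptables_backend() {
    cmd=$1
    case $cmd in
        */*) path=$cmd ;;                                   # explicit path given
        *)   path=$(command -v "$cmd" 2>/dev/null) || return 1 ;;  # look up in PATH
    esac
    [ -e "$path" ] || return 1

    # readlink -f follows every hop (iptables -> xtables-multi -> ...),
    # whereas plain readlink, as used in the post, shows only the first.
    target=$(readlink -f "$path") || return 1
    base=$(basename "$target")

    case $base in
        xtables-multi|xtables-legacy-multi)
            kind="legacy iptables (xtables) multi-call binary" ;;
        xtables-nft-multi)
            kind="iptables front end over the nftables backend" ;;
        nft)
            kind="native nftables tool" ;;
        *)
            kind="not a recognised netfilter multi-call binary" ;;
    esac
    printf '%s: %s\n' "$base" "$kind"
}

# Stand-alone usage: inspect the system's own iptables, if any.
iptables_backend iptables || echo "iptables: not installed"
```

The distinction matters when auditing a host: a box whose iptables resolves to xtables-nft-multi is already running on nftables in the kernel even though every admin command still spells "iptables".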