nftables and future direction for development
Inspired by aports#14058 (closed), I am opening this issue to collect feedback from awall users to decide on its future direction.

The Linux kernel has a new firewall subsystem called nftables, which is intended to replace the old iptables over time. awall was created ten years ago as an abstraction layer on top of iptables to address its shortcomings. Some of these have been addressed by the newer nftables and the corresponding user-space tool nft. For example, it is possible to define variables and combined IPv4/IPv6 rules, as well as to split rules into modules. On the other hand, it is not possible to define e.g. zones or inter-module dependencies, nor to fall back to the previous configuration.
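As an added illustration (not from this issue or from awall itself), the nft rule set below shows the three capabilities mentioned above in nft's own language: variables via define, a single inet table that matches both IPv4 and IPv6, and modular includes. Interface names, addresses and the include path are constructed sample values.

```nft
#!/usr/sbin/nft -f
# Added example, not awall code. Interface, addresses and paths are constructed.

flush ruleset

# Variables: named values reused across rules (nft's own "define" keyword).
define lan_if = "eth0"
define admin_v4 = { 192.168.1.0/24 }
define admin_v6 = { 2001:db8::/32 }

# The inet family lets one table and one chain handle both IPv4 and IPv6,
# instead of duplicating every rule in separate "ip" and "ip6" tables.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Address-family specific matches still work inside an inet chain.
        iifname $lan_if ip saddr $admin_v4 tcp dport 22 accept
        iifname $lan_if ip6 saddr $admin_v6 tcp dport 22 accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}

# Modules: per-service rules live in separate files that add further rules
# to "table inet filter" above; nft merges them into the existing table.
include "/etc/nftables.d/*.nft"
```

What nft does not give you here is awall-style zones or a timed fallback to the previous rule set; a failed load of this file simply leaves the kernel with whatever rule set was active before the flush was committed, so test changes with `nft -c -f` before applying them.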
So I would like to hear your opinions on whether awall still has value despite the introduction of nftables and what the best way forward is. At least the following alternatives come to my mind:
- Co-exist with nftables with minimal changes, leveraging the compatible iptables tools
- Convert awall to interface with nft instead of iptables, retaining compatibility on the awall policy file level
- Implement a more lightweight layer on top of nft, providing the missing abstractions that are deemed useful
- Address the gaps by working with upstream to have the essential features implemented in nft