Adoption: Difference between revisions
Latest revision as of 19:07, 17 February 2021
The Netfilter project and community is focused on replacing the iptables framework with nftables, adding new features and refreshing some workflows along the way.
Many upstream projects use iptables to handle filtering, NAT, mangling and other networking tasks. This page tracks nftables adoption in the wider community.
Cases
Known cases and examples we have heard of. TODO: extend with more current data.
All major Linux distributions ship the nftables framework ready to use. See Nftables from distributions.
system / firewalling / management
Supporting nftables
The following projects are known to either directly support nftables or have authors actively working on nftables integration.
- https://www.fail2ban.org/ -- the fail2ban tool already includes native support for nftables.
- https://firewalld.org/ -- firewalld by Red Hat is currently developing a native integration with nftables.
- https://suricata-ids.org/ -- Suricata can work natively with nftables (https://home.regit.org/2014/02/suricata-and-nftables/)
- https://keepalived.org/ -- keepalived works natively with nftables (https://github.com/acassen/keepalived/issues/924)
Supporting iptables only
The following projects are known to support only iptables/iptables-nft, with no plans to support nftables in the future.
- http://ferm.foo-projects.org/ -- citation: https://github.com/MaxKellermann/ferm/issues/35#issuecomment-386091563
- https://shorewall.org/ -- citation: https://sourceforge.net/p/shorewall/mailman/message/35458915/
virtualization / cloud / infrastructure
- https://github.com/zevenet/nftlb -- nftlb by Zevenet is an nftables-based load balancer which can outperform LVS by 10x
- https://www.docker.com/ -- Some discussion happened in the Docker community regarding a native integration with nftables, which could ease some of their use cases (https://github.com/moby/moby/issues/26824) (https://github.com/robbertkl/docker-ipv6nat/issues/17) (running Docker with IPv6 using nftables: https://stephank.nl/p/2017-06-05-ipv6-on-production-docker.html)
- https://kubernetes.io/ -- Kubernetes does not support nftables yet, but some discussion has already happened (https://github.com/kubernetes/kubernetes/issues/45385). Compat tools may be used to make Kubernetes use nftables transparently.
- http://openstack.org/ -- OpenStack does not support nftables yet. Compat tools may be used to make Neutron and other components use nftables transparently.
- https://libvirt.org/ -- there are reports of people running libvirt with nftables for bridge filtering for virtual machines
- https://saltstack.com/ -- SaltStack includes native support for nftables (link).
- https://coreos.com/ -- the CoreOS ecosystem includes native support for nftables (link)
others
- https://openwrt.org/ -- there are reports of people running nftables rather than iptables on OpenWrt systems
- https://www.cica.es/ -- this regional NREN uses nftables in the datacenter for its perimeter firewalls (slides)
- Nftables from distributions -- all major Linux distribution already include nftables ready to use
- https://www.nano-editor.org/ -- The nano editor includes syntax highlighting for nftables in files with .nft name extension or nft shebang
- https://github.com/nfnty/vim-nftables -- syntax highlighting for nftables in the Vim editor
- Institut de Physique de Rennes -- this French research institute appears to be using nftables together with Ansible (link)
- VPN -- nftables can be combined with other software packages such as OpenVPN to build solid VPN solutions (link)
- netlink golang package -- the Go netlink package gained batching support so that it can work with nftables (link)
- nftables golang library -- this nftables integration library for Go was written by Google