simoncion a day ago
As someone who recently switched over from iptables to nftables on one of my machines, the only thing that's better with nftables are sets and maps... And, like, maybe I'm missing something, but I've found that sets are insufficiently powerful and maps are insufficiently well-documented. You can't have nested sets... that is sets that are defined (partially or completely) in terms of other sets. You also can't share sets across tables (or have "global" sets)... so that list of interfaces that'd be really good to apply to all of your rules? Yeah, you've gotta duplicate it in every damn table. And maps? My big beef with them is that the documentation makes two things very unclear: 1) What part of the nftables rule is going to do a lookup of the key in the map and what part will get the value. Like, seriously. Check out the nft(8) man page and look at their mapping examples. The k:v selection and insertion logic is clear as mud. I can guess a couple of possible interpretations, but if they explicitly state the logic, I must have skipped over it. 2) If it's even possible to have a multi-component key, to -for example- cook up a "verdict map" that fills out the statements:
You also lose the really nice tabular status display that 'iptables -L -n -v' provides you... instead you get a nested abomination that (on the one hand) thankfully isn't fucking JSON, but (on the other hand) isn't JSON, so you have to cook up a processor if you want to transform it. You also lose the really nice, well-thought-out CLI help text for doing basic shit, like, such as "List the goddamn rules in the fucking ruleset". Even the nft(8) man page takes its sweet time getting around to telling you how to do that really fundamental task.

"The CLIs are much less nice to use" is kind of a theme I've noticed with some of these replacement networking-management tools. 'bridge' is way less nice to use than 'brctl' [0], 'ss' is quite a bit more obnoxious than 'netstat', etc, etc. Though, to be clear, I find 'ip' to be a much better tool than 'ifconfig'... at least the Linux version of 'ifconfig'. Maybe the BSD version is great.

[0] It doesn't help at all that you have to use both 'ip' and 'bridge' to manage bridges.
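The set and map mechanics the comment asks about (which side of a rule is the lookup key, which side is the returned value, and a two-component key in a verdict map), as an added nftables ruleset written for this page, not code from the commenter or the nftables project. It assumes a reasonably recent nft and kernel that accept concatenated map keys; the addresses, interface names and chain names are constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Constructed example: loads a minimal inet filter table.
flush ruleset

table inet filter {
    # A named set: one place in this table to list trusted interfaces.
    set trusted_ifaces {
        type ifname
        elements = { "lo", "wg0" }
    }

    # A named verdict map with a two-part (concatenated) key.
    # Each element is  KEY : VALUE ; here KEY is ipv4_addr . inet_service
    # and VALUE is the verdict returned when a lookup matches that key.
    map src_port_verdict {
        type ipv4_addr . inet_service : verdict
        elements = { 192.0.2.10 . 22 : jump ssh_in,
                     192.0.2.20 . 443 : accept }
    }

    chain ssh_in {
        # Reached only via the "jump ssh_in" value stored in the map.
        limit rate 10/minute accept
        drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Set membership: the expression on the left (iifname) is what
        # gets looked up in the set; no value comes back, only match/no match.
        iifname @trusted_ifaces accept

        # Map lookup: the expression left of "vmap" is the key, built in the
        # same order as the map's key type (ip saddr . tcp dport). The verdict
        # stored under that key is applied; keys not in the map fall through.
        ip saddr . tcp dport vmap @src_port_verdict

        # Anonymous verdict map with a single-component key, same semantics.
        tcp dport vmap { 80 : accept, 8080 : drop }

        log prefix "input-drop: " counter drop
    }
}
```

Load it with `nft -c -f file.nft` first to syntax-check without applying, then `nft -f file.nft`; `nft list map inet filter src_port_verdict` shows the stored key/value pairs.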