
Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables
Open, NormalPublic

Description

nftables is the biggest change in the Linux firewalling system in more than a decade.

It promises simplified rulesets, unification of IPv4/IPv6 rules and superior performance to iptables. It also allows backward compatibility with iptables rules. There may be benefits to switching but also reasons for not: if it ain't broke don't fix it. Nonetheless it's some food for thought.

Supported in recent kernels 3.13+ and packaged in Debian for Jessie and up.

https://en.wikipedia.org/wiki/Nftables
http://wiki.nftables.org/wiki-nftables/index.php/Main_Page
http://netfilter.org/projects/nftables/
http://ral-arturo.org/2018/06/16/nfws2018.html


Or Berkeley Packet Filter (BPF)?

https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/


IPv6 is coming in Tor:


TODO:
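As an added illustration of the "unification of IPv4/IPv6 rules" point (not part of the task and not Whonix's own firewall code), this nftables script writes a default-deny input policy once in an `inet` table, where the iptables equivalent needs every rule repeated for `iptables` and `ip6tables`; the interface name and port are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not Whonix firewall code. Default-deny on both address
# families, written once. With iptables each rule is needed twice, e.g.
#   iptables  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 only works if neighbour discovery is allowed; a ruleset ported
        # from an IPv4-only iptables setup silently breaks IPv6 here.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # IPv4 counterpart for basic reachability checks (assumed acceptable here).
        icmp type echo-request accept

        # Assumed placeholder: SSH only from the internal interface "eth1".
        iif "eth1" tcp dport 22 accept

        # Everything that falls through is logged before the drop policy, which
        # is what a leak test inspects to confirm nothing unexpected got through.
        log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        log prefix "nft-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and review the combined state with `nft list ruleset`, which also shows any rules installed through the iptables compatibility layer.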

Details

Impact
Normal

Event Timeline

Patrick added a comment. Edited May 12 2016, 12:30 AM

Yes, one day, nftables may be a good idea. Also, one day, IPv6 support may not be avoided if it is so widespread that Whonix would stand out without having IPv6 support.

Whonix is still "essentially based on the https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy wiki page".

IPv6 / nftables is not something I am looking forward to. At the moment Whonix is well leak tested. There are leaks as obscure as the following one:
FIN ACK / RST ACK - Leak Test

And I wouldn't know who would have the skills and time to create an nftables-based Whonix firewall that works from the start as well as our current one.

So I propose to avoid nftables / IPv6 as long as sanely possible.

EDIT:
I would like to finish other work in preparation. Namely, packaging corridor and enabling testers to easily set it up as a leak testing gateway in front of Whonix-Gateway. (corridor is now ready.)

Patrick updated the task description. Jan 30 2017, 11:04 AM
Patrick updated the task description.

Please note that Qubes 4.0 will use nftables (if available):
https://github.com/QubesOS/qubes-issues/issues/974#issuecomment-251825457

But it shouldn't be a problem to use iptables at the same time, thanks to the compatibility layer. Using nftables in Qubes will allow enabling qubes-firewall in Whonix-Gateway without breaking the firewall installed by Whonix, at least in theory.

Patrick updated the task description. Jan 31 2017, 9:23 PM
Patrick updated the task description. Feb 5 2017, 5:45 PM
Patrick updated the task description. Feb 5 2017, 5:56 PM
iry added a subscriber: iry. Jan 22 2018, 11:04 PM
Patrick updated the task description. Jun 18 2018, 4:23 PM

Starting with Bullseye nftables will be the default:

https://ral-arturo.org/2019/10/14/debian-netfilter.html

Patrick renamed this task from "Consider nftables as a replacement for iptables" to "Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables". Wed, Dec 11, 2:11 AM
Patrick added a subscriber: madaidan.

It looks like bpfilter is in rather early stages, and it's a few years until we'll see it in Debian.