nftables is the biggest change in the Linux firewalling system in more than a decade.
It promises simplified rulesets, unification of IPv4/IPv6 rules and better performance than iptables. It also offers backward compatibility with iptables rules. There may be benefits to switching, but also reasons not to: if it ain't broke, don't fix it. Nonetheless it's some food for thought.
Supported in recent kernels 3.13+ and packaged in Debian for Jessie and up.
https://en.wikipedia.org/wiki/Nftables
http://wiki.nftables.org/wiki-nftables/index.php/Main_Page
http://netfilter.org/projects/nftables/
http://ral-arturo.org/2018/06/16/nfws2018.html
Or Berkeley Packet Filter (BPF)?
https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
IPv6 is coming in Tor:
- https://trac.torproject.org/projects/tor/ticket/21269
- more importantly: https://trac.torproject.org/projects/tor/ticket/17217
TODO:
- Work at upstream Tor: an older version of the https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy page was the origin of Whonix. Update that page for nftables / IPv6 support without mentioning Whonix, then discuss it on the tor-talk mailing list for wider input. Ticket: https://trac.torproject.org/projects/tor/ticket/21397
- Implement the corridor feature request "add IPv6 support / port to nftables": https://github.com/rustybird/corridor/issues/39
- port whonix-gw-firewall to nftables
- port whonix-ws-firewall to nftables
- make connections to IPv6 Tor relays work
- make connections to IPv6 destinations work
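As an added illustration of what the nftables port of a gateway firewall would look like (example code, not Whonix's or Tor's own ruleset), the function below emits a transparent-proxy ruleset in the `inet` family, so one set of redirect rules covers IPv4 and IPv6 instead of the separate `ip`/`ip6` tables an iptables setup needs. The client-facing interface `eth1`, the TransPort 9040 and the DNSPort 5300 are assumptions; inet-family nat chains need Linux 5.2 or later.

```shell
#!/bin/sh
# Emit an nftables ruleset for a Tor transparent-proxy gateway (added example).
# Arguments: internal interface, Tor TransPort, Tor DNSPort (all assumed defaults).
gen_tor_transproxy() {
    int_if="${1:-eth1}"     # assumed client-facing interface
    trans_port="${2:-9040}" # assumed Tor TransPort
    dns_port="${3:-5300}"   # assumed Tor DNSPort
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet tor_transproxy {
    # The inet family makes these rules apply to IPv4 and IPv6 alike,
    # so the DNS and TCP redirects are written once, not per family.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "${int_if}" udp dport 53 redirect to :${dns_port}
        iifname "${int_if}" tcp dport 53 redirect to :${dns_port}
        iifname "${int_if}" tcp flags syn redirect to :${trans_port}
    }
    # Only Tor's listening ports are reachable from clients; everything
    # else destined to the gateway itself is dropped.
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "${int_if}" tcp dport { ${trans_port}, ${dns_port} } accept
        iifname "${int_if}" udp dport ${dns_port} accept
    }
    # Nothing is forwarded: a client flow either terminates at Tor or dies here,
    # which is what keeps non-Tor (and IPv6) leaks from the clients impossible.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}
```

Write the output to a file and check it with `nft -c -f <file>` before loading it with `nft -f <file>`.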