
Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables
Open, Normal, Public


nftables is the biggest change in the Linux firewalling system in more than a decade.

It promises simplified rulesets, unification of IPv4/IPv6 rules and superior performance to iptables. It also allows backward compatibility with iptables rules. There may be benefits to switching but also reasons for not: if it ain't broke don't fix it. Nonetheless it's some food for thought.

Supported in recent kernels 3.13+ and packaged in Debian for Jessie and up.

Or Berkeley Packet Filter (BPF)?

IPv6 is coming in Tor:

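As an added illustration of the unified IPv4/IPv6 rulesets mentioned above (this is example code, not part of the task and not Whonix's firewall), here is a minimal default-drop ruleset in the `inet` family: one table applies to both address families, where iptables needs parallel iptables and ip6tables rules. The interface names, the `debian-tor` user and the policy choices are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. One table in the "inet" family covers IPv4 and IPv6 at once,
# so every rule below applies to both families. With iptables the same policy
# has to be written twice (iptables and ip6tables) and kept in sync by hand.
#
# Caveat for coexistence with iptables-nft: "flush ruleset" clears the whole
# nf_tables state, including the tables iptables-nft created for legacy rules.
flush ruleset

table inet filter {
    chain input {
        # Default-deny: anything not explicitly accepted is dropped.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Packets conntrack cannot classify never get a free pass.
        ct state invalid drop
        ct state established,related accept
        # ICMPv6 carries neighbour discovery; IPv4 ping kept for diagnostics.
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain forward {
        # The gateway forwards nothing by default; add explicit rules per use case.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state invalid drop
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Assumption: only the Tor daemon's user may open new outbound connections.
        meta skuid "debian-tor" accept
    }
}
```

`iptables-translate` prints the nft equivalent of a legacy iptables rule, which is the quickest way to see how an existing rule maps onto this syntax.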
Event Timeline

Yes, one day, nftables may be a good idea. Also, one day, IPv6 support may not be avoided if it is so widespread that Whonix would stand out without having IPv6 support.

Whonix is still "essentially based on the wiki page".

IPv6 / nftables is not something I am looking forward to. At the moment Whonix is well leak tested. There are leaks as obscure as the following one:
FIN ACK / RST ACK - Leak Test

And I wouldn't know who would have the skills and time to create an nftables based Whonix firewall that works at first as good as our current one.

So I propose to avoid nftables / IPv6 as long as sanely possible.

I would like to finish other work in preparation. Namely, packaging corridor and enabling testers to easily set it up as a leak testing gateway in front of Whonix-Gateway. (corridor is now ready.)

Patrick updated the task description.

Please note that Qubes 4.0 will use nftables (if available):

But it shouldn't be a problem to use iptables at the same time, thanks to the compatibility layer. Using nftables in Qubes will allow enabling qubes-firewall in Whonix Gateway without breaking the firewall installed by Whonix - at least in theory.

Patrick renamed this task from "Consider nftables as a replacement for iptables" to "Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables". Dec 11 2019, 2:11 AM
Patrick added a subscriber: madaidan.

It looks like bpfilter is in rather early stages, and it's a few years until we'll see it in Debian.