Re: iptables-normalizet: argument normalization and DNS resolution?

Hello,

On Wed, 9 Apr 2014 16:00:56 +0200
Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote:
> On 9 April 2014 14:10, Daniel Tiebler
> <daniel.tiebler@xxxxxxxxxxxxxxxxxxxx> wrote:
> [...]
> > * Is something similar possible with nftables?
>
> In nftables, you can know a low-level (netlink) representation of all
> nftables objects (tables, sets, chains, rules...) in userspace (using
> libnftnl).

Userspace is great.
Is it necessary to load the rules into the kernel beforehand? It would be nice to operate in userspace completely to be able to compare two sets of rules.

> This representation is either XML or JSON, where DNS name resolution,
> service name resolution and friends are translations to the internal
> kernel data structures.

If every exported or generated data has the same format, that is okay.

> Tracking FQDNs changes is another, different issue.

That's right.
The normalization has a higher priority for us.
At the moment we are using iptables, but if nftables replaces iptables, it would be nice if it had the requested features.

With kind regards,
Daniel Tiebler
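As an added illustration of the normalization this thread asks about (example code, not from the thread, netfilter or libnftnl): canonicalize two iptables-save style rules so that option spelling, option order, service names and host names no longer produce spurious differences when two rule sets are compared in userspace. The service and host tables are constructed stand-ins for /etc/services and DNS, and the parser assumes every option takes exactly one value and no `!` negation is used.

```python
import ipaddress

# Constructed stand-ins for /etc/services and DNS (assumption: a real tool would
# fill these from getservbyname()/getaddrinfo() when the ruleset is exported).
SERVICES = {"http": "80", "https": "443", "ssh": "22", "domain": "53"}
HOSTS = {"localhost": "127.0.0.1", "web1.example": "192.0.2.10"}

# Long option spellings iptables accepts, mapped to one canonical form.
ALIASES = {
    "--source": "-s", "--src": "-s", "--destination": "-d", "--dst": "-d",
    "--protocol": "-p", "--jump": "-j", "--append": "-A",
    "--in-interface": "-i", "--out-interface": "-o",
    "--destination-port": "--dport", "--source-port": "--sport",
}

def norm_addr(value):
    """Resolve a host name (via the constructed table) and print it as CIDR."""
    host, _, plen = value.partition("/")
    host = HOSTS.get(host, host)
    return str(ipaddress.ip_network(f"{host}/{plen or 32}", strict=False))

def norm_ports(value):
    """Replace service names in a port value (or comma list) with numbers."""
    return ",".join(SERVICES.get(p, p) for p in value.split(","))

def normalize_rule(rule):
    """Canonical form of one iptables rule: a sorted tuple of (option, value).
    Assumes every option takes exactly one value and no '!' negation is used."""
    toks = rule.split()
    if len(toks) % 2:
        raise ValueError(f"unbalanced option/value tokens: {rule}")
    pairs = []
    for opt, val in zip(toks[::2], toks[1::2]):
        opt = ALIASES.get(opt, opt)
        if opt in ("-s", "-d"):
            val = norm_addr(val)
        elif opt in ("--dport", "--sport", "--dports", "--sports"):
            val = norm_ports(val)
        elif opt == "-p":
            val = val.lower()
        pairs.append((opt, val))
    return tuple(sorted(pairs))

def diff_rulesets(old, new):
    """Rules present in only one set after normalization, so rules that differ
    only in spelling, option order or name resolution are not reported."""
    a = {normalize_rule(r) for r in old}
    b = {normalize_rule(r) for r in new}
    return sorted(a - b), sorted(b - a)
```

Because name resolution happens at normalization time, the output is only stable if both rule sets were resolved against the same tables, which is exactly the FQDN-tracking issue Arturo separates from normalization.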