Re: ipset vs. nftables set


 



On 12 November 2024 20:23:27 UTC, Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:

>If my interpretation was incorrect, then my post can be disregarded. However, I would still be none the wiser as to what you were instructing Slavko not to do.

My intent was that, when coming from iptables, one is using
the same tables in nft as one had in iptables, and that results
in four (or more) nft tables -- raw, nat, mangle and filter.

But in nft one can take all (needed) iptables chains and
place them into one nft table (per protocol or in the common
inet table), as one is free to set the appropriate chain hooks
and priority. That wasn't possible in iptables, as its hooks
and priorities were hardcoded. In other words, iptables's
tables have a different purpose than nft's tables (only grouping).

And as one is free to set a chain's/hook's priority, one can
even set the same priority (and hook) for multiple chains in
the same table and it will not be an error, but often it is not what
one wants, as their order is then undefined.

regards


-- 
Slavko
https://www.slavino.sk/
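
The layout described in the message above, as an added example that is not part of the original post: one `inet` table holding chains that iptables would have split across raw, mangle, nat and filter. The table name `fw`, the chain names, the interface `eth0` and the sample rules are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Constructed example: a single inet table replaces the four iptables tables.
# The table only groups chains; hook and priority decide where each one runs.
# Note: nat chains in the inet family need a reasonably recent kernel.

table inet fw {
    # iptables raw/PREROUTING: runs before conntrack (priority raw = -300)
    chain raw_pre {
        type filter hook prerouting priority raw; policy accept;
        iifname "lo" notrack
    }

    # iptables mangle/PREROUTING (priority mangle = -150)
    chain mangle_pre {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 22 meta mark set 0x1
    }

    # iptables nat/PREROUTING (priority dstnat = -100)
    chain nat_pre {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 8080 redirect to :80
    }

    # iptables filter/INPUT (priority filter = 0)
    chain filter_in {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        tcp dport { 22, 80 } accept
    }

    # A second base chain on the same hook. Giving it a distinct priority
    # (filter + 10) makes it run after filter_in; reusing "priority filter"
    # here would load without error but leave the relative order of the two
    # chains undefined, as the post points out.
    chain filter_in_log {
        type filter hook input priority filter + 10; policy accept;
        tcp dport 22 ct state new log prefix "ssh-new: "
    }

    # iptables nat/POSTROUTING (priority srcnat = 100)
    chain nat_post {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
```

`nft -c -f <file>` parses the ruleset without applying it, and `nft list ruleset` shows the resolved hook and priority of each base chain after loading.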




