migrate from iptables to nftables

[NRGLine4Sec]

It is in your roadmap to migrate to nftables ?
And thanks for working on Opensnitch !

[gustavo-iniguez-goya]

Hi NRGLine4Sec,

Not for now, but I guess it's one of the next logical steps.

[q2dg]

Nftables is already used by default in Ubuntu and Fedora among others. So iptables's countdown has started

[NRGLine4Sec]

Maybe, it could be more interessant to migrate to bpfilter (powered by BPF) :
Why is the kernel community replacing iptables with BPF? — Cilium
BPF comes to firewalls [LWN.net]

[gustavo-iniguez-goya]

Yes, that's the future (/present). The only problem is that it's not available in all kernels/environments, and not all the features are supported.

So iptables won't be deleted for now. We only use 1 iptables rule, so the performance is not a problem in this case.
However if we wanted to add lists of IPs/domains to block, then yes, we should use nftables/XDP.

For that purpose ipset is another option, well supported in all kernels, and with netlink support, which is a plus for not depending on external binaries.
http://ipset.netfilter.org/index.html
https://github.com/firehol/blocklist-ipsets
https://iplists.firehol.org/

[NRGLine4Sec]

Thank you @gustavo-iniguez-goya for your quick response.
I don't know about ipset, I will take a look into it.