
Re: Network services fail on startup



Andrei POPESCU wrote: 
> On Tue, 14 Jul 20, 07:11:39, Dan Ritter wrote:
> > The way to handle a giant blocklist efficiently is ipset, which manipulates
> > large groups of IPs that will be matched for a particular rule.
> 
> Disclaimer: I'm not an expert on either iptables or nftables, this is 
> just based on some documentation I read.
> 
> As far as I understand, while iptables (in buster) is indeed a frontend 
> to nftables, nftables has new features that are not usable with iptables 
> syntax.
> https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
> 
> In particular regarding ipset, this page suggests manual translation is 
> necessary:
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_ipset_to_nftables


You are correct in all regards, but you are also not taking the
next, necessary step.

A firewall which is currently using iptables can be rewritten to
use iptables and ipset; or it can be rewritten to use nftables
with ipset. In either case, ipset is the correct tool; it just
changes syntax in between versions, so to avoid duplicating
effort, one might prefer to make one conversion rather than two.

-dsr-
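The ipset-to-nftables translation that the linked wiki page says must be done by hand, as an added shell example that is not part of this thread: it converts a constructed `ipset save` dump into an nftables ruleset that uses a native set instead of ipset. The `ipset_to_nft` function, the table name and the sample addresses are assumptions, not taken from the list.

```shell
#!/bin/sh
# Constructed sample of `ipset save` output (not from the thread): a hash:net
# set that the old ruleset matched with
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
SAMPLE_IPSET_DUMP='create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.0/24
add blocklist 198.51.100.7
add blocklist 203.0.113.0/25'

# ipset_to_nft TABLE: read `ipset save` lines on stdin and print an nftables
# ruleset with an equivalent native set plus one drop rule that matches source
# addresses against it (nft keeps the set in the kernel; no ipset is needed).
ipset_to_nft() {
    awk -v table="${1:-filter}" '
        # The create line gives the set name and address family; hash:net
        # holds CIDR prefixes, which an nft set needs "flags interval" for.
        $1 == "create" {
            name = $2; fam = "inet"
            for (i = 3; i <= NF; i++) if ($i == "family") fam = $(i + 1)
            type = (fam == "inet6") ? "ipv6_addr" : "ipv4_addr"
            proto = (fam == "inet6") ? "ip6" : "ip"
            next
        }
        # Each add line becomes one set element; per-entry options such as
        # "timeout" are ignored here and would need the nft set to carry them.
        $1 == "add" && $2 == name {
            elems = (elems == "") ? $3 : elems ", " $3
            next
        }
        END {
            printf "table inet %s {\n\tset %s {\n\t\ttype %s\n\t\tflags interval\n", table, name, type
            if (elems != "") printf "\t\telements = { %s }\n", elems
            printf "\t}\n\tchain input {\n\t\ttype filter hook input priority 0; policy accept;\n"
            printf "\t\t%s saddr @%s drop\n\t}\n}\n", proto, name
        }'
}

# Demo: the translated ruleset can be reviewed and then loaded with `nft -f`.
printf '%s\n' "$SAMPLE_IPSET_DUMP" | ipset_to_nft filter
```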

