nftables vs bpfilter

macleod

Well-Known Member
Aug 3, 2017
66
8
48
46
Disclaimer: I'm not trying to start a religious war :-P

As probably everyone knows, there is a generally "goodbye iptables (in fact netfilter), you served as well" fashion movement in the linux community. Redhat integrated nftables in their firewalld, Debian introduced nftables in latest buster release (on which Proxmox 6 is based) ... etc.

I was intrigued that Proxmox choose to "build" their firewall solution on bpfilter for their 6th release. I must confess that, except the part already included in tcpdump & friends, I am not very familiar with this "solution". And the general opinion (as far as I understood) is like "it should be the next successor - like ipchains > iptables > nftables > bpfilter, but it is not quite ready for full production, not necessarily because of stability, but the not-yet-implemented features".

Would you be so kind to give a little feedback about "why this decision" ? Thank you!
 
Hi,

Maybe you can start from this link.

Regards,

Ricardo Jorge

already read that article, also many other articles related to bpfilter, but still not enough feedback; this "feature" is not (yet) documented as it should be (i.e. like nftables is)
because proxmox 6 is the first big project I know to use bpfilter, I am really curious about the reasons of this choice
 
Hi,

There is another one here

The article states "... all while guaranteeing a non-disruptive transition for Linux users".

Let's wait for the response from the Proxmox staff.

Regards,

Ricardo Jorge
 
our firewall is (currently still) iptables based..
 
The new Debian 10 (stretch) has still iptables as main (and default installed) firewall tool, but with nftables support included by default. So even the old firewall will probably work without any change. And you can export as nft list ruleset (after installing nft utility). It's the best solution for compatibility, probably not the best solution for performance (YMMV, depending on the ruleset), but for that you are free to rewrite your firewall as nftables ruleset and load it with the proper tool.

As for proxmox 6, I was digging a little bit and indeed, the bpfilter modules is loaded, but unused, and old netfilter system is "in charge" (iptables is iptables-legacy). But why that "Starting bpfilter" message on the console which intrigued me initially and made me make false assumptions ? Especially because I couldn't pinpoint the source of that message (configuration or start-up scripts).

May I ask what's the roadmap for the proxmox firewall ? (no information of that kind was found on the proxmox roadmap wiki page).
Thank you!
 
our kernel ships the bpfilter module, that's where the startup message comes from. as for our plans, like @spirit said nftables is not yet there unfortunately, but once it is we will re-evaluate and possibly switch over. maybe bpfilter is already advanced and stable enough at that point to skip nftables altogether, who knows ;)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!