SCIENTIFIC-LINUX-USERS Archives

October 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Yasha Karant <[log in to unmask]>
Reply To: Yasha Karant <[log in to unmask]>
Date: Mon, 21 Oct 2013 08:34:58 -0700
On 10/21/2013 01:07 AM, Steven Haigh wrote:
> On 21/10/2013 4:09 AM, Henrique C. S. Junior wrote:
>> As reported in Slashdot[1] in the near future iptables is going to be
>> replaced by NFTables in the linux kernel. The project[2] is said to be a
>> new and best package filtering framework.
>> Have any of you, guys, tried it already and have some experiences to share?
>
> Does it matter? EL6 won't ever have NFTables support.
>
> EL7 probably won't either. Don't stress and keep doing what you're doing.
>

Perhaps someone familiar with the choices made by TUV will clarify the 
above statement:  EL7 probably won't either.

SL and other TUV re-distributors of EL simply build and re-package the 
TUV product (removing the logos and non-open copyrighted material, but 
keeping all of the internal TUV developer statements -- the actual name 
of TUV, that evidently is taboo on this list, is plastered all over the 
source code for EL).  Thus, the decision as to which family of Linux 
kernels to use is a TUV decision.

However, as fundamental new functionality, or repackaging of existing 
functionality with a new API, is incorporated into the Linux kernel -- 
not in an experimental way that may be removed, but in the "stable 
production" released version -- the high reliability approach requires 
that the kernel receives extensive field testing (as happens with 
Fedora) as well as stress testing and internal hardening against threats 
and compromises that may not be as needed in an enthusiast distribution.

Nonetheless, once a major change (e.g., NFTables replacing iptables) is 
done in the base source, the production enterprise version must reflect 
the change -- and in less than a decade.  Why less than a decade? 
Unless there is a fully backward compatible set of APIs, new 
applications and revisions typically use the current not historical 
APIs.  Presumably, there will be NFTables features that application 
developers will use that have no iptables backport.

Thus -- how long is the delay?  Typically, are two major releases (e.g., 
NFTables in EL8) the usual delay?  Does anyone have historical data from 
EL/TUV?

Yasha Karant
