SCIENTIFIC-LINUX-USERS Archives

October 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Mark Stodola <[log in to unmask]>
Reply To: Mark Stodola <[log in to unmask]>
Date: Mon, 21 Oct 2013 10:48:45 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (72 lines)

On 10/21/2013 10:34 AM, Yasha Karant wrote:
> On 10/21/2013 01:07 AM, Steven Haigh wrote:
>> On 21/10/2013 4:09 AM, Henrique C. S. Junior wrote:
>>> As reported in Slashdot[1] in the near future iptables is going to be
>>> replaced by NFTables in the linux kernel. The project[2] is said to be a
>>> new and best package filtering framework.
>>> Have any of you, guys, tried it already and have some experiences to
>>> share?
>>
>> Does it matter? EL6 won't ever have NFTables support.
>>
>> EL7 probably won't either. Don't stress and keep doing what you're doing.
>>
>
> Perhaps someone familiar with the choices made by TUV will clarify the
> above statement: EL7 probably won't either.
>
> SL and other TUV re-distributors of EL simply build and re-package the
> TUV product (removing the logos and non-open copyrighted material, but
> keeping all of the internal TUV developer statements -- the actual name
> of TUV, that evidently is taboo on this list, is plastered all over the
> source code for EL). Thus, the decision as to which family of Linux
> kernels to use is a TUV decision.
>
Red Hat Enterprise Linux!  It isn't taboo, just takes longer to type than 
TUV.  Their trademarks must be removed from documentation and 
distributed materials.  Internet discussions really don't matter.

> However, as fundamental new functionality, or repackaging of existing
> functionality with a new API, is incorporated into the Linux kernel --
> not in an experimental way that may be removed, but in the "stable
> production" released version - the high reliability approach requires
> that the kernel receives extensive field testing (as happens with
> Fedora) as well as stress testing and internal hardening against threats
> and compromises that may not be as needed in an enthusiast distribution.
>
> Nonetheless, once a major change (e.g., NFTables replacing iptables) is
> done in the base source, the production enterprise version must reflect
> the change -- and in less than a decade. Why less than a decade? Unless
> there is a fully backward compatible set of APIs, new applications and
> revisions typically use the current not historical APIs. Presumably,
> there will be NFTables features that application developers will use
> that have no iptables backport.
>
If one takes the time to read up on NFTables (e.g. the articles 
previously linked), they would find that there is an iptables 
compatibility layer under development alongside this new project.

> Thus -- how long is the delay? Typically, are two major releases (e.g.,
> NFTables in EL8) the usual delay? Does anyone have historical data from
> EL/TUV?
>

Like was previously said.  I wouldn't get flustered or worked up over 
this.  NFTables has been in the works for 4 years and is just making it 
into a forked development tree (not mainline) and it will be some time before 
it trickles into the enterprise.  Look at how far ahead KDE, Gnome, and 
other technologies are from the current SL6 offering for comparison.

-Mark


-- 
Mr. Mark V. Stodola
Senior Control Systems Engineer

National Electrostatics Corp.
P.O. Box 620310
Middleton, WI 53562-0310 USA
Phone: (608) 831-7600
Fax: (608) 831-9591
