[ale] rsync without ssh quick tutorial

Michael B. Trausch mbt at naunetcorp.com
Tue Jan 20 23:57:24 EST 2015


On 01/20/2015 07:55 PM, Jim Lynch wrote:
> I'm with you.  Systemd and now this?  When will it end?
>
> I'm all for making things better, but isn't this just making things
> different?

No... this reduces the code size of the kernel, and reduces the
userspace complexity required for implementation. It also enables the
kernel to be in an embedded device, with the rules on some very small
storage that is more easily updated.  100% of the filtering capabilities
required for all protocols that have ever existed or will exist in the
future are already supported by nftables, because nftables is *just* a
filtering engine.

The current iptables/ip6tables/ebtables/arptables tools require
extensions to implement common functionality: connection tracking (used
for stateful firewall rules), masquerading/NAT, and more complex things.

A new RFC which provides a standardized method of dealing with a complex
filtering problem can be implemented *the same day* it is published with
nftables.  With iptables/ip6tables/ebtables/arptables, that's an
unknown—what if the RFC talks about an implementation which provides
IPX<->IP protocol translation?  Or IP6<-->IP10?  The kernel already
makes it possible to implement a new Layer 3 in userspace, why not the
ability to filter it without updating the kernel as well?

    — Mike
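As an added illustration (not part of Mike's message or anything else in the Ale thread), here is an nftables ruleset that does the two things the reply says iptables only gets through extension modules: stateful filtering via `ct state` and source NAT via `masquerade`. The interface names eth0/eth1 and the SSH port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post). Assumes eth0 is
# the upstream interface and eth1 the LAN side; adjust to taste.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Connection tracking is part of the engine: no "-m conntrack"
        # extension as with
        #   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state invalid drop
        ct state established,related accept

        iif lo accept
        # Management access (assumed: SSH on 22); everything else hits policy drop
        tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only LAN-originated flows may cross to the upstream interface
        iifname "eth1" oifname "eth0" accept
    }
}

table ip nat {
    chain postrouting {
        # Equivalent of
        #   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Validate the file without applying it using `nft -c -f rules.nft`, then load it with `nft -f rules.nft`.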
