IMO Linux is significantly better than the *BSDs at this particular use case.

Check out https://blog.cloudflare.com/l4drop-xdp-ebpf-based-ddos-mitig...

and:

https://github.com/xdp-project/xdp-tools

But don’t have to cobble together a bunch of arcane iptables commands and then combine bpf and other userland tools … when one can just use the clean syntax of PF especially for home use that’s a clear win.

I've used both extensively and I find eBPF+iptables (and sometimes nft) significantly more flexible and easier to use in the real world (not just simple examples) than PF. shrug

Do you have a sample or blogpost of how your setup looks? I’m keen to see how folks are using eBPF in the personal firewall space

> But don’t have to cobble together a bunch of arcane iptables commands

If you did manage to figure out the iptables commands you now have to change them over to nftables. :)

No, iptables is a perfectly functional nftables frontend

Not having to manage two rulesets -- one for IPv4 and one for IPv6 -- is pretty well a killer feature in my mind.

nftables is now almost 10 years old! It's time to forget the bad experiences with iptables.

I have -- I let the OpenBSD firewalls take care of it :P

Seriously though it's something I need to get familiar with, I do still have plenty of Linux boxes that face the public Internet and are currently dependent on iptables/ip6tables rulesets. The problem is I'm currently masking that pain with Ansible.

Linux certainly offers much better functionality overall but the tooling for this is a poorly documented and inconsistent nightmare.

There is definite lack of a declarative tool that glues it all.

Typical hardware switches and routers just have one (sometimes expanded by includes/macros but still) config syntax to control every part of networking stack.

So you can configure interface and set its vlans all in one place instead of creating a dozen of ethX.Y devices then crerating a bunch of brY bridges and then attaching the interfaces to them

In linux instead you'd be using iproute2 set of tools to configure interfaces and static routing, iptables for IP ACLs, ebtables for ethernet ACLs (or now nftables I guess), without any tool to apply/revert changes at once

Many tried doing that but IMO haven't seen anything good.

Many also try to "simplify" iptables and all it ends up is me being annoyed coz I know which iptables commands I need to run but I need to translate it back into "higher" level config syntax. One exception being ferm ( http://ferm.foo-projects.org/ ), because it keeps iptables-like keywords just expands on that, but it is iptables only and kinda superseded by nftables syntax anyway.

iptables/ebtables is deprecated even in RHEL. While people are free to continue not to transition to nftables complaining about problems with iptables after a decade of its replacement is a bit silly.

I would trade firewalld for pf in an instant.

Thank you, I've heard of {e,}BPF but not so much applications - thank you again!

Makes sense why I haven't seen it, came out around the time I joined $CurrentEmployer, and we're stuck a couple decades behind.