[ANNOUNCE] nft-sync: nftables ruleset synchronization software

[ANNOUNCE] nft-sync: nftables ruleset synchronization software

[Pablo Neira Ayuso]

Hi!

We just finished the initial codebase for a new Netfilter project in
the frame of the nftables subproject, its name is nft-sync [1].

Basically, this software aims to support two different setups:

1) Rule-set repository server. The software serves the nft rule-set to
   clients that request the ruleset. Basically from the system that acts
   as repository, you have to run:

 # nft-sync -c ../contrib/nft-sync.conf.server

Then, from the client:

 # nft-sync -c ../contrib/nft-sync.conf.client --fetch

Which displays the nft rule-set in the standard output, so you can
inspect the nft rule-set.  Alternatively, the client can also retrieve
and apply the nft rule-set using the pull command instead:

 # nft-sync -c ../contrib/nft-sync.conf.client --pull

[ Note that this command above does not work in this bootstrap yet ]

2) Rule-set synchronization: In case of primary-backup and
   multiprimary firewall configurations, the software makes sure that the
   firewall cluster is deploying the same filtering policy. In this case,
   you have to launch the process:

 # nft-sync -c ../contrib/nft-sync.conf --sync

[ Note that this command above does not work in this bootstrap yet ]

This bootstrap provides the basic infrastructure as a
proof-of-concept. Many of the necessary features are still lacking:

* Implement --sync and --pull commands.
* SSL support, specifically the repository mode needs it to make sure
  nobody can evesdrop your filtering policy from the network too
  easily.
* IPv6 support.
* Allow to serve different rule-sets in the repository mode.

And many others that will be added progressively.

I would like to thank the NLnet Foundation [2] for sponsoring the
bootstrap of nft-sync.

[1] http://git.netfilter.org/nft-sync/
[2] http://nlnet.nl