2025-02-03, 17:15–17:40, B.Con (Overflow + Main)
As nftables becomes the standard for Linux packet filtering, we can efficiently automate Linux firewalls across multiple protocol layers. This session introduces a Rust-based SDK for nftables automation, covering programmatic options, practical applications, and insights from real-world implementations. Attendees will learn about nftables’ capabilities, common challenges in automation, and how lessons from Rust can apply across other languages and automation frameworks.
With nftables now serving as the default packet filtering framework in modern Linux systems, the landscape of network and firewall automation is undergoing significant transformation. This session delves into the current state of programmatically directing nftables, highlighting the development of a Rust-based SDK for firewall automation.
We will explore the various options available for automating nftables, discussing their capabilities and limitations. Drawing from the experience of building an SDK and an experimental network security appliance in Rust, we'll share insights on the challenges faced and lessons learned, including how these concepts can be adapted to other programming languages.
The talk will feature real-world applications such as "pixel walls," container engine integrations, and authenticated port knockers, demonstrating the practical potential of nftables automation. We'll also address common pitfalls encountered in this space and provide strategies to navigate them effectively.
Jasper Wiegratz is a Solution Architect at SVA System Vertrieb Alexander GmbH with a background in network security and a strong focus on automation.
With experience developing OpenWRT-based security appliances in academia, Jasper has been working with containers since 2015 and has specialized in OpenShift since 2018. Passionate about simplifying complex systems, Jasper is dedicated to advancing network automation and firewall management in Linux environments.
https://www.linkedin.com/in/wiegratz/