Wayland protocol for "Sensitive" Areas? (passwords etc)
I'm curious if this is a thing, I came across this post showing how apple devices will just straight up not show areas of the screen that have information like your passwords if you take a screenshot or screen record. Some wayland compositors have the option to exclude entire windows from screen capture but I'm not sure if theres anything like this where a client could say "hey, there's a plaintext password in this box, don't display it in screen captures please :)".
https://redd.it/1lf57yg
@r_linux
I'm curious if this is a thing, I came across this post showing how apple devices will just straight up not show areas of the screen that have information like your passwords if you take a screenshot or screen record. Some wayland compositors have the option to exclude entire windows from screen capture but I'm not sure if theres anything like this where a client could say "hey, there's a plaintext password in this box, don't display it in screen captures please :)".
https://redd.it/1lf57yg
@r_linux
Reddit
From the notinteresting community on Reddit: Apple devices hide passkeys if you take a screenshot of them
Explore this post and more from the notinteresting community
Notification daemon for modern Wayland compositors
Last year, a friend and I started a project — a notification daemon designed specifically for modern Wayland compositors, built entirely in Rust. After about a year of work, we created something truly usable and with features we’re proud of. I’ve been running it as my daily notification daemon since early on, so it’s not just a prototype — it’s solid and practical.
But after pushing hard for so long, we hit a serious burnout a couple months ago. Since then, the project’s been quiet — no new updates, no big release. We wanted to finish all the core features and release a 0.1 version with a big announcement, but that never happened.
I’m sharing this now because, even if I can’t keep working on it, I want the community to know it exists. Maybe someone out there will find it useful, or maybe it’ll inspire others to do something similar or even pick it up.
If you’re interested, you can check it out here: https://github.com/noti-rs/noti.git
Thanks for reading — it’s tough to share something so personal and unfinished, but I hope it’s not the end for this project.
https://redd.it/1lf5bm5
@r_linux
Last year, a friend and I started a project — a notification daemon designed specifically for modern Wayland compositors, built entirely in Rust. After about a year of work, we created something truly usable and with features we’re proud of. I’ve been running it as my daily notification daemon since early on, so it’s not just a prototype — it’s solid and practical.
But after pushing hard for so long, we hit a serious burnout a couple months ago. Since then, the project’s been quiet — no new updates, no big release. We wanted to finish all the core features and release a 0.1 version with a big announcement, but that never happened.
I’m sharing this now because, even if I can’t keep working on it, I want the community to know it exists. Maybe someone out there will find it useful, or maybe it’ll inspire others to do something similar or even pick it up.
If you’re interested, you can check it out here: https://github.com/noti-rs/noti.git
Thanks for reading — it’s tough to share something so personal and unfinished, but I hope it’s not the end for this project.
https://redd.it/1lf5bm5
@r_linux
GitHub
GitHub - noti-rs/noti: Modern desktop notification daemon
Modern desktop notification daemon . Contribute to noti-rs/noti development by creating an account on GitHub.
Ban 'AI' generated posts
LLM generated posts are becoming the worst type of spam on here and it's only going to get worse.
We need a rule banning them. I stated this in a more polite way in my previous post but it was auto-deleted as breaking rule 1, which it did not.
LLM posts add nothing to the forum, take five seconds to generate with no thought or effort on the part of the OP and waste the time of people who don't recognise them for what they are. They're usually very lengthy as well, which compounds the issue.
https://redd.it/1lf6m6p
@r_linux
LLM generated posts are becoming the worst type of spam on here and it's only going to get worse.
We need a rule banning them. I stated this in a more polite way in my previous post but it was auto-deleted as breaking rule 1, which it did not.
LLM posts add nothing to the forum, take five seconds to generate with no thought or effort on the part of the OP and waste the time of people who don't recognise them for what they are. They're usually very lengthy as well, which compounds the issue.
https://redd.it/1lf6m6p
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
PSA: XWayland doesn't have to be blurry on GNOME
A lot of us who run GNOME Wayland try to avoid XWayland apps, because they're blurry when using DPI scaling.
Well, it turns out that since GNOME 47 (I think), GNOME has had a fix for this, it's just disabled by default. To enable the fix, follow these steps:
1. Open Terminal and run:
2. Log out and back in again
Your XWayland apps like Electron apps, Steam, LMMS, etc etc. should now work great.
Note: if text in Steam is too small, go to Steam Settings -> Interface and enable "Scale text and icons to match monitor settings".
You can check what version of GNOME you're using by going to Settings -> System -> About -Y System Details. It should have an entry called "GNOME Version". For me, it shows GNOME Version: 48, and Windowing System: Wayland.
If you're on KDE, you don't need to do anything, since KDE has had this fix implemented and enabled by default for ages now. I'm hoping GNOME will enable it by default soon.
https://redd.it/1lf8taf
@r_linux
A lot of us who run GNOME Wayland try to avoid XWayland apps, because they're blurry when using DPI scaling.
Well, it turns out that since GNOME 47 (I think), GNOME has had a fix for this, it's just disabled by default. To enable the fix, follow these steps:
1. Open Terminal and run:
gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer', 'xwayland-native-scaling']"2. Log out and back in again
Your XWayland apps like Electron apps, Steam, LMMS, etc etc. should now work great.
Note: if text in Steam is too small, go to Steam Settings -> Interface and enable "Scale text and icons to match monitor settings".
You can check what version of GNOME you're using by going to Settings -> System -> About -Y System Details. It should have an entry called "GNOME Version". For me, it shows GNOME Version: 48, and Windowing System: Wayland.
If you're on KDE, you don't need to do anything, since KDE has had this fix implemented and enabled by default for ages now. I'm hoping GNOME will enable it by default soon.
https://redd.it/1lf8taf
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
'It’s True, “We” Don’t Care About Accessibility on Linux' — TheEvilSkeleton
https://tesk.page/2025/06/18/its-true-we-dont-care-about-accessibility-on-linux/
https://redd.it/1lfbsij
@r_linux
https://tesk.page/2025/06/18/its-true-we-dont-care-about-accessibility-on-linux/
https://redd.it/1lfbsij
@r_linux
TheEvilSkeleton
It’s True, “We” Don’t Care About Accessibility on Linux
What do concern trolls and privileged people without visible or invisible disabilities who share or make content about accessibility on Linux being trash without contributing anything to projects have in common? They don’t actually really care about the group…
The danish also decided to move to Linux
Recently, The Danish Ministry of Digitilisation has decided to move to linux, and abandon windows.
The reasoning behind this move is because the DMD (Danish Ministry of Digitilisation) wanted better control, "independant sovereignty" & a less annoying experience of their Operating System.
Primarily, they wanted to have better control of their operating system and decided to switch to an open source alternative. They are specificaly switching to LibreOffice's branch, as it "just fits their needs" for their work. The DMD primarily want more control of their Data, Cloud services and Data infrastructure.
https://redd.it/1lfd6h7
@r_linux
Recently, The Danish Ministry of Digitilisation has decided to move to linux, and abandon windows.
The reasoning behind this move is because the DMD (Danish Ministry of Digitilisation) wanted better control, "independant sovereignty" & a less annoying experience of their Operating System.
Primarily, they wanted to have better control of their operating system and decided to switch to an open source alternative. They are specificaly switching to LibreOffice's branch, as it "just fits their needs" for their work. The DMD primarily want more control of their Data, Cloud services and Data infrastructure.
https://redd.it/1lfd6h7
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Slow NVMe Write speed with BTRFS and Kernel 6.15.2
I recently bought a NVMe M.2 SSD and well, it works great, except that the writing speed is EXTREMELY LOW. Doing tests I noted that this is a bug with the latest kernel 5.12.2 with BTRFS.
Arch Linux with kernel 6.15.2 and 6.12.33 LTS, Windows 11 24H2
My tests with KDiskMark 3.1.4 (FIO 3.35) and CrystalDiskMark 9.0.0 resulted on:
Kernel 6.15.2
Reading speed: an average of 4700 MB/s
Writing speed: an average of 770 MB/s
Kernel 6.12.33 LTS
Reading speed: an average of 4800 MB/s
Writing speed: 4200 MB/s
Windows 11
Reading speed: an average of 5200 MB/s
Writing speed: an average of 4800 MB/s
All these tests I did using the preset SEQ1M Q8T1, both on KDiskMark and CrystalDiskMark. I also ran more tests with a separated 10gb partition on this NVMe with different file systems and the results where: (All tests bellow was made with the kernel 6.15.2)
NTFS Partition (The same I used to run the test on Windows)
Reading: 4500 MB/s
Writing: 4400 MB/s
EXT4 Partition
Reading: 4900 MB/s
Writing: 4600 MB/s
BTRFS Partition
Reading: 4500 MB/s
Writing: 760 MB/s
More info:
Since this SSD I use for my system all these tests except for the separated partition where made in my home directory, Windows I use on another SATA SSD so Windows isn't installed on the NVMe, this might or might not make an advantage in favor of Windows, idk, this is not a comparison to blame Linux or something like this as I daily drive Linux and not Windows. Anyways, I hope this gets fixed soon! Also sorry if something in this post is confusing or wrong, English is not my primary language!
My PC specs in case that matters:
CPU: AMD Ryzen 5 5600
GPU: RX 7600
RAM: 32GB 2666 Mhz
Disks: NVME KOOTION X16 1TB 5000MB/S, SSD SanDisk Ultra, HDD Seagate 2TB
MOBO: Gigabyte Aorus Elite B550M
https://redd.it/1lfbijg
@r_linux
I recently bought a NVMe M.2 SSD and well, it works great, except that the writing speed is EXTREMELY LOW. Doing tests I noted that this is a bug with the latest kernel 5.12.2 with BTRFS.
Arch Linux with kernel 6.15.2 and 6.12.33 LTS, Windows 11 24H2
My tests with KDiskMark 3.1.4 (FIO 3.35) and CrystalDiskMark 9.0.0 resulted on:
Kernel 6.15.2
Reading speed: an average of 4700 MB/s
Writing speed: an average of 770 MB/s
Kernel 6.12.33 LTS
Reading speed: an average of 4800 MB/s
Writing speed: 4200 MB/s
Windows 11
Reading speed: an average of 5200 MB/s
Writing speed: an average of 4800 MB/s
All these tests I did using the preset SEQ1M Q8T1, both on KDiskMark and CrystalDiskMark. I also ran more tests with a separated 10gb partition on this NVMe with different file systems and the results where: (All tests bellow was made with the kernel 6.15.2)
NTFS Partition (The same I used to run the test on Windows)
Reading: 4500 MB/s
Writing: 4400 MB/s
EXT4 Partition
Reading: 4900 MB/s
Writing: 4600 MB/s
BTRFS Partition
Reading: 4500 MB/s
Writing: 760 MB/s
More info:
Since this SSD I use for my system all these tests except for the separated partition where made in my home directory, Windows I use on another SATA SSD so Windows isn't installed on the NVMe, this might or might not make an advantage in favor of Windows, idk, this is not a comparison to blame Linux or something like this as I daily drive Linux and not Windows. Anyways, I hope this gets fixed soon! Also sorry if something in this post is confusing or wrong, English is not my primary language!
My PC specs in case that matters:
CPU: AMD Ryzen 5 5600
GPU: RX 7600
RAM: 32GB 2666 Mhz
Disks: NVME KOOTION X16 1TB 5000MB/S, SSD SanDisk Ultra, HDD Seagate 2TB
MOBO: Gigabyte Aorus Elite B550M
https://redd.it/1lfbijg
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
13 Useful GNOME Shell Extensions for a Better Desktop Experience (Available in the official Debian repositories or on the GNOME Extensions website for other distributions)
https://www.jamescherti.com/gnome-shell-extensions-to-install-from-apt-debian-repositories/
https://redd.it/1lfgcep
@r_linux
https://www.jamescherti.com/gnome-shell-extensions-to-install-from-apt-debian-repositories/
https://redd.it/1lfgcep
@r_linux
Liberux Nexx: An interview with Liberux about their made-in-EU OSHW Linux Phone
https://linmob.net/liberux-nexx-an-interview-with-liberux/
https://redd.it/1lfmitn
@r_linux
https://linmob.net/liberux-nexx-an-interview-with-liberux/
https://redd.it/1lfmitn
@r_linux
LINux on MOBile
Liberux Nexx: An interview with Liberux about their made-in-EU OSHW Linux Phone
As you may have heard or rather read, the Spanish company Liberux recently launched a crowdfunder for their new mainline Linux
Fwupd 2.0.12 Released With More Intel Battlemage GPUs & HP USB-C Hub Supported
https://www.phoronix.com/news/Fwupd-2.0.12-Released
https://redd.it/1lfpach
@r_linux
https://www.phoronix.com/news/Fwupd-2.0.12-Released
https://redd.it/1lfpach
@r_linux
Phoronix
Fwupd 2.0.12 Released With More Intel Battlemage GPUs & HP USB-C Hub Supported
Richard Hughes of Red Hat just released Fwupd 2.0.12 as the newest version of this open-source firmware updating utility that pairs with the Linux Vendor Firmware Service (LVFS) for a nice Linux system/device firmware updating experience.
Where does this fit in the Linux stack?
So I was reading the issue-thread about KDE Plasma adapting to the recent EU requirements about accessibility. And avoiding users accidentally creating situations that could trigger photosensitive epilepsy sounded difficult.
This made me think - hypothetically speaking - in which part of a modern (e.g. KDE-based) Linux distro could an OS-level universal photo sensitivity filter be implemented 🤔? I.e. an optional tool where successive frames are analyzed and if a danger level threshold is crossed, a mitigation procedure is triggered. That procedure could be freezing/skipping frames, morphing between frames more slowly, or displaying a warning overlay/watermark).
Can this be a regular user app? Does it require changes to some part of the rendering stack?
Based on googling for 5 min, I found:
[this](https://trace.umd.edu/peat/) mention of University of Maryland having a fully open-source detection tool in the works:
>We are working on a new fully-open-source version that will be updated for new technologies (the current version is open-source except for a proprietary analysis engine we purchased the rights to use). It will also be free to use. No ETA for it as yet.
some Github repo searches: 1 2
one of the more promising results: [3](https://github.com/Pi-0r-Tau/Epilepsy-Active-protection-Extension-)
that searching for "epilepsy detection" gives a lot of "noise" in projects doing health tracking for detection of an epileptic fit.
I'm hoping someone is inspired to dig into making this or I get pointers which issue tracker or forum to take this towards 🙏
Maybe Linux can get another trailblazer win, Apple can copy it and get admired as innovative for it, and we get the smug "um akshually ☝️". But the world would still be better than before 😌
https://redd.it/1lfuhgm
@r_linux
So I was reading the issue-thread about KDE Plasma adapting to the recent EU requirements about accessibility. And avoiding users accidentally creating situations that could trigger photosensitive epilepsy sounded difficult.
This made me think - hypothetically speaking - in which part of a modern (e.g. KDE-based) Linux distro could an OS-level universal photo sensitivity filter be implemented 🤔? I.e. an optional tool where successive frames are analyzed and if a danger level threshold is crossed, a mitigation procedure is triggered. That procedure could be freezing/skipping frames, morphing between frames more slowly, or displaying a warning overlay/watermark).
Can this be a regular user app? Does it require changes to some part of the rendering stack?
Based on googling for 5 min, I found:
[this](https://trace.umd.edu/peat/) mention of University of Maryland having a fully open-source detection tool in the works:
>We are working on a new fully-open-source version that will be updated for new technologies (the current version is open-source except for a proprietary analysis engine we purchased the rights to use). It will also be free to use. No ETA for it as yet.
some Github repo searches: 1 2
one of the more promising results: [3](https://github.com/Pi-0r-Tau/Epilepsy-Active-protection-Extension-)
that searching for "epilepsy detection" gives a lot of "noise" in projects doing health tracking for detection of an epileptic fit.
I'm hoping someone is inspired to dig into making this or I get pointers which issue tracker or forum to take this towards 🙏
Maybe Linux can get another trailblazer win, Apple can copy it and get admired as innovative for it, and we get the smug "um akshually ☝️". But the world would still be better than before 😌
https://redd.it/1lfuhgm
@r_linux
GitLab
Demonstrate compliance with EU Directive 2019/882 (#30) · Issues · Teams / Accessibility / Collaboration · GitLab
What it is This thing: https://www.legislation.gov.uk/eudr/2019/882#:~:text=This%20Directive%20promotes%20full%20and,needs%20of%20persons%20with%20disabilities In a nutshell, it says that your...
is there any use for TPM on Linux?
Like the noscript suggests, I’m curious if there is any need or use for a TPM module. I’ve read enough that the module provides encryption. Is there any difference between TPM encryption and something like LUKS? And would TPM provide as much use as any other form of encryption?
https://redd.it/1lfvklv
@r_linux
Like the noscript suggests, I’m curious if there is any need or use for a TPM module. I’ve read enough that the module provides encryption. Is there any difference between TPM encryption and something like LUKS? And would TPM provide as much use as any other form of encryption?
https://redd.it/1lfvklv
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Is it just me or is using a tiling window manager on a laptop painful without an external keyboard?
Hey folks,
I've been trying to get into tiling window managers (i3, Hyprland, etc.) because I love the idea of efficiency, keyboard-driven control, and a minimal setup. But honestly, using them on a laptop feels like a struggle.
My biggest issue? The keyboard is right up against the screen, and I constantly find myself hunched over or hitting the wrong keys because of the cramped layout. It feels awkward trying to do all these hotkey combos without a proper distance between me and the screen. And don't get me started on using Super + arrow or Super + shift + something combos while squished up against a 14-inch display.
It almost feels like tiling WMs are made for desktops with external keyboards and big monitors. Anyone else feel the same? Am I missing some ergonomic trick, or is an external keyboard just mandatory for a good experience?
Would love to hear how you laptop-only users manage it.
https://redd.it/1lg06ec
@r_linux
Hey folks,
I've been trying to get into tiling window managers (i3, Hyprland, etc.) because I love the idea of efficiency, keyboard-driven control, and a minimal setup. But honestly, using them on a laptop feels like a struggle.
My biggest issue? The keyboard is right up against the screen, and I constantly find myself hunched over or hitting the wrong keys because of the cramped layout. It feels awkward trying to do all these hotkey combos without a proper distance between me and the screen. And don't get me started on using Super + arrow or Super + shift + something combos while squished up against a 14-inch display.
It almost feels like tiling WMs are made for desktops with external keyboards and big monitors. Anyone else feel the same? Am I missing some ergonomic trick, or is an external keyboard just mandatory for a good experience?
Would love to hear how you laptop-only users manage it.
https://redd.it/1lg06ec
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Looking for Linux smartphone for tinkering and maybe daily use. (EU)
So I want to try Linux smartphone, but I don't which one I should pick. I want to use it as tinkering phone and maybe use it daily. I also like to try out thinks. I only like to have a phone that I can with € and not the too overpriced. But it's also ok if not € or too expensive.
Edit: Also I found the OnePlus 6 and 6 and google pixel 3a and now I don't which is the best.
https://redd.it/1lg4cjm
@r_linux
So I want to try Linux smartphone, but I don't which one I should pick. I want to use it as tinkering phone and maybe use it daily. I also like to try out thinks. I only like to have a phone that I can with € and not the too overpriced. But it's also ok if not € or too expensive.
Edit: Also I found the OnePlus 6 and 6 and google pixel 3a and now I don't which is the best.
https://redd.it/1lg4cjm
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Shoutout to nftables. Finally switched and never looking back.
Most people in the linux space has heard of nftables, or are vaguely aware of it's existence. If you're like me you probably thought something like "One day I'll go see what that's about". Recently I did that. I had to set up a router-like VM with some some fairly non standard firewalling. Nftables made this incredibly easy to do and understand. But before I continue singing it's praises, I'm not advocating anyone switching if whatever you are using is working. If your ufw/shorewall/firewalld/iptables setup is working and you are happy, keep on winning!
But if you're like me when you have to deal with firewalling and you always get a little feeling of "I am fairly sure I did this right, but I'm not super confident that it's precisely doing what I want." Or you set some firewall up and you aren't sure if it really is totally protecting you, then nftables is for you. Of course you can still make an insecure firewall setup with nftables, but what I am getting at is it makes the configuration a lot easier, and has much less of a mental burden for me, personally.
If you've done a bit of firewalling, particularly iptables, you can pick it up fairly quickly. I'd recommend going through their wiki in it's entirety, and the Red Hat docs on nftables is also pretty good.
But what I like about it is that it looks like most distro's I've checked it comes with a config file and a systemd unit that loads it on startup. A config file is nice for me because it makes life easier for me when I am using configuration management.
The config file also in my opinion seems simpler than what you'd get with iptables-save and the UFW files. Shorewall just confused me, but that's just a me problem. I haven't personally tried firewalld.
nftables has atomic config reloading. `nft -f /file/name`. If your config is valid, it will apply it. If not, it will keep the old config, no weird states. I know this isn't particularly spectacular, but It's nice.
nftables is pretty simple but it is incredibly powerful in my experience. Which means for me if I want a simple firewall setup, the config is going to be easy to read, and if I've got something complex, I don't have to reach for any other tools to get the job done.
Possibly the best feature in my limited opinion so far is sets and maps, and the ability to put expiry on them. These allow you to dynamically alter your firewall's behavior at "runtime" without reloading the firewall config. You can have lists of IPs in an allow list, or invert it and you have a deny list. You can do all kinds of crazy things with maps and sets.
For instance we had a client who wanted things blacklisted and whitelisted. Easy enough, with almost any firewall tech, but I like the fact that I could define a set in my config, and then the actual rule looks something like
You can then modify the set using code or cli commands, and your firewall's behavior will change accordingly, and you don't have to worry about possibly messing up a rule.
What sold me though was when the client came up with the requirement to have allowlists based on hostnames. As most of us know these days, and sort of large website is littered with CDN's for loading assets, JS, and all sorts of things. And CDN DNS usually has a TTL of 10s, their IPs change constantly and this would just be a pain to manage with most firewalling things I've used. But nftables made it a breeze. I set up a set of ip addresses, with a few minutes expiry, and just made a simple cron job to resolve the CDN hostnames and put the IPs in the set with an expiry. If IPs are added again, the expiry is refreshed. If they aren't seen again, eventually they are evicted from the list. This worked flawlessly and even the most wild CDNs are still accessible, giving our clients a very much not broken website to work with.
I had a similar setup with some of their hosts going through the routing VM that have to have different firewall rules based on what groups they
Most people in the linux space has heard of nftables, or are vaguely aware of it's existence. If you're like me you probably thought something like "One day I'll go see what that's about". Recently I did that. I had to set up a router-like VM with some some fairly non standard firewalling. Nftables made this incredibly easy to do and understand. But before I continue singing it's praises, I'm not advocating anyone switching if whatever you are using is working. If your ufw/shorewall/firewalld/iptables setup is working and you are happy, keep on winning!
But if you're like me when you have to deal with firewalling and you always get a little feeling of "I am fairly sure I did this right, but I'm not super confident that it's precisely doing what I want." Or you set some firewall up and you aren't sure if it really is totally protecting you, then nftables is for you. Of course you can still make an insecure firewall setup with nftables, but what I am getting at is it makes the configuration a lot easier, and has much less of a mental burden for me, personally.
If you've done a bit of firewalling, particularly iptables, you can pick it up fairly quickly. I'd recommend going through their wiki in it's entirety, and the Red Hat docs on nftables is also pretty good.
But what I like about it is that it looks like most distro's I've checked it comes with a config file and a systemd unit that loads it on startup. A config file is nice for me because it makes life easier for me when I am using configuration management.
The config file also in my opinion seems simpler than what you'd get with iptables-save and the UFW files. Shorewall just confused me, but that's just a me problem. I haven't personally tried firewalld.
nftables has atomic config reloading. `nft -f /file/name`. If your config is valid, it will apply it. If not, it will keep the old config, no weird states. I know this isn't particularly spectacular, but It's nice.
nftables is pretty simple but it is incredibly powerful in my experience. Which means for me if I want a simple firewall setup, the config is going to be easy to read, and if I've got something complex, I don't have to reach for any other tools to get the job done.
Possibly the best feature in my limited opinion so far is sets and maps, and the ability to put expiry on them. These allow you to dynamically alter your firewall's behavior at "runtime" without reloading the firewall config. You can have lists of IPs in an allow list, or invert it and you have a deny list. You can do all kinds of crazy things with maps and sets.
For instance we had a client who wanted things blacklisted and whitelisted. Easy enough, with almost any firewall tech, but I like the fact that I could define a set in my config, and then the actual rule looks something like
ip daddr \@blocklist drop You can then modify the set using code or cli commands, and your firewall's behavior will change accordingly, and you don't have to worry about possibly messing up a rule.
What sold me though was when the client came up with the requirement to have allowlists based on hostnames. As most of us know these days, and sort of large website is littered with CDN's for loading assets, JS, and all sorts of things. And CDN DNS usually has a TTL of 10s, their IPs change constantly and this would just be a pain to manage with most firewalling things I've used. But nftables made it a breeze. I set up a set of ip addresses, with a few minutes expiry, and just made a simple cron job to resolve the CDN hostnames and put the IPs in the set with an expiry. If IPs are added again, the expiry is refreshed. If they aren't seen again, eventually they are evicted from the list. This worked flawlessly and even the most wild CDNs are still accessible, giving our clients a very much not broken website to work with.
I had a similar setup with some of their hosts going through the routing VM that have to have different firewall rules based on what groups they
were assigned in a database. Unfortunately, these groups' clients don't nearly fall in any neat CIDR that I can cordon off to apply rules to (all of them were just spread across a /16 subnet), and hosts can be moved from groups at a moments notice. So again, I just made some sets for representing the groups, a little cron that queries the database and grabs the IPs, puts them in the appropriate set with a few minutes expiry. If the client moves a host from one group to another, it will be added to the other group and expired out of the other one. Of course you can have more complex logic to do this in a better way, but for our requirements this was sufficient.
I just had some rules. Group1 jumps to this chain, all of it's rules are there, group2 jumps to a different chain, and their rules are there. And the membership of these groups are constantly updated and in sync with our database.
TL;DR: If you aren't happy with how you are doing firewalling on linux, give nftables a shot. It turned firewalling from a fear inducing "will I open a vulnerability and bankrupt my company" process, to a "Bring it on, I can make this thing as complicated as you need without hurting my brain" process.
https://redd.it/1lg62i9
@r_linux
I just had some rules. Group1 jumps to this chain, all of it's rules are there, group2 jumps to a different chain, and their rules are there. And the membership of these groups are constantly updated and in sync with our database.
TL;DR: If you aren't happy with how you are doing firewalling on linux, give nftables a shot. It turned firewalling from a fear inducing "will I open a vulnerability and bankrupt my company" process, to a "Bring it on, I can make this thing as complicated as you need without hurting my brain" process.
https://redd.it/1lg62i9
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community
Did you switch to Linux because you loved it?
I've noticed a common sentiment from many Linux users of "I switched to Linux because Windows sucks," and I don't really share that. I switched because I decided to give Linux a shot because it seemed interesting, and I ended up loving it so much that I just sorta decided to daily-drive it.
Am I alone in this? Has anyone else switched solely because they liked Linux?
https://redd.it/1lgcnt1
@r_linux
I've noticed a common sentiment from many Linux users of "I switched to Linux because Windows sucks," and I don't really share that. I switched because I decided to give Linux a shot because it seemed interesting, and I ended up loving it so much that I just sorta decided to daily-drive it.
Am I alone in this? Has anyone else switched solely because they liked Linux?
https://redd.it/1lgcnt1
@r_linux
Reddit
From the linux community on Reddit
Explore this post and more from the linux community