Disagree - practically every single kernel feature is configured from userland. Kernel provides filesystem, but userland calls "mount". Kernel routes packets, but userland sets up interfaces. Even something as direct as loading a device driver is now mediated by udev in userland. And yet, we say that filesystems, routing and device drivers all live in the kernel.
(Also a note to the author on the post itself: it seems like the post is unsure what its purpose is. It could be a cool overview of how firewall config works, or a thought piece about configuration boundaries, or a warning about unexpected interaction between kernel and privileged daemons... but right now it's kind of a mix of all of those and it makes it a bit hard to read. Maybe trust LLMs less and apply more human guidance when writing the posts?)
becker63•1h ago
This came out of building a structured fuzzer around libnftnl and trying to understand where firewall semantics actually get fixed in the stack.
Curious how this lines up with others’ mental models of nftables.