From: Phil Sutter <phil@nwl.cc>
To: Reindl Harald <h.reindl@thelounge.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: iptables user space performance benchmarks published
Date: Mon, 22 Jun 2020 16:04:50 +0200 [thread overview]
Message-ID: <20200622140450.GZ23632@orbyte.nwl.cc> (raw)
In-Reply-To: <faf06553-c894-e34c-264e-c0265e3ee071@thelounge.net>
Hi Harald,
On Mon, Jun 22, 2020 at 03:34:24PM +0200, Reindl Harald wrote:
> Am 22.06.20 um 14:42 schrieb Pablo Neira Ayuso:
> > Hi Phil,
> >
> > On Fri, Jun 19, 2020 at 04:11:57PM +0200, Phil Sutter wrote:
> >> Hi Pablo,
> >>
> >> I remember you once asked for the benchmark scripts I used to compare
> >> performance of iptables-nft with -legacy in terms of command overhead
> >> and caching, as detailed in a blog[1] I wrote about it. I meanwhile
> >> managed to polish the scripts a bit and push them into a public repo,
> >> accessible here[2]. I'm not sure whether they are useful for regular
> >> runs (or even CI) as a single run takes a few hours and parallel use
> >> likely kills result precision.
> >
> > So what is the _technical_ incentive for using the iptables blob
> > interface (a.k.a. legacy) these days then?
> >
> > The iptables-nft frontend is transparent and it outperforms the legacy
> > code for dynamic rulesets.
>
> it is not transparent enough because it don't understand classical ipset
It does! You can use ipsets with iptables-nft just as before. If your
experience differs, that's a bug we should fix.
> my shell scripts creating the ruleset, cahins and ipsets can be switched
> from iptables-legacy to iptables-nft and before the reboot despite the
> warning that both are loaded it *looked* more or less fine comparing the
> rulset from both backends
>
> i gave it one try and used "iptables-nft-restore" and "ip6tables-nft",
> after reboot nothing worked at all
Not good. Did you find out *why* nothing worked anymore? Would you maybe
care to share your script and ruleset with us?
> via console i called "firewall.sh" again wich would delete all rules and
> chains followed by re-create them, no success and errors that things
> already exist
That sounds weird, if it reliably drops everything why does it complain
with EEXIST?
> please don't consider to drop iptables-legacy, it just works and im miss
> a compelling argument to rework thousands of hours
I'm not the one to make that call, but IMHO the plan is for
iptables-legacy to become irrelevant *before* it is dropped from
upstream repositories. So as long as you are still using it (and you're
not an irrelevant minority ;) nothing's at harm.
Cheers, Phil
next prev parent reply other threads:[~2020-06-22 14:04 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-19 14:11 iptables user space performance benchmarks published Phil Sutter
2020-06-22 12:42 ` Pablo Neira Ayuso
2020-06-22 13:34 ` Reindl Harald
2020-06-22 14:04 ` Phil Sutter [this message]
2020-06-22 14:11 ` Reindl Harald
2020-06-22 14:54 ` Phil Sutter
2020-06-22 15:19 ` Reindl Harald
2020-06-22 15:44 ` Phil Sutter
2020-06-22 16:29 ` Reindl Harald
2020-06-22 16:45 ` Phil Sutter
2020-06-22 16:59 ` Reindl Harald
2020-06-22 16:23 ` Stefano Brivio
2020-06-22 16:38 ` Reindl Harald
2020-06-22 13:40 ` Phil Sutter
2020-06-22 14:04 ` Jan Engelhardt
2020-06-22 14:35 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200622140450.GZ23632@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=h.reindl@thelounge.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).