From: Phil Sutter <phil@nwl.cc>
To: Reindl Harald <h.reindl@thelounge.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: iptables user space performance benchmarks published
Date: Mon, 22 Jun 2020 17:44:12 +0200
Message-ID: <20200622154412.GC23632@orbyte.nwl.cc>
In-Reply-To: <eef37fef-0e6c-b948-7195-76ce2e2be93b@thelounge.net>

Harald,

On Mon, Jun 22, 2020 at 05:19:53PM +0200, Reindl Harald wrote:
> On 22.06.20 at 16:54, Phil Sutter wrote:
> > On Mon, Jun 22, 2020 at 04:11:06PM +0200, Reindl Harald wrote:
> >> On 22.06.20 at 16:04, Phil Sutter wrote:
> >>>> i gave it one try and used "iptables-nft-restore" and "ip6tables-nft",
> >>>> after reboot nothing worked at all
> >>>
> >>> Not good. Did you find out *why* nothing worked anymore? Would you maybe
> >>> care to share your script and ruleset with us?
> >>
> >> i could share it offlist, it's a bunch of stuff including a management
> >> interface written in bash and is designed for a /24 1:1 NETMAP
> >
> > Yes, please share off-list. I'll see if I can reproduce the problem.
> >
> >> basically it already has a config-switch to enforce iptables-nft
> >>
> >> FILE                    TOTAL  STRIPPED  SIZE
> >> tui.sh                  1653   1413      80K
> >> firewall.sh             984    738       57K
> >> shared.inc.sh           578    407       28K
> >> custom.inc.sh           355    112       13K
> >> config.inc.sh           193    113       6.2K
> >> update-blocked-feed.sh  68     32        4.1K
> >
> > Let's hope I don't have to read all of that. /o\
>
> to see the testing implemented please scroll to the bottom :-)
>
> that whole stuff lives in a demo-setup at home reacting slightly
> different when $HOSTNAME is "firewall.vmware.local"
>
> surely, you can have the scripts alone but it's likely easier to get the
> ESXi started somehow and have a fully working network reflecting
> production just with different LAN/WAN ranges

Sorry, no thanks. If your setup is so complicated you rather send me an
image of the machine(s?) running it, you're in dire need to simplify
things in order to prepare for me helping out. Assuming that
'firewall.sh' is also really 57KB in size, I'll probably have a hard
time even making it do what it's supposed to, let alone reproduce the
problem.

Let's go another route: Before and after switching from legacy to nft
backend, please collect the current ruleset by recording the output of:

- iptables-save
- ip6tables-save
- nft list ruleset
- ipset list

Cheers, Phil
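
The before/after collection requested in the message above, as an added shell example that is not part of the original mail or of the iptables project. The function names and the one-file-per-command layout are assumptions; the normalization step goes beyond the request and strips save timestamps and packet/byte counters so the diff shows rule changes only.

```shell
#!/bin/sh
# Added example; function names and file layout are assumptions.

# snapshot_ruleset DIR: save the output of the four commands from the message.
snapshot_ruleset() {
    dir=$1
    mkdir -p "$dir" || return 1
    for cmd in "iptables-save" "ip6tables-save" "nft list ruleset" "ipset list"; do
        out="$dir/$(printf '%s' "$cmd" | tr ' ' '_').txt"
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            status=0
            # $cmd is unquoted on purpose so "nft list ruleset" splits into words
            $cmd >"$out" 2>&1 || status=$?
            [ "$status" -eq 0 ] || printf '# exit status: %s\n' "$status" >>"$out"
        else
            printf '# %s: command not found\n' "${cmd%% *}" >"$out"
        fi
    done
}

# normalize FILE: drop iptables-save timestamps and zero packet/byte counters,
# so a diff shows rule and policy changes only.
normalize() {
    sed -e '/^# Generated by /d' -e '/^# Completed on /d' \
        -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/g' \
        -e 's/counter packets [0-9][0-9]* bytes [0-9][0-9]*/counter packets 0 bytes 0/g' "$1"
}

# compare_snapshots BEFORE AFTER: unified diff per file after normalization.
# Returns 0 when every file matches, 1 otherwise.
compare_snapshots() {
    rc=0
    tmp=$(mktemp -d) || return 2
    for f in "$1"/*.txt; do
        name=$(basename "$f")
        normalize "$f" >"$tmp/before"
        normalize "$2/$name" >"$tmp/after"
        diff -u -L "before/$name" -L "after/$name" "$tmp/before" "$tmp/after" || rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}
```

Run `snapshot_ruleset before` as root on the legacy backend, switch to nft, run `snapshot_ruleset after`, then `compare_snapshots before after`.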