From: Phil Sutter <phil@nwl.cc>
To: Reindl Harald <h.reindl@thelounge.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: iptables user space performance benchmarks published
Date: Mon, 22 Jun 2020 18:45:44 +0200 [thread overview]
Message-ID: <20200622164544.GD23632@orbyte.nwl.cc> (raw)
In-Reply-To: <80246bf7-7496-0bfc-d5d7-329ae0fb3b1f@thelounge.net>
Hi Harald,
On Mon, Jun 22, 2020 at 06:29:05PM +0200, Reindl Harald wrote:
> Am 22.06.20 um 17:44 schrieb Phil Sutter:
> > Sorry, no thanks. If your setup is so complicated you rather send me an
> > image of the machine(s?) running it, you're in dire need to simplify
> > things in order to prepare for me helping out. Assuming that
> > 'firewall.sh' is also really 57KB in size, I'll probably have a hard
> > time even making it do what it's supposed to, let alone reproduce the
> > problem.
>
> yeah, it's a corporate firewall with DoS protection, portscan triggers
> and a ton of fancy stuff ending in 270 rules which are 100% needed (most
> are chains that log something with -m limit and now do something using
> nflog/ulogd)
>
> > Let's go another route: Before and after switching from legacy to nft
> > backend, please collect the current ruleset by recording the output of:
> >
> > - iptables-save
> > - ip6tables-save
> > - nft list ruleset
> > - ipset list
>
> *good news* with xtables-save v1.8.3 on Fedora 31
>
> unlike at the last try, after switching to ip(6)tables-nft(-restore) and
> a reboot the network now seems to work properly
>
> not only that: ssh behind an ipset rule now works, and my "test.php" also
> confirms that ratelimits, the portscan trigger and the NAT are working
>
> the iptables-legacy layer is for sure empty after reboot
>
> -------------------------------
>
> but what is the replacement for iterating over "/proc/net/ip_tables_names"
> and "/proc/net/ip6_tables_names" in case "iptables-nft" is in use?
>
> that is not only used for the reset but also in several places for status
> counters and to display the rulesets in "-t filter", "-t mangle" and "-t raw"
>
> -------------------------------
>
> missing that explains why everything is falling to pieces and why adding
> things which are supposed to be no longer there fails
Ah yes, that's an obvious change and there's nothing we can do about it.
Unlike legacy iptables, there are no dedicated modules supporting each
table in iptables-nft. For instance, nft_chain_filter.ko suffices for the
raw, filter and security tables. For the nat table you need
nft_chain_nat.ko, and mangle needs nft_chain_route.ko (actually just for
the OUTPUT chain).
> $IPTABLES here is a macro within my application
>
> for TABLE in $(<'/proc/net/ip_tables_names'); do
> hlp_rule_ipv4 "$IPTABLES -t $TABLE -F"
> hlp_rule_ipv4 "$IPTABLES -t $TABLE -X"
> done
> if [ "$IPV6_LOADED" == 1 ]; then
> for TABLE in $(<'/proc/net/ip6_tables_names'); do
> hlp_rule_ipv6 "$IPTABLES -t $TABLE -F"
> hlp_rule_ipv6 "$IPTABLES -t $TABLE -X"
> done
> fi
For iptables-services in Fedora, I simply hard-coded the table names.
Cheers, Phil
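The following is an added example, not code from this thread or from iptables-services: a drop-in for the /proc/net/ip_tables_names loop quoted above that works with either backend. It assumes that iptables-save and ip6tables-save on PATH resolve to the backend actually in use (the alternatives symlinks on Fedora) and relies only on the documented iptables-save output format, where each table starts with a "*name" line. The helper names (tables_from_save, list_tables, flush_commands, flush_all_tables) are this example's own; the poster's hlp_rule_ipv4/hlp_rule_ipv6 helpers are not reproduced.

```shell
#!/bin/sh
# Added example, not code from this thread: enumerate the tables the active
# iptables backend knows about without reading /proc/net/ip_tables_names or
# /proc/net/ip6_tables_names, which only the legacy backend provides.
# Both iptables-legacy-save and iptables-nft-save begin each table with a
# "*<name>" line, so the list of tables can be taken from their output.
#
# Assumptions: iptables-save / ip6tables-save on PATH resolve to the backend
# in use (the alternatives symlinks on Fedora). Nothing here touches a live
# ruleset unless flush_all_tables is called.

# Read iptables-save style output on stdin and print one table name per line.
tables_from_save() {
    sed -n 's/^\*\([a-z]*\)$/\1/p'
}

# Print the tables present for IP family 4 or 6. An empty result means the
# save tool failed (e.g. ip6tables without IPv6 support) or found no tables.
list_tables() {
    case "$1" in
        4) iptables-save 2>/dev/null | tables_from_save ;;
        6) ip6tables-save 2>/dev/null | tables_from_save ;;
        *) echo "list_tables: family must be 4 or 6" >&2; return 1 ;;
    esac
}

# Read table names on stdin and emit the "-F" and "-X" commands for each,
# one per line, for family 4 or 6. Pure text, so it can be checked offline
# and reviewed before anything is executed.
flush_commands() {
    if [ "$1" = 6 ]; then
        set -- ip6tables
    else
        set -- iptables
    fi
    while read -r table; do
        [ -n "$table" ] || continue
        printf '%s -t %s -F\n' "$1" "$table"
        printf '%s -t %s -X\n' "$1" "$table"
    done
}

# Replacement for the /proc-driven reset loop: flush all rules and delete all
# user-defined chains in every table of both families, whichever backend is
# active. Failures are reported but do not stop the loop.
flush_all_tables() {
    for fam in 4 6; do
        list_tables "$fam" | flush_commands "$fam" | while read -r cmd; do
            $cmd || echo "failed: $cmd" >&2
        done
    done
}

# Example invocation (requires root and iptables on the host):
# flush_all_tables
```

Because the table list comes from the save tool rather than from a hard-coded set, the same loop also serves the status-counter and "-t <table>" display paths the poster mentions: pipe list_tables into whatever per-table action is needed instead of flush_commands.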
Thread overview: 16+ messages
2020-06-19 14:11 iptables user space performance benchmarks published Phil Sutter
2020-06-22 12:42 ` Pablo Neira Ayuso
2020-06-22 13:34 ` Reindl Harald
2020-06-22 14:04 ` Phil Sutter
2020-06-22 14:11 ` Reindl Harald
2020-06-22 14:54 ` Phil Sutter
2020-06-22 15:19 ` Reindl Harald
2020-06-22 15:44 ` Phil Sutter
2020-06-22 16:29 ` Reindl Harald
2020-06-22 16:45 ` Phil Sutter [this message]
2020-06-22 16:59 ` Reindl Harald
2020-06-22 16:23 ` Stefano Brivio
2020-06-22 16:38 ` Reindl Harald
2020-06-22 13:40 ` Phil Sutter
2020-06-22 14:04 ` Jan Engelhardt
2020-06-22 14:35 ` Phil Sutter