netfilter.vger.kernel.org archive mirror
* Fwd: nftables
@ 2011-04-29  9:33 ` Juraj Gabčík
  2011-04-29 10:06   ` nftables Jan Engelhardt
From: Juraj Gabčík @ 2011-04-29  9:33 UTC
  To: netfilter

Hi people!

First, I would like to introduce myself to you. My name is Juraj
Gabčík and I am a student at the Faculty of Informatics at the
University of Žilina, Slovakia. My reason for writing to you is that I
would like to ask you for a favour. I am currently writing my bachelor's
thesis about nftables and I would be grateful to you for some
information I need concerning this issue. I found something on the
internet but it wasn't enough.

I am interested in the background of the processing of a packet after
it's received by the NIC: what queues it passes, where the rules can be
applied etc. Nor could I find any information about whether
nftables has the same structure of chains INPUT, OUTPUT and FORWARD
as iptables.

I need to compare the efficiency of a firewall created with iptables
and with nftables and I would be very grateful if you could explain to me
the main differences between the processing of a packet by means of
iptables and nftables. Also a demonstration of some rules written by
means of iptables and nftables (rules of the same meaning in both
cases) would be very helpful.

How do I compile a kernel supporting nftables?

If you could come up with anything more that would help me or that
would be useful for my thesis, I would highly appreciate it. As I have
already mentioned, I am mainly concerned about the information related
to the background of the processing of the packet and the comparison
of the efficiency of iptables and nftables.

Hope to hear from you soon,

Juraj Gabčík


* Re: nftables
  2011-04-29  9:33 ` Fwd: nftables Juraj Gabčík
@ 2011-04-29 10:06   ` Jan Engelhardt
From: Jan Engelhardt @ 2011-04-29 10:06 UTC
  To: Juraj Gabčík; +Cc: netfilter


On Friday 2011-04-29 11:33, Juraj Gabčík wrote:
>
>I am interested in the background of the processing of a packet after
>it's received by the NIC: what queues it passes, where the rules can be
>applied etc. Nor could I find any information about whether
>nftables has the same structure of chains INPUT, OUTPUT and FORWARD
>as iptables.
>
>I need to compare the efficiency of a firewall created with iptables
>and with nftables and I would be very grateful if you could explain to me
>the main differences between the processing of a packet by means of
>iptables and nftables.

Differences:

iptables (or more precisely the Xtables collective) uses a packed
table and no "indirect interpreter" (a module like xt_u32 is
optional), which yields the speediest execution environment. This
packing becomes more important the larger the ruleset gets and the
smaller the CPU caches are. It also has no limits on call depth.

Xtables does not use the Netlink protocol yet for conveying changes
to the kernel, but it is being pondered how to get it there. Netlink
attributes have some worrying limitations and no consensus has yet been
reached on the packet format. The much-sought nlattr32 patches have
not appeared yet either, so the protocol effort is staggering, but I
hold high hopes someone is on nla32. Meanwhile, I utilize the time
by doing precursor work on the userspace components instead (the
option parsing patches posted; a large part of the code is reusable
for a Netlink variant).

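Juraj asked for rules of the same meaning written for both iptables and nftables, and whether nftables keeps the INPUT/OUTPUT/FORWARD structure. The script below is an added example, not part of the thread and not code from either author: one stateful host firewall (drop by default, allow loopback, established/related, SSH and ping) emitted once as iptables commands and once as an nft ruleset. It assumes current nft syntax (not the 2011 prototype) and that an `inet` family table is acceptable; applying either form requires root and the matching kernel modules, so by default it only emits text and, where `nft` is installed, syntax-checks the ruleset without loading it.

```shell
#!/bin/sh
# Added example: the same policy in iptables and nftables form.
# Assumed values (not from the thread):
IPT=iptables
SSH_PORT=22

# iptables form: rules go into the fixed filter-table chains
# INPUT/FORWARD/OUTPUT; -P sets the default policy per chain.
iptables_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# nft form: chains are user-named and bound to the same netfilter hooks
# (input/forward/output) by "type filter hook ... priority ...";
# the base chain's "policy" plays the role of iptables' -P.
nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport $SSH_PORT ct state new accept
        icmp type echo-request accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Parse-check the nft ruleset without loading it (nft -c reads from stdin).
# Returns 0 when nft is absent so the script stays usable on any host.
nft_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
    nft_ruleset | nft -c -f -
}
```

To load for real, pipe `nft_ruleset` into `nft -f -` and run the lines from `iptables_rules` on a separate host; never apply both to the same machine, since each hooks the same netfilter points and the combined evaluation order is confusing to audit.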
