* Fwd: nftables
[not found] <BANLkTikT_ETuEE2e7Khip9xJKFiDgBe7Qg@mail.gmail.com>
From: Juraj Gabčík @ 2011-04-29 9:33 UTC (permalink / raw)
To: netfilter

Hi people!

First, I would like to introduce myself to you. My name is Juraj Gabčík and I am a student at the Faculty of Informatics at the University of Žilina, Slovakia.

My reason for writing to you is that I would like to ask you for a favour. I am now writing my bachelor's thesis about nftables and I would be grateful to you for some information I need concerning this issue. I found something on the internet but it wasn't enough.

I am interested in the background of the processing of a packet after it is received by the NIC: what queues it passes, where the rules can be applied, etc. Nor could I find any information about whether nftables has the same structure of classes INPUT, OUTPUT and FORWARD as iptables.

I need to compare the efficiency of the firewall created by iptables and nftables, and I would be very grateful if you could explain to me the main differences between the processing of a packet by means of iptables and nftables. Also a demonstration of some rules written by means of iptables and nftables (rules of the same meaning in both cases) would be very helpful. How do I compile a kernel supporting nftables?

If you could come up with something more that would help me or that would be useful for my thesis, I would highly appreciate it. As I have already mentioned, I am mainly concerned with the information related to the background of the processing of the packet and the comparison of the efficiency of iptables and nftables.

Hope to hear from you soon,
Juraj Gabčík
* Re: nftables
From: Jan Engelhardt @ 2011-04-29 10:06 UTC (permalink / raw)
To: Juraj Gabčík; +Cc: netfilter

On Friday 2011-04-29 11:33, Juraj Gabčík wrote:
>
> I am interested in the background of the processing of a packet after
> it is received by the NIC: what queues it passes, where the rules can be
> applied, etc. Nor could I find any information about whether
> nftables has the same structure of classes INPUT, OUTPUT and FORWARD
> as iptables.
>
> I need to compare the efficiency of the firewall created by iptables
> and nftables and I would be very grateful if you could explain to me
> the main differences between the processing of a packet by means of
> iptables and nftables.

Differences: iptables (or more precisely the Xtables collective) uses a packed table and no "indirect interpreter" - a module like xt_u32 is optional -, which yields the speediest execution environment. This packing is important, the larger the ruleset becomes and the smaller the CPU caches are. It also has no limits on call depth.

Xtables does not use the Netlink protocol yet for conveying changes to the kernel, but it is being pondered how to get it there. Netlink attributes have some worrying limitations and no consensus has yet been reached on the packet format. The much-sought nlattr32 patches have not appeared yet either, so the protocol effort is staggering, but I hold high hopes that someone is on nla32 - meanwhile, I utilize the time by doing precursor work on the userspace components instead (the option parsing patches posted - a large part of the code is reusable for a Netlink variant).
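Juraj asks above for rules of the same meaning written for both iptables and nftables, and whether nftables keeps the INPUT/OUTPUT/FORWARD structure. The script below is an added example for this thread, not code from either poster or from the netfilter project: a small translator that renders one abstract filter policy as both iptables commands and nft commands, so the two rulesets can be compared side by side. It assumes the nft command-line syntax of the later released nftables (user-named base chains attached to the input/forward/output hooks inside an `inet` table), which postdates this 2011 thread; `Rule`, `to_iptables`, `to_nft` and `rule_counts` are hypothetical helper names, and the sample policy is constructed for illustration.

```python
"""Render one abstract filter policy as equivalent iptables and nft commands.

Hypothetical helper written for this thread; it is not part of iptables,
nftables or the netfilter project.  The nft syntax is the later released
command-line syntax, not anything that was available in 2011.
"""
from dataclasses import dataclass

# iptables built-in chain -> netfilter hook that an nft base chain attaches to.
# In nft the chain name is user-chosen; the hook is what fixes the traversal point.
HOOK_FOR_CHAIN = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}
ACTIONS = {"accept": "ACCEPT", "drop": "DROP"}   # nft verdict -> iptables target


@dataclass(frozen=True)
class Rule:
    chain: str    # INPUT, FORWARD or OUTPUT (iptables naming)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port to match
    action: str   # "accept" or "drop" (nft naming)

    def validate(self) -> None:
        """Reject anything the translator cannot express in both dialects."""
        if self.chain not in HOOK_FOR_CHAIN:
            raise ValueError(f"unknown chain {self.chain!r}")
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if not 0 < self.dport < 65536:
            raise ValueError(f"port out of range: {self.dport}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


def to_iptables(rules, default_policy="drop"):
    """iptables filter table: fixed built-in chains, default policy set per chain."""
    lines = [f"iptables -P {chain} {ACTIONS[default_policy]}" for chain in HOOK_FOR_CHAIN]
    for r in rules:
        r.validate()
        lines.append(f"iptables -A {r.chain} -p {r.proto} --dport {r.dport} -j {ACTIONS[r.action]}")
    return lines


def to_nft(rules, table="filter", default_policy="drop"):
    """nft: one inet table, one user-named base chain per hook, same default policy."""
    lines = [f"nft add table inet {table}"]
    for chain, hook in HOOK_FOR_CHAIN.items():
        lines.append(
            f"nft add chain inet {table} {chain.lower()} "
            f"'{{ type filter hook {hook} priority 0; policy {default_policy}; }}'"
        )
    for r in rules:
        r.validate()
        lines.append(f"nft add rule inet {table} {r.chain.lower()} {r.proto} dport {r.dport} {r.action}")
    return lines


def rule_counts(rules):
    """Per-rule commands emitted by each backend (table/chain setup excluded)."""
    ipt = len(to_iptables(rules)) - len(HOOK_FOR_CHAIN)
    nft = len(to_nft(rules)) - 1 - len(HOOK_FOR_CHAIN)
    return ipt, nft


# Constructed sample policy: accept SSH and DNS in, allow DNS queries out, drop the rest.
SAMPLE_POLICY = [
    Rule("INPUT", "tcp", 22, "accept"),
    Rule("INPUT", "udp", 53, "accept"),
    Rule("OUTPUT", "udp", 53, "accept"),
]

if __name__ == "__main__":
    print("\n".join(to_iptables(SAMPLE_POLICY)))
    print()
    print("\n".join(to_nft(SAMPLE_POLICY)))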