    iptables vs nftables vs bpfilter

    SplitIce Member, Provider

    Fight!

    --

    No but seriously, predictions people? Technology thoughts?

    Is it just me or does nftables seem a bit like IPv5? I guess that makes bpfilter IPv6 (when it rolls out).

    X4B - DDoS Protection: Affordable DDoS protection including Layer 7 mitigation with PoPs in the US, EU and Asia.
    Latest Offer: $14 in Asia DDoS mitigation

    Comments

    • Jarry Member

      No fight there, just natural evolution (ipfwadm > ipchains > netfilter/iptables/ip6tables/arptables > nftables/nft > bpfilter/bpt). Just bear in mind bpfilter is in very early stages of development. The most optimistic guess I have seen somewhere on the kernel mailing list is that it needs at least 3 more years until it is production ready. Probably much more...

    • SplitIce Member, Provider

      @Jarry

      re: bpfilter, eBPF via tc and XDP is available now. I'm betting it will be fairly interchangeable (just a different hook point). Many years is my concern too. Although it should be easier than nftables ever was to implement. Apparently you can also do eBPF in xt_BPF (within iptables), although I'm yet to try it.

      nftables is a poorly designed replacement for iptables IMHO. Sure they fixed many iptables issues, but they created new ones. One of the big ones: no extensibility of targets without patching multiple projects; also low readability of complex rules ("tcp" means different things depending on what precedes it, or doesn't). I really hate it. I do wish I could do verdict maps in iptables though.... It was also slower than iptables per rule last I checked (indirection is a bitch); it only excels due to rule reduction (e.g. maps).

      I wonder if you can run both iptables and nftables (i.e. run nftables after an IPTABLES prerouting raw hook). That would be cool.

    • eva2000 Member

      Guess we shall see with RHEL/CentOS 8 using nftables :)

      * Centmin Mod Project (HTTP/2 support + ngx_pagespeed + Nginx Lua + Vhost Stats)
      * Centmin Mod LEMP Stack Quick Install Guide
    • SplitIce Member, Provider

      @eva2000 I don't suppose you have benchmarked them for Centmin Mod (only 'cause you benchmark near everything). I'd be really curious to see a modern comparison (post-Spectre etc.).

    • sin Member

      I like nftables, I started using it with Debian Stretch and now it looks like it's default in Buster.

    • Shot2 Member

      I dislike nftables. Idiotic and contorted.

      Providing less than /64 means "we are clueless about IPv6". I haz Aruba, IonSwitch, OneProv, Veesp.

    • eva2000 Member

      @SplitIce said:
      @eva2000 I don't suppose you have benchmarked them for Centmin Mod (only 'cause you benchmark near everything). I'd be really curious to see a modern comparison (post-Spectre etc.).

      Haven't touched nftables yet as Centmin Mod uses CSF Firewall (iptables wrapper), so will have to see how CSF Firewall handles CentOS/RHEL 8 nftables. CSF Firewall folks said wait and see as they also need to get their hands on CentOS 8.

    • rm_ Member

      iptables works.

    • FHR Member, Provider
      edited June 11

      XDP looks great from the description; it seems it can process millions of packets per second on a single core. eBPF with XDP is a superior method of filtering to anything else.

      SplitIce said: I wonder if you can run both iptables and nftables (i.e run nftables after an IPTABLES prerouting raw hook). That would be cool.

      AFAIK no.

      SkylonHost - affordable hourly-billed KVM VPS in Prague, CZ!
      Featuring own high performance network AS202297 | RIPE NCC member | Contact us for IPs/ASNs

    • ehab Member
      edited June 11

      ++nftables

      • do not prepay > 1 year and check for reviews/support
      • only use monthly from a provider operating < 1 year 🍆
    • LTniger Member

      @Shot2 said:
      I dislike nftables. Idiotic and contorted.

      Care to elaborate? Nft seems way more human readable than iptables.

      Wordpress Hosting - Home made!

    • SplitIce Member, Provider

      @LTniger I assume he means contextual problems, e.g. what "tcp" means varies given its location in the rule.

      BTW to anyone looking to play with eBPF as a result of this thread you need a damn new kernel. None of this >3.9 or even 4.1 as quoted elsewhere. For most features >4.16.

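    An added example, written for this page and not code posted by SplitIce or anyone else in the thread, to make two of the points above concrete: the verdict maps SplitIce wishes iptables had (one map lookup standing in for a linear run of iptables rules, which is the "rule reduction" being credited), and the context-dependence of the word "tcp" that SplitIce raises in both the nftables critique and the reply to LTniger. The table and map names, the port list and the loopback interface name are constructed sample values.

```nft
# Added example (not from the thread). Ruleset demonstrating:
#  (a) a verdict map that replaces a list of per-port iptables rules, and
#  (b) why "tcp" reads differently depending on what precedes it.
# Table/map names, ports and interface name are constructed sample values.

table inet filter {
    # (a) Verdict map: a single lookup decides accept/drop per destination port.
    # The linear iptables equivalent would be one rule per entry, evaluated
    # top to bottom, e.g.:
    #   iptables -A INPUT -p tcp --dport 22  -j ACCEPT
    #   iptables -A INPUT -p tcp --dport 80  -j ACCEPT
    #   iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    #   iptables -A INPUT -p tcp --dport 23  -j DROP
    map tcp_policy {
        type inet_service : verdict
        elements = { 22 : accept, 80 : accept, 443 : accept, 23 : drop }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # (b) Three appearances of "tcp", three meanings:
        #   "meta l4proto tcp"  -> "tcp" is a protocol VALUE compared against
        #                          the meta key (works for IPv4 and IPv6).
        #   "ip protocol tcp"   -> again a VALUE, but read from the IPv4 header
        #                          only, so it never matches IPv6 packets.
        #   "tcp dport ..."     -> here "tcp" is the transport-header EXPRESSION
        #                          selecting the TCP dport field; nft adds the
        #                          l4proto dependency for you.
        meta l4proto tcp tcp dport vmap @tcp_policy

        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }
}
```

    Load it with `nft -f <file>` and read it back with `nft list ruleset`. A packet whose port is not in the map simply misses the vmap rule and falls through to the chain's `policy drop`, which is the same end result the explicit iptables list gives under a `DROP` policy; adding a port is one map element rather than one more rule to walk past.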