iptables vs nftables vs bpfilter

SplitIce Member, Provider

Fight!

--

No but seriously, predictions people? Technology thoughts?

Is it just me or does nftables seem a bit like IPv5? I guess that makes bpfilter IPv6 (when it rolls out).

Thanked by Janevski
X4B - DDoS Protection: Affordable Anycast DDoS protection including Layer 7 mitigation with PoPs in the US, EU and Asia.
Latest Offer: Black Friday 2019 Offer

Comments

  • Jarry Member

    No fight there, just natural evolution (ipfwadm > ipchains > netfilter/iptables/ip6tables/arptables > nftables/nft > bpfilter/bpt). Just bear in mind bpfilter is in very early stages of development. The most optimistic guess I have seen somewhere on the kernel mailing list is that it needs at least 3 more years till it is production ready. Probably much more...

  • SplitIce Member, Provider

    @Jarry

    re: bpfilter, eBPF via tc and XDP is available now. I'm betting it will be fairly interchangeable (just a different hook point). Many years is my concern too, although it should be easier than nftables ever was to implement. Apparently you can also do eBPF in xt_BPF (within iptables), although I'm yet to try it.

    nftables is a poorly designed replacement for iptables IMHO. Sure they fixed many iptables issues, but they created new ones. One of the big ones is no extensibility of targets without patching multiple projects; another is low readability of complex rules ("tcp" means different things depending on what precedes it - or doesn't). I really hate it. I do wish I could do verdict maps in iptables though.... It was also slower than iptables per rule last I checked (indirection is a bitch); it only excels due to rule reduction (e.g. maps).

    I wonder if you can run both iptables and nftables (i.e. run nftables after an IPTABLES prerouting raw hook). That would be cool.

    Thanked by desperand
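The rule-reduction point in the post above (many iptables rules versus one map lookup), as an added example that is not SplitIce's code or anything posted in the thread: a shell script that writes the same TCP destination-port dispatch twice, once as an iptables INPUT chain in iptables-restore format (one rule per port) and once as a single nftables verdict map with one rule. The four port:chain pairs are constructed for illustration, and the script only generates text; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: the same TCP port dispatch written
# twice, as an iptables chain (one rule per port) and as one nftables verdict
# map. The port:chain pairs are constructed for illustration.

PORT_CHAINS="22:ssh_in 80:web_in 443:web_in 3306:db_in"

# unique chain names referenced by PORT_CHAINS
chains() {
    for pc in $PORT_CHAINS; do printf '%s\n' "${pc#*:}"; done | sort -u
}

# iptables-restore format: N ports cost N rules, each evaluated in turn
iptables_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]'
    for chain in $(chains); do
        printf ':%s - [0:0]\n' "$chain"
    done
    for pc in $PORT_CHAINS; do
        port=${pc%%:*}; chain=${pc#*:}
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j $chain"
    done
    printf '%s\n' 'COMMIT'
}

# nft format: the chains, one verdict map, and a single rule that does the
# lookup; adding a port adds a map element, not another rule
nft_rules() {
    elems=""
    for pc in $PORT_CHAINS; do
        port=${pc%%:*}; chain=${pc#*:}
        elems="${elems:+$elems, }$port : jump $chain"
    done
    printf 'table inet filter {\n'
    for chain in $(chains); do
        printf '    chain %s { }\n' "$chain"
    done
    printf '    map dport_dispatch {\n'
    printf '        type inet_service : verdict\n'
    printf '        elements = { %s }\n' "$elems"
    printf '    }\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy drop;\n'
    # "tcp dport" also implies the l4 protocol match; there is no separate -p tcp
    printf '        tcp dport vmap @dport_dispatch\n'
    printf '    }\n}\n'
}

# Syntax-check both rulesets without loading them (needs the tools, usually root).
check_rulesets() {
    command -v nft >/dev/null 2>&1 && nft_rules | nft -c -f -
    command -v iptables-restore >/dev/null 2>&1 && iptables_rules | iptables-restore --test
}

iptables_rules
echo
nft_rules
```

`check_rulesets` pipes each generated ruleset through `nft -c -f -` and `iptables-restore --test`, which parse and validate but do not commit anything; both typically need root, so it is a separate function rather than run by default.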
  • Guess we shall see with RHEL/CentOS 8 using nftables :)

    * Centmin Mod Project (HTTP/2 support + ngx_pagespeed + Nginx Lua + Vhost Stats)
    * Centmin Mod LEMP Stack Quick Install Guide
  • SplitIce Member, Provider

    @eva2000 I don't suppose you have benchmarked them for Centmin Mod (only 'cause you benchmark near everything). I'd be really curious to see a modern comparison (post spectre etc).

  • sin Member

    I like nftables, I started using it with Debian Stretch and now it looks like it's default in Buster.

  • Shot2 Member

    I dislike nftables. Idiotic and contorted.

    Providing less than /64 means "we are clueless about IPv6". My geekbench results. I haz BuyVM, OneProv, Servarica, Veesp.

  • @SplitIce said:
    @eva2000 I don't suppose you have benchmarked them for Centmin Mod (only 'cause you benchmark near everything). I'd be really curious to see a modern comparison (post spectre etc).

    haven't touched nftables yet as Centmin Mod uses CSF Firewall (iptables wrapper) so will have to see how CSF Firewall handles CentOS/RHEL 8 nftables. CSF Firewall folks said wait and see as they also need to get their hands on CentOS 8.

  • rm_ Member

    iptables works.

  • FHR Member, Provider
    edited June 2019

    XDP looks great from the description; it seems it can process millions of packets per second on a single core. eBPF with XDP is a superior method of filtering to anything else.

    SplitIce said: I wonder if you can run both iptables and nftables (i.e. run nftables after an IPTABLES prerouting raw hook). That would be cool.

    AFAIK no.

    SkylonHost - affordable hourly-billed KVM VPS in Prague, CZ!
    Featuring own high performance network AS202297 | RIPE NCC member | Contact us for IPs/ASNs

  • ehab Member
    edited June 2019

    ++nftables

    • do not prepay > 1 year and check for reviews/support
    • only use monthly from a provider operating < 1 year 🍆
  • @Shot2 said:
    I dislike nftables. Idiotic and contorted.

    Care to elaborate? Nft seems way more human readable than iptables.

    Thanked by darkimmortal

    hostWP.net - Wordpress Hosting Platform.

  • SplitIce Member, Provider

    @LTniger I assume he means contextual problems, e.g. what "tcp" means varies given its location in the rule.

    BTW to anyone looking to play with eBPF as a result of this thread: you need a damn new kernel. None of this >3.9 or even 4.1 as quoted elsewhere. For most features >4.16.

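A preflight check for the kernel requirement raised in the post above, added here as an example and not part of the thread: it parses the release string from `uname -r` against a minimum version and then reports the BPF-related state this host exposes (the bpffs mount point, the JIT and unprivileged-BPF sysctls, and whether the xt_bpf iptables match module is installed). The 4.16 threshold is taken from the post; the probes only read and report, they change nothing.

```shell
#!/bin/sh
# Added example, not code from the thread: preflight for the "you need a new
# kernel" point. kver_ge does the version comparison; bpf_preflight only reads
# and reports, it changes nothing.

# kver_ge RELEASE MAJOR MINOR: succeed if RELEASE (as printed by uname -r) is
# at least MAJOR.MINOR. Distro suffixes such as "0-6-amd64" or "-rc1" are ignored.
kver_ge() {
    rel=$1 want_major=$2 want_minor=$3
    case $rel in
        *.*) major=${rel%%.*}; minor=${rel#*.}; minor=${minor%%.*} ;;
        *)   major=$rel; minor=0 ;;
    esac
    major=${major%%[!0-9]*}
    minor=${minor%%[!0-9]*}
    [ "${major:-0}" -gt "$want_major" ] ||
        { [ "${major:-0}" -eq "$want_major" ] && [ "${minor:-0}" -ge "$want_minor" ]; }
}

bpf_preflight() {
    rel=$(uname -r)
    if kver_ge "$rel" 4 16; then
        echo "kernel $rel: at or above 4.16 (threshold from the post above)"
    else
        echo "kernel $rel: below 4.16, expect missing eBPF program types and helpers"
    fi
    # where pinned maps and programs live; tc and XDP loaders expect it mounted
    [ -d /sys/fs/bpf ] && echo "/sys/fs/bpf present" || echo "/sys/fs/bpf missing"
    # bpf_jit_enable=1 means JIT on; unprivileged_bpf_disabled=1 means only
    # privileged processes may load programs
    for f in /proc/sys/net/core/bpf_jit_enable /proc/sys/kernel/unprivileged_bpf_disabled; do
        [ -r "$f" ] && echo "$f = $(cat "$f")"
    done
    # xt_bpf is the iptables match that runs a BPF program (mentioned in the thread)
    if modinfo xt_bpf >/dev/null 2>&1; then
        echo "xt_bpf match module available"
    else
        echo "xt_bpf match module not found"
    fi
}

bpf_preflight
```

Run it as an ordinary user on the target box; `kver_ge` is the only part with a defined result, the rest prints whatever the host exposes (the unprivileged_bpf_disabled sysctl in particular is absent on older kernels, which the `-r` test tolerates).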
  • SplitIce Member, Provider

    Blast from the past, I thought I'd share something.

    Back when I opened this I was disappointed with the lack of verdict maps in iptables. So I set out to research different ways a similar technology could be introduced into iptables/xtables.

    A prototype is now out: https://github.com/splitice/xt_DYNJMP/

    Requires a kernel patch, since iptables by default doesn't let you do such dangerous things (and yes this IS dangerous).

    Thanked by Clouvider, eva2000
  • iptable : it is a command line utility to configure firewall rules
    nftable : it is a package filtering framework.

    Thanked by Janevski
  • SplitIce Member, Provider

    cloudminister said: nftable : it is a package filtering framework.

    netfilter: is a package filtering framework.

    FTFY
