iptables vs nftables vs bpfilter

SplitIce Member, Host Rep

Fight!

--

No but seriously, predictions people? Technology thoughts?

Is it just me or does nftables seem a bit like IPv5? I guess that makes bpfilter IPv6 (when it rolls out).

Thanked by 1Janevski

Comments

  • Jarry Member

    No fight there, just natural evolution (ipfwadm > ipchains > netfilter/iptables/ip6tables/arptables > nftables/nft > bpfilter/bpt). Just bear in mind bpfilter is in very early stages of development. The most optimistic guess I have seen somewhere on the kernel mailing list is that it needs at least 3 more years until it is production ready. Probably much more...

  • SplitIce Member, Host Rep

    @Jarry

    re: bpfilter, eBPF via tc and XDP is available now. I'm betting it will be fairly interchangeable (just a different hook point). Many years is my concern too, although it should be easier than nftables ever was to implement. Apparently you can also do eBPF in xt_BPF (within iptables), although I'm yet to try it.

    nftables is a poorly designed replacement for iptables IMHO. Sure, they fixed many iptables issues, but they created new ones. One of the big ones: no extensibility of targets without patching multiple projects, and low readability of complex rules ("tcp" means different things depending on what precedes it - or doesn't). I really hate it. I do wish I could do verdict maps in iptables though.... It was also slower than iptables per rule last I checked (indirection is a bitch); it only excels due to rule reduction (e.g. maps).

    I wonder if you can run both iptables and nftables (i.e. run nftables after an IPTABLES prerouting raw hook). That would be cool.

    Thanked by 1desperand
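The rule-reduction point above (a verdict map replaces one rule per entry with a single rule and a lookup) can be made concrete with a small generator. The following is an added example, not code from the thread: it takes a constructed port-to-chain mapping, emits the equivalent iptables rule list and the single nftables `vmap` rule, and models how many rule evaluations a packet costs under each scheme. The chain names (`ssh`, `web`, `db`) and the `inet filter` table are assumptions for the illustration; the generated nft line would need those chains to exist before loading.

```python
"""Added example: linear iptables rule chains versus an nftables verdict map.

Constructed data and chain names; nothing here talks to the kernel. The point
it demonstrates is that an nft vmap keeps the rule count at one regardless of
how many entries the map holds, whereas iptables needs one rule per entry and
walks them in order.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample mapping: TCP destination port -> chain to jump to.
PORT_TO_CHAIN: Dict[int, str] = {22: "ssh", 80: "web", 443: "web", 3306: "db"}


def iptables_rules(port_map: Dict[int, str], chain: str = "INPUT") -> List[str]:
    """One iptables rule per map entry; the kernel evaluates them top to bottom."""
    return [
        f"-A {chain} -p tcp --dport {port} -j {target}"
        for port, target in sorted(port_map.items())
    ]


def nft_rules(port_map: Dict[int, str], chain: str = "input") -> List[str]:
    """A single nft rule: 'tcp dport' selects the TCP header field, and the
    verdict map resolves the jump target in one lookup instead of a rule walk.
    (Assumes an 'inet filter' table and the named chains already exist.)"""
    entries = ", ".join(
        f"{port} : jump {target}" for port, target in sorted(port_map.items())
    )
    return [f"add rule inet filter {chain} tcp dport vmap {{ {entries} }}"]


def iptables_lookup(port_map: Dict[int, str], dport: int) -> Tuple[Optional[str], int]:
    """Model of iptables classification: walk the rules in order and return
    (verdict, rules evaluated). A miss costs the full chain length."""
    for evaluated, (port, target) in enumerate(sorted(port_map.items()), start=1):
        if port == dport:
            return target, evaluated
    return None, len(port_map)


def nft_lookup(port_map: Dict[int, str], dport: int) -> Tuple[Optional[str], int]:
    """Model of the vmap rule: exactly one rule is evaluated, and the map
    lookup is a set/hash lookup rather than a scan."""
    return port_map.get(dport), 1


if __name__ == "__main__":
    print("\n".join(iptables_rules(PORT_TO_CHAIN)))
    print("\n".join(nft_rules(PORT_TO_CHAIN)))
    for port in (22, 3306, 8080):
        print(port, iptables_lookup(PORT_TO_CHAIN, port), nft_lookup(PORT_TO_CHAIN, port))
```

The generated nft line also shows the syntax point raised in the post: `tcp dport` here is a match on the TCP header, whereas `ip protocol tcp` or `meta l4proto tcp` would be a match on the protocol number, so the word `tcp` changes meaning with its position in the expression.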
  • eva2000 Veteran

    Guess we shall see with RHEL/CentOS 8 using nftables :)

  • SplitIce Member, Host Rep

    @eva2000 I don't suppose you have benchmarked them for Centmin Mod (only 'cause you benchmark near everything). I'd be really curious to see a modern comparison (post Spectre etc.).

  • sin Member

    I like nftables, I started using it with Debian Stretch and now it looks like it's default in Buster.

  • Shot2 Member

    I dislike nftables. Idiotic and contorted.

  • eva2000 Veteran

    @SplitIce said:
    @eva2000 I don't suppose you have benchmarked them for Centmin Mod (only 'cause you benchmark near everything). I'd be really curious to see a modern comparison (post Spectre etc.).

    Haven't touched nftables yet, as Centmin Mod uses CSF Firewall (iptables wrapper), so will have to see how CSF Firewall handles CentOS/RHEL 8 nftables. CSF Firewall folks said wait and see, as they also need to get their hands on CentOS 8.

  • rm_ IPv6 Advocate, Veteran

    iptables works.

  • FHR Member, Host Rep
    edited June 2019

    XDP looks great from the description; it seems it can process millions of packets per second on a single core. eBPF with XDP is a superior method of filtering to anything else.

    SplitIce said: I wonder if you can run both iptables and nftables (i.e. run nftables after an IPTABLES prerouting raw hook). That would be cool.

    AFAIK no.

  • ehab Member
    edited June 2019

    ++nftables

  • Levi Member

    @Shot2 said:
    I dislike nftables. Idiotic and contorted.

    Care to elaborate? Nft seems way more human readable than iptables.

    Thanked by 1darkimmortal
  • SplitIce Member, Host Rep

    @LTniger I assume he means contextual problems, e.g. what "tcp" means varies given its location in the rule, for example.

    BTW, to anyone looking to play with eBPF as a result of this thread: you need a damn new kernel. None of this >3.9 or even 4.1 as quoted elsewhere. For most features, >4.16.

  • SplitIce Member, Host Rep

    Blast from the past, I thought I'd share something.

    Back when I opened this I was disappointed with the lack of verdict maps in iptables. So I set out to research different ways a similar technology could be introduced into iptables/xtables.

    A prototype is now out: https://github.com/splitice/xt_DYNJMP/

    Requires a kernel patch, since iptables by default doesn't let you do such dangerous things (and yes this IS dangerous).

    Thanked by 2Clouvider eva2000
  • iptable : it is a command line utility to configure firewall rules
    nftable : it is package filtering framework.

    Thanked by 1Janevski
  • SplitIce Member, Host Rep

    cloudminister said: nftable : it is package filtering framework.

    netfilter: is a package filtering framework.

    FTFY
