Hi David,

On Mon, Feb 19, 2018 at 01:41:29PM -0500, David Miller wrote:
> From: Phil Sutter <p...@nwl.cc>
> Date: Mon, 19 Feb 2018 19:05:51 +0100
> > On Mon, Feb 19, 2018 at 12:22:26PM -0500, David Miller wrote:
> >> From: Phil Sutter <p...@nwl.cc>
> >> Date: Mon, 19 Feb 2018 18:14:11 +0100
> >> 
> >> > OK, so reading between the lines you're saying that nftables project
> >> > has failed to provide an adequate successor to iptables?
> >> 
> >> Whilst it is great that the atomic table update problem was solved, I
> >> think the emphasis on flexibility often at the expense of performance
> >> was a bad move.
> > 
> > I don't see a lack of performance in nftables when being compared to
> > iptables (as we have now). From my point of view, it's quite the
> > contrary: nftables did a great job in picking up iptables performance
> > afterthoughts (e.g. ipset) and leveraging that to the max(TM) (verdict
> > maps, concatenated set entries). Assuming the virtual machine design
> > principle isn't just marketing but sets the course for JIT ruleset
> > optimizations, there's some margin as well.
> > 
> > So from my perspective, one should say nftables increased flexibility
> > without sacrificing performance.
> I did not say nftables adjusted performance one way or another.  It kept
> it on the same order of magnitude.  And this is a design decision.

Oh, seems I missed your point then. What subject did you have in mind
when you wrote "emphasis on flexibility often at the expense of
performance"? I thought you were talking about nftables.

> > Yes, even with my limited experience I noticed that there is quite some
> > demand for even faster packet processing in Linux, mostly for rather
> > custom scenarios like forwarding into containers/VMs. Though my point
> > was about general purpose firewalling abilities in Linux, say people
> > securing their desktop or maintaining networks with less demands on
> > performance.
> I've always stated that low power, low end, systems are just a good
> place for high performance filtering as high end ones.

Do you think these systems are likely to receive a NIC (or some sort of
co-processor) which allows for offloading eBPF to? Maybe I miss the
point again, but this is the only argument for bpfilter over nftables -
and that only if one ignores the option to implement an eBPF backend for
nftables VM). OK, maybe this clarifies once I know what you had in mind
when you wrote that reply.

Cheers, Phil

Reply via email to