Thanks Lisa, just to clarify:
I am compiling EVERYTHING from the kernel up, either 32 or 64, so the '64-in-32-userland' issue does not apply.
This box will have everything freshly compiled from source from day one.
It will be a 'pure' 64 (or 32) box. Now, from distant times I remember that 16-bit processors were generally faster than 8-bit, and 32-bit were faster than 16-bit; how come the 64-bit processor is slower than the 32? In a 'pure 64' environment does that still apply? I can understand that iptables has not been thoroughly tested in a 'pure 64' environment, but why would it run slower?
Inquiring minds would like to know...
ET


Lisa Kachold writes:
Hi! Great question:
On Sun, Jul 22, 2012 at 4:04 AM, [email protected] <[email protected]> wrote:
Hello World:
I run my firewall on a LFS box.

You might also consider a hardened kernel with: http://grsecurity.net/

Everything on it is compiled from source.
No bells and whistles, only the essential software is installed.
The hardware is 64 bits but I've been running 32 bit OS.

32-bit iptables doesn't work on a machine running amd64 kernel, when run
it reports:
===
# iptables -L
iptables v1.2.11: can't initialize iptables table `filter': Module is wrong version
Perhaps iptables or your kernel needs to be upgraded
===
iptables has to be 64bit to talk to a 64bit kernel due to an alignment
issue in the kernel structures for iptables.  So you do need at least
the 64bit iptables binary and associated libs.

This time around I am wondering...
The question is:
Is there any advantage to compiling the whole iptables enchilada in 64
bits?
   - 32 bit is faster than 64 bit
   - 32 bit is well tested, 64 bit isn't tested at all
   - 2039 is still a long way off
The only reasons to compile anything in 64bit architecture:
   - It needs to access more than 4GB of memory. In the real world this
   only applies to huge databases.
   - It needs to talk to the kernel directly. Some applications, like
   iptables, contain ugly hacks to support the 64 bit kernel/32 bit
   userland thing.
   - It is a kernel.
For you to talk with your 64bit kernel, you need 64bit iptables!

Should it be avoided?
Please note that the 'normal' rules like 'more than 4GB and/or
32-bit-adobe' do not apply here, what I am looking for is whether
filtering/marking will be faster/slower and (if known) why.
Any ideas?
Tnx
ET

--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
http://it-clowns.com
Safeway.com Automation Engineer
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
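The alignment issue Lisa points at (a 64-bit kernel and a 32-bit iptables disagreeing about the size of the structures they hand each other) can be made concrete. The following is an added example and is not code from this thread, from iptables or from the kernel: it models a simplified entry-plus-counters record, assumed here for illustration, lays it out under the i386 and x86_64 ABIs using gcc's default type sizes and alignments, and shows why a buffer sized by a 32-bit binary fails a 64-bit kernel's size check. The field names, the ABI table and the `kernel_accepts` check are assumptions of the example, not the kernel's actual code.

```python
"""Why a 32-bit iptables cannot talk to a 64-bit kernel: the same C
struct has a different size and different field offsets under the i386
(ILP32) and x86_64 (LP64) ABIs, so the two sides disagree about the
buffer they exchange.

Added example. The record below is a simplified stand-in for the
entry-plus-counters structures iptables passes to the kernel through
setsockopt/getsockopt; it is constructed for illustration and is not
copied from the kernel headers.
"""

# (field name, C type): three 32-bit header words followed by a pair of
# 64-bit packet/byte counters. The 64-bit fields are what bite.
FIELDS = [
    ("target_offset", "u32"),
    ("next_offset", "u32"),
    ("comefrom", "u32"),
    ("pcnt", "u64"),
    ("bcnt", "u64"),
]

# (size, alignment) of each primitive type per ABI, gcc defaults: a
# 64-bit integer is only 4-byte aligned on i386 but 8-byte on x86_64.
ABI = {
    "i386": {"u32": (4, 4), "u64": (8, 4)},
    "x86_64": {"u32": (4, 4), "u64": (8, 8)},
}


def align_up(value, alignment):
    """Round `value` up to the next multiple of `alignment`."""
    return (value + alignment - 1) // alignment * alignment


def layout(abi, fields=FIELDS):
    """Return (sizeof, {field: offset}) for `fields` under `abi`, using
    the usual C rules: every field starts at a multiple of its own
    alignment and the struct is padded to its largest alignment."""
    types = ABI[abi]
    offsets, cursor, max_align = {}, 0, 1
    for name, ctype in fields:
        size, alignment = types[ctype]
        cursor = align_up(cursor, alignment)
        offsets[name] = cursor
        cursor += size
        max_align = max(max_align, alignment)
    return align_up(cursor, max_align), offsets


def kernel_accepts(kernel_abi, user_abi, n_entries):
    """Model of the kernel's sanity check on a table blob: userland says
    how many entries it sends and how long the blob is, and the kernel
    rejects the blob unless that length matches its own idea of
    sizeof(entry) * n_entries. (Assumed check for this example; the
    real code walks the entries and validates each offset as it goes.)"""
    user_size, _ = layout(user_abi)
    kernel_size, _ = layout(kernel_abi)
    blob_len = user_size * n_entries
    return blob_len == kernel_size * n_entries


def report(kernel_abi="x86_64", user_abi="i386"):
    """Human-readable comparison of the two layouts and the verdict the
    kernel would give, for running this file directly."""
    lines = []
    for abi in (user_abi, kernel_abi):
        size, offsets = layout(abi)
        lines.append(f"{abi:7s} sizeof={size:2d} offsets={offsets}")
    verdict = "accepts" if kernel_accepts(kernel_abi, user_abi, 1) else "rejects"
    lines.append(f"{kernel_abi} kernel {verdict} a table built by {user_abi} iptables")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On i386 a 64-bit integer is only 4-byte aligned, so the counters follow the three header words directly and the record is 28 bytes; on x86_64 they are 8-byte aligned, which inserts 4 bytes of padding and makes the record 32 bytes. A 32-bit userland handing a buffer of 28-byte records to a kernel that expects 32-byte ones has its request rejected, which iptables surfaces as the "Module is wrong version" error quoted above. Linux later grew a compat layer in x_tables (enabled with CONFIG_COMPAT) that translates between the two layouts, but building iptables for the same word size as the kernel, as ET is doing, avoids the translation entirely.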