10-01-2014, 01:10 PM   #1
kikilinux
Member
Registered: Sep 2012
Posts: 125
What is the advantage of nftables over the iptables packet filter?

Hi
I want to know: can iptables be completely replaced with nftables?
Does nftables have great advantages over iptables?
I have some questions about "Pseudo-state machine in kernel-space" and "Fast lookups through performance data structures".
What exactly is the advantage of the first one?
And the second one, "fast lookups": is it appropriate for large rule sets with thousands of rules?
10-01-2014, 03:26 PM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by kikilinux
I want to know: can iptables be completely replaced with nftables?
The idea is it eventually will, yes.

Quote:
Originally Posted by kikilinux
Does nftables have great advantages over iptables?
http://wiki.nftables.org/wiki-nftabl..._with_iptables
https://home.regit.org/2014/01/why-y...love-nftables/
*Also see the rule set in comment #20.

Quote:
Originally Posted by kikilinux
I have some questions about "Pseudo-state machine in kernel-space" and "Fast lookups through performance data structures".
What exactly is the advantage of the first one?
I think http://www.tcpdump.org/papers/bpf-usenix93.pdf (chapter 3) explains this best: it's about how you express a human-readable rule set as code the kernel (the virtual state machine) understands and can use efficiently (think binary decision tree).

Quote:
Originally Posted by kikilinux
And the second one, "fast lookups": is it appropriate for large rule sets with thousands of rules?
I think you can sort of compare that with how ipset works. For example, some apps / users dump all sorts of blocking rules in the filter table INPUT chain, but with ipset you'd only use one iptables rule and have all the IP addresses or ranges in one set: very efficient.
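As an added example (not part of the thread), the ipset-style approach described in the reply written as a native nftables ruleset: a named set holds the blocked addresses and the input chain consults it from a single rule, instead of one INPUT rule per address. The addresses are constructed sample values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: blocklist as a named set so the
# input hook carries one lookup rule however many entries are blocked.
# Addresses below are constructed sample values (documentation ranges).
flush ruleset

table inet filter {
    # Named set: membership is a hash/interval lookup, not a linear walk
    # through thousands of rules. "interval" permits prefixes and ranges
    # next to single addresses.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.17, 203.0.113.0/25 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # One rule consults the whole set. Without ipset, iptables would
        # need one "-A INPUT -s <addr> -j DROP" per entry, each evaluated
        # in turn for every incoming packet.
        ip saddr @blocklist counter drop

        tcp dport { 22, 443 } ct state new accept
    }
}
```

Load it with `nft -f <file>` and add or remove entries later with `nft add element inet filter blocklist { 192.0.2.99 }` (or `nft delete element ...`) without reloading the whole ruleset; `nft list ruleset` shows the counter on the set rule so you can confirm blocked traffic is being dropped there.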