On Friday 2011-04-29 11:33, Juraj Gabčík wrote:

> I am interested in the background of the processing of a packet after
> it's received by the NIC: what queues it passes, where the rules can be
> applied etc. Nor could I find any information about whether
> nftables has the same structure of classes INPUT, OUTPUT and FORWARD
> as iptables.
>
> I need to compare the efficiency of the firewall created by iptables
> and nftables and I would be very grateful if you could explain to me
> the main differences between the processing of a packet by means of
> iptables and nftables.

Differences: iptables (or more precisely the Xtables collective) uses a packed table and no "indirect interpreter" - a module like xt_u32 is optional -, which yields the speediest execution environment. This packing is important the larger the ruleset becomes, and the smaller the CPU caches are. It also has no limits on call depth.

Xtables does not use the Netlink protocol yet for conveying changes to the kernel, but it is being pondered how to get it there. Netlink attributes have some worrying limitations and no consensus has yet been reached on the packet format. The much-sought nlattr32 patches have not appeared yet either, so the protocol effort is staggering, but I hold high hopes someone is on nla32 - meanwhile, I utilize the time by doing precursor work on the userspace components instead (the option parsing patches posted - a large part of the code is reusable for a Netlink variant).

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html