Xtables2 vs. nftables
Posted Jan 13, 2013 11:50 UTC (Sun) by malor
Parent article: Xtables2 vs. nftables
while nftables defines a new virtual machine to process packets.
Hmm. While conceptually nice, what's that going to do to throughput? Are they going to be JIT-compiling it? And, if so, has anyone thought about security implications?
It seems to me that iptables, even with its internal warts, is one of the best features in Linux, both powerful and extremely fast. Throwing away a good design because it's old has a strong flavor of NIH. Doing a virtual machine just to do one seems pretty silly to me; what would the specific advantages be? If it's for weird packet mangling, is the overhead of a virtual machine worth carrying around to handle those corner cases better? Or would they be better served by userspace code of some kind?