LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Xtables2 vs. nftables

Xtables2 vs. nftables

Posted Feb 4, 2013 20:35 UTC (Mon) by jengelh (subscriber, #33263)
In reply to: Xtables2 vs. nftables by intgr
Parent article: Xtables2 vs. nftables

>Right now each firewall rule has to stand on its own and you get no control over which order certain terms are evaluated.

Rule evaluation order is very well defined, it follows the usual left-to-right evaluation with short-circuit semantics like the && operator in C.

>It would be a lot more flexible to provide an abstract virtual machine in the kernel and let the user space generate whatever code it needs to support the protocol it wants. That's how bpf already works in the kernel,

iptables is already a VM of sorts. In addition, remember that xt_u32 has been in the kernel for a long time, and it looks like we will be gaining xt_bpf shortly as well.

But none of them is meant to deal with low-performing rules. If you test a condition multiple times, BPF should be doing it. If there is any static optimization such as common subexpression elimination to be done, then, I.M.H.O., userspace should be doing that before passing on the filter data to the kernel.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds