
Nftables: a new packet filtering engine

Posted Mar 26, 2009 17:06 UTC (Thu) by samroberts (subscriber, #46749)
In reply to: Nftables: a new packet filtering engine by gdt
Parent article: Nftables: a new packet filtering engine

BPF as used by tcpdump is already a byte-code interpreter in the kernel,
and pre-existed iptables. It does matching, but doesn't have actions.

I find it interesting that the lwn article and what little info I saw
about nftables doesn't either. It seems sufficiently similar, why isn't
it being used as a basis for the opcode interpreter? NIH?

And why the firewalling didn't take a BPF-like approach with an opcode
interpreter and user-space compiler from the start is beyond me.


to post comments

Nftables: why it isn't based on BPF

Posted Mar 27, 2009 6:55 UTC (Fri) by speedster1 (guest, #8143)

From Patrick's blog entry (mentioned in article)
http://people.netfilter.org/kaber/weblog/2008/08/20/

A very important feature, one that is missing from all other filters that are built similar in the kernel (like BPF, TC u32 filter, ...), is reconstruction of high level constructs from the representation within the kernel. TC u32 for example allows you to specify "ip daddr X", but when dumping the filter rules it will just display an offset and length.
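The two points raised above, samroberts' observation that a BPF-style program matches but carries no actions, and the blog passage just quoted about a kernel that holds only offset/length compares being unable to reconstruct "ip daddr X", can be seen side by side in a small model. The following is an added example, not code from the article, from this thread, from nftables or from any BPF implementation: the three-opcode VM, the field-offset table and the sample packet are constructed assumptions chosen to mirror a classic-BPF-like filter.

```python
"""Tiny BPF-style matcher next to a rule object that keeps its high-level
form. Added example; not code from LWN, nftables or BPF. The opcode set,
field table and packet layout below are constructed assumptions."""
import ipaddress
import struct

# Constructed layout: Ethernet (14 bytes) followed by an IPv4 header, so the
# IPv4 destination address sits at offset 14 + 16 = 30, length 4.
ETH_LEN = 14
FIELD_OFFSETS = {("ip", "saddr"): (ETH_LEN + 12, 4),
                 ("ip", "daddr"): (ETH_LEN + 16, 4),
                 ("ip", "protocol"): (ETH_LEN + 9, 1)}

# Opcodes of a minimal classic-BPF-like VM (assumed subset: load, jump-if-equal, return).
LD, JEQ, RET = "ld", "jeq", "ret"

def build_packet(src, dst, proto=6):
    """Constructed sample frame: zeroed Ethernet addresses, IPv4 ethertype, 20-byte IPv4 header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip

def compile_rule(proto, field, value):
    """Lower "proto field value" into offset/length instructions; the field name is gone after this."""
    off, length = FIELD_OFFSETS[(proto, field)]
    imm = int(ipaddress.IPv4Address(value)) if field in ("saddr", "daddr") else int(value)
    return [(LD, off, length),   # A = packet[off:off+length] as a big-endian integer
            (JEQ, imm, 1, 0),    # if A == imm skip one instruction (jt), else fall through (jf)
            (RET, 0),            # no match: return 0
            (RET, 0xFFFF)]       # match: return a non-zero length, as classic BPF does

def run(program, pkt):
    """Execute the program; the result is only a number, there is no action attached."""
    acc, pc = 0, 0
    while pc < len(program):
        ins = program[pc]
        if ins[0] == LD:
            _, off, length = ins
            if off + length > len(pkt):
                return 0         # out-of-bounds load rejects the packet, as in classic BPF
            acc = int.from_bytes(pkt[off:off + length], "big")
            pc += 1
        elif ins[0] == JEQ:
            _, imm, jt, jf = ins
            pc += 1 + (jt if acc == imm else jf)
        else:
            return ins[1]
    return 0

def dump_program(program):
    """All a kernel can show back when it holds nothing but the bytecode."""
    out = []
    for ins in program:
        if ins[0] == LD:
            out.append(f"ld [{ins[1]}:{ins[2]}]")
        elif ins[0] == JEQ:
            out.append(f"jeq #0x{ins[1]:08x} jt {ins[2]} jf {ins[3]}")
        else:
            out.append(f"ret #{ins[1]}")
    return out

class Rule:
    """A rule that keeps its original fields and an action beside the compiled program."""
    def __init__(self, proto, field, value, action):
        self.proto, self.field, self.value, self.action = proto, field, value, action
        self.program = compile_rule(proto, field, value)

    def matches(self, pkt):
        return run(self.program, pkt) != 0

    def dump(self):
        """Reconstructs the rule as it was written, which the bytecode alone cannot."""
        return f"{self.proto} {self.field} {self.value} {self.action}"

def evaluate(rules, pkt, default="accept"):
    """First-match semantics: the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

if __name__ == "__main__":
    rules = [Rule("ip", "daddr", "10.0.0.1", "drop"), Rule("ip", "protocol", "17", "log")]
    for line in dump_program(rules[0].program):
        print(line)                       # offsets and immediates only
    print(rules[0].dump())                # ip daddr 10.0.0.1 drop
    print(evaluate(rules, build_packet("192.0.2.1", "10.0.0.1")))
```

Running it prints the compiled form as `ld [30:4]` followed by a compare against `#0x0a000001`, which is exactly the offset-and-length view the blog passage describes, whereas `Rule.dump()` gives back `ip daddr 10.0.0.1 drop` because the rule object never discarded the field name or the action.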

Nftables: a new packet filtering engine

Posted Mar 27, 2009 18:14 UTC (Fri) by kaber (guest, #18366) (1 responses)

The BPF interpreter isn't too useful for this case since you can't update a BPF program incrementally and the filter size is limited to 64k. It's also too limited in many other aspects.

Nftables: a new packet filtering engine

Posted Mar 28, 2009 17:21 UTC (Sat) by yoduh (guest, #38527)

Can you elaborate on these differences for us fresh readers of the bpf-usenix93 paper? Your VM sounds close enough to BPF++ to perhaps describe it in those terms. Both limitations you cite (no incremental update, 64k) sound like implementation decisions made when the goal was picking 1 in 100000 packets, not disposition of every one of them; i.e. not hard limits.

Nftables: a new packet filtering engine

Posted Apr 3, 2009 18:22 UTC (Fri) by trasz (guest, #45786)

Actually, at least in FreeBSD, bpf is not just a bytecode interpreter - it employs JIT.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds