Nftables: why it isn't based on BPF
Posted Mar 27, 2009 6:55 UTC (Fri) by speedster1 (guest, #8143)
In reply to: Nftables: a new packet filtering engine by samroberts
Parent article: Nftables: a new packet filtering engine
From Patrick's blog entry (mentioned in the article):
http://people.netfilter.org/kaber/weblog/2008/08/20/
A very important feature, one that is missing from all other filters that are built similar in the kernel (like BPF, TC u32 filter, ...), is reconstruction of high level constructs from the representation within the kernel. TC u32 for example allows you to specify "ip daddr X", but when dumping the filter rules it will just display an offset and length.
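
To illustrate the point quoted above, an added example (not part of the original comment, the blog entry, or any tc/nftables code): a userspace guess at the high-level expression behind dumped u32 keys. The dump line format, the field table and the names `decompile` and `prefix_len` are assumptions made for the illustration, and the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the "match VALUE/MASK at OFFSET" form
# in which u32 keys are dumped (not captured from a real system).
SAMPLE_DUMP = [
    "  match 0a000001/ffffffff at 16",
    "  match c0a80800/ffffff00 at 12",
    "  match 00060000/00ff0000 at 8",
    "  match 00000050/0000ffff at 20",
    "  match 12345678/0ff0f00f at 40",
]

# Assumed lookup table: (byte offset of the 32-bit word, mask) -> (name, shift).
BYTE_FIELDS = {
    (0, 0x00FF0000): ("ip tos", 16),
    (8, 0x00FF0000): ("ip protocol", 16),
    (20, 0xFFFF0000): ("ip sport", 16),  # only right when the header has no options
    (20, 0x0000FFFF): ("ip dport", 0),   # same caveat
}
ADDR_FIELDS = {12: "ip saddr", 16: "ip daddr"}
KEY_RE = re.compile(r"match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)")

def prefix_len(mask):
    """Return the prefix length of a contiguous netmask, else None."""
    inv = mask ^ 0xFFFFFFFF
    return 32 - inv.bit_length() if inv & (inv + 1) == 0 else None

def decompile(line):
    """Guess the high-level expression behind one dumped u32 key, or None."""
    m = KEY_RE.search(line)
    if not m:
        return None
    value, mask, off = int(m[1], 16), int(m[2], 16), int(m[3])
    plen = prefix_len(mask)
    if off in ADDR_FIELDS and plen is not None:
        net = ipaddress.ip_network((value & mask, plen))
        return f"{ADDR_FIELDS[off]} {net}"
    if (off, mask) in BYTE_FIELDS:
        name, shift = BYTE_FIELDS[(off, mask)]
        return f"{name} {(value & mask) >> shift}"
    return None  # nothing in the table matches; only offset and mask remain

if __name__ == "__main__":
    for line in SAMPLE_DUMP:
        print(f"{line.strip():32} -> {decompile(line) or '(unknown)'}")
```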
