
Does it have _real_ subroutines?

Posted Mar 27, 2009 14:26 UTC (Fri) by Yenya (subscriber, #52846)
Parent article: Nftables: a new packet filtering engine

My biggest problem with IPtables is that it does not support real subroutines. You can use user-defined chains to factor out most of the common code, but there is no way to make them "local", i.e. to be able to say "call this chain, and when the result is DROP, DROP the packet. Otherwise (for every other decision, including ACCEPT), continue further".

I have an IPtables firewall routing between about 9 VLANs, some of which have the security status of "outside world", others having various levels of security (currently I have >1600 iptables rules, and some of the filtering - like blacklisting some IP address blocks - is done on the iproute2 "ip rule" level outside iptables). There is no way I can say "treat such and such traffic outgoing from one of my VLANs as legal, but consult further the rules for the destination machine on the other VLAN", without replicating some of the rules and without being _extremely_ careful about not calling ACCEPT in some chains.

Also, would the interpreted filtering have any performance impact? I am currently able to route about 1.5 Gbit/s of traffic with those >1600 rules on a dual-CPU opteron box. Would nftables be able to handle it as well?


to post comments

Does it have _real_ subroutines?

Posted Mar 27, 2009 18:26 UTC (Fri) by kaber (guest, #18366) [Link] (1 responses)

Actually, you should be able to do that. DROP is an absolute verdict and terminates ruleset evaluation. So is ACCEPT, but you can use CONTINUE or RETURN to continue in the calling chain. The goto option might also be useful if you want to return to a higher chain.

About performance: the current version is missing some optimizations and is noticeably slower than iptables with linear classification. I have a few optimization patches that inline small aligned data loads and comparisons into the main evaluation loop, which results in about equal performance to iptables (it can't be compared directly).

Where nftables gives better performance is when you're able to restructure your rulesets to make use of sets and jump and data maps to reduce the number of rules evaluated for each packet. Sets are pretty obvious, I guess; with jump maps you can structure your ruleset as a tree and have efficient classification in the nodes. Data maps allow you to collapse similar rules that differ only in the target, f.i.:

iptables ... -i vlan0 -j SNAT --to-source ip1
...
iptables ... -i vlanN -j SNAT --to-source ipN

becomes

nft ... snat map meta iif { vlan0 => ip1, ..., vlanN => ipN }
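To make the two points in the comment above concrete (helper chains that only ever DROP or RETURN, so the calling chain keeps the final decision; and a jump map plus a data map replacing a linear run of per-VLAN rules), here is an added example ruleset. It is not kaber's code and not from the nftables project; it is written in the current nft syntax (`vmap`, `map`, `inet` family), which is an assumption about today's tool rather than the 2009 syntax quoted above, and the interface names, prefixes and addresses in it are constructed.

```conf
# Added example ruleset (constructed). Convention that answers the
# "local subroutine" concern: helper chains decide only between
# "drop" and "return"; they never "accept", so the base chain
# that jumped to them always regains control and makes the final verdict.
table inet filter {
    # Source-side check for the DMZ VLAN: only the expected prefix may
    # originate traffic; everything else is dropped here.
    chain from_dmz {
        ip saddr 192.0.2.0/24 return
        drop
    }

    # Destination-side policy chains, one per protected VLAN.
    # Each returns on the legal case and drops the rest.
    chain to_vlan10 {
        tcp dport { 22, 443 } return
        drop
    }
    chain to_vlan20 {
        ip saddr 192.0.2.0/24 tcp dport 80 return
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Jump map (classification tree, level 1): dispatch on the
        # input interface. Interfaces without an entry fall through.
        iifname vmap { "vlan0" : jump from_dmz }

        # Jump map (level 2): dispatch on the output interface. A packet
        # reaches this rule only if the source-side chain returned.
        oifname vmap { "vlan10" : jump to_vlan10,
                       "vlan20" : jump to_vlan20 }

        # Only the base chain ever accepts: both helper chains returned.
        accept
    }
}

# Data map: one SNAT rule keyed on the input interface replaces
# a linear list of per-VLAN "-j SNAT --to-source" rules.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "uplink0" snat to iifname map { "vlan0"  : 198.51.100.10,
                                                "vlan10" : 198.51.100.11,
                                                "vlan20" : 198.51.100.12 }
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`. Note that the safety property rests on a convention (helper chains never accept) and not on an enforced mechanism: nft, like iptables, has no way for the calling side to veto an accept issued from a nested chain, so a review of every helper chain for stray `accept` verdicts is still needed, which is exactly the gap the parent comment points at.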

Does it have _real_ subroutines?

Posted Mar 27, 2009 21:00 UTC (Fri) by Yenya (subscriber, #52846) [Link]

What I would like to have is not a goto, RETURN or CONTINUE, but something like try { } catch { }, i.e. to be able to tell where to RETURN from the _calling_ side, not from the possibly deeply nested user chains. Only from the calling side can I be sure that some underlying rule cannot do something unexpected.

