
Does it have _real_ subroutines?

Posted Mar 27, 2009 18:26 UTC (Fri) by kaber (guest, #18366)
In reply to: Does it have _real_ subroutines? by Yenya
Parent article: Nftables: a new packet filtering engine

Actually you should be able to do that: DROP is an absolute verdict and terminates ruleset evaluation. So is ACCEPT, but you can use CONTINUE or RETURN to continue in the calling chain. The goto option might also be useful if you want to return to a higher chain.

About performance: the current version is missing some optimizations and is noticeably slower than iptables with linear classification. I have a few optimization patches that inline small aligned data loads and comparisons into the main evaluation loop, which results in about equal performance to iptables (it can't be compared directly).

Where nftables gives better performance is when you're able to restructure your rulesets to make use of sets and jump and data maps to reduce the number of rules evaluated for each packet. Sets are pretty obvious I guess; with jump maps you can structure your ruleset as a tree and have efficient classification in the nodes. Data maps allow you to collapse similar rules that differ only in the target, f.i.:

iptables ... -i vlan0 -j SNAT --to-source ip1
...
iptables ... -i vlanN -j SNAT --to-source ipN

becomes

nft ... snat map meta iif { vlan0 => ip1, ..., vlanN => ipN }

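The three constructs in the post above (a set, a jump map used as a classification tree, and a data map that collapses the N SNAT rules into one) written out as a complete ruleset in current nft syntax. This is an added example, not the poster's code or an nftables project file: the 2009 prototype spelled maps with "=>" and "snat map meta iif", whereas today's nft uses ":" inside map braces, "vmap" for verdict maps and "snat to ... map". Interface names (vlan0..vlan2, wan0) and the RFC 5737 addresses are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post or the nftables project.
# Assumed: LAN interfaces vlan0..vlan2, uplink wan0, 192.0.2.0/24 as
# the SNAT source pool (RFC 5737 documentation range).

flush ruleset

table inet filter {
    # Set: one lookup instead of N near-identical "-i vlanX" rules.
    set lan_ifaces {
        type ifname
        elements = { "vlan0", "vlan1", "vlan2" }
    }

    # Leaf chains of the classification tree. These are regular (non-base)
    # chains, so falling off the end returns to the chain that jumped here.
    chain from_vlan0 {
        tcp dport { 22, 443 } accept
        # No match: return to input, where the base chain policy (drop)
        # applies. The calling chain keeps the default, not the callee.
    }

    chain from_vlan1 {
        udp dport 53 accept
        tcp dport 53 accept
        return   # explicit return; same effect as falling off the end
    }

    chain from_vlan2 {
        drop     # absolute verdict: evaluation ends, caller never resumes
    }

    # Verdict map: classify once on the input interface and jump into the
    # matching branch. A packet only evaluates the rules of its own branch,
    # which is the "tree" structure the post describes.
    map iif_dispatch {
        type ifname : verdict
        elements = { "lo"    : accept,
                     "vlan0" : jump from_vlan0,
                     "vlan1" : jump from_vlan1,
                     "vlan2" : jump from_vlan2 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname vmap @iif_dispatch
        # Interfaces absent from the map fall through to "policy drop".
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Set lookup: any LAN interface towards the uplink in one rule.
        iifname @lan_ifaces oifname "wan0" accept
    }
}

table ip nat {
    # Data map: the N "iptables -i vlanN -j SNAT --to-source ipN" rules
    # collapse into a single rule whose target address is looked up here.
    map snat_src {
        type ifname : ipv4_addr
        elements = { "vlan0" : 192.0.2.1,
                     "vlan1" : 192.0.2.2,
                     "vlan2" : 192.0.2.3 }
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" snat to iifname map @snat_src
    }
}
```

Check the file without touching the running kernel state with "nft -c -f ruleset.nft", then load it with "nft -f ruleset.nft". The verdict map gives you exactly the calling-side control the next comment asks about in one respect only: the base chain's policy is what applies when a leaf chain returns without a verdict, but a "drop" or "accept" inside the leaf is still final and is not seen by the caller.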

Does it have _real_ subroutines?

Posted Mar 27, 2009 21:00 UTC (Fri) by Yenya (subscriber, #52846)

What I would like to have is not a goto, RETURN or CONTINUE, but something like try { } catch { }. I.e., to be able to tell where to RETURN from the _calling_ side, not from the possibly deeply nested user chains. Only from the calling side can I be sure that some underlying rule cannot do something unexpected.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds