[H-GEN] LWN: 'Nftables: a new packet filtering engine'

Daniel Devine devine at ddevnet.net
Sun Oct 20 03:59:14 EDT 2013


 

On 2013-10-20 11:25 AM, Benjamin Fowler wrote: 

> The idea of implementing a virtual machine in the kernel to handle firewall rules (and a new rule language and a compiler to translate the rules) strikes me as slight overkill.

Keep in mind that the virtual machine is quite small (and, for those
wondering - it is *not* a virtual machine in the sense that VMware or
VirtualBox are) and the language and compiler (needed to generate
bytecode specific to the VM) are very application specific. Initial
tests have shown that it is faster than the code it is replacing.
In terms of total code, implementing these new things is less work than
maintaining the individual protocol-aware subsystems (IPv4, IPv6, ARP,
Ethernet Bridging - and I suspect there may be others). Taking these
points into account I don't think a small virtual machine is overkill at
all.

Apparently nftables was modelled on another system already in the kernel
called BPF which also uses a virtual machine. However the author of
nftables deemed it easier to start from scratch than to add nftables
features to BPF. It's said that nftables already surpasses BPF in terms
of features. 

-- 
Daniel Devine
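To make the "one small engine instead of several protocol-aware subsystems" point concrete, here is an added example ruleset written for the nft userspace tool (nftables was merged into Linux 3.13 shortly after this thread; the ruleset below is the editor's, not the poster's or the nftables project's). It uses the "inet" family so a single table covers both IPv4 and IPv6, where iptables and ip6tables would need two parallel rule sets. The interface name and the service ports are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): a minimal stateful host
# firewall as one "inet" ruleset. The same rules match IPv4 and IPv6;
# the kernel compiles each rule into expressions for its small
# interpreter rather than dispatching to per-protocol match modules.
# Assumptions for illustration: ports 22 and 443 are the exposed
# services; "lo" is the loopback interface.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and traffic belonging to known connections.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP for both families (PMTU discovery, neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        # Exposed services; one rule covers v4 and v6.
        tcp dport { 22, 443 } ct state new accept

        # Rate-limited logging of whatever falls through to the drop policy.
        limit rate 5/minute log prefix "nft-drop: " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file without loading it with `nft -c -f <file>`, then load it with `nft -f <file>`; note that `flush ruleset` discards every existing table, including anything another tool installed. To see what the "compiler" actually hands to the kernel, run `nft --debug=netlink list ruleset`: for each rule it prints the sequence of expressions (payload loads, comparisons, conntrack state lookups, verdicts) that the in-kernel interpreter evaluates, which is the bytecode the post refers to.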
 