Optimizing iptables-nft large ruleset performance in user space

When examining Linux firewall performance, there is a second aspect to packet processing—namely, the cost of firewall setup manipulations. In a world of containers, distinct network nodes spawn quickly enough for firewall ruleset adjustment delay to become a significant factor. At the same time, rulesets tend to become huge given the number of containers even a moderately specced server might host.

In the past, considerable effort was put into legacy iptables to speed up the handling of large rulesets. With the recent push upstream and downstream to establish iptables-nft as the standard variant, a reassessment of this quality is in order. To see how bad things really are, I created a bunch of benchmarks to run with both variants and compare the results.

Firewalld: The Future is nftables

Firewalld, the default firewall management tool in Red Hat Enterprise Linux and Fedora, has gained long-sought support for nftables. This was announced in detail on firewalld’s project blog. The feature landed in the firewalld 0.6.0 release as the new default firewall backend.

The benefits of nftables have been outlined on the Red Hat Developer Blog:

There are many longstanding issues with firewalld that we can address with nftables that were not possible with the old iptables backend. The nftables backend allows the following improvements:


CI Security on Red Hat Enterprise Linux from a Windows Perspective

The sheer number of tasks involved in building out automation infrastructure for a new organization never ceases to amaze me. One of the most often overlooked groups of tasks, however, is security. Though I am in no way a security expert, I know there are some basic steps we should take to protect ourselves and our precious systems.

I also know that not everyone who administers RHEL systems has an extensive background working with Linux. If, like me, you’re normally a Windows admin, yet you find yourself having to secure a RHEL system, fret not. Here are some tips for adapting what you already know about Windows security best practices to RHEL environments.

(Some of) The Basics

For our purposes here, I’m going to run through three things that I would do quickly on Windows and discuss their equivalent on RHEL. We’re in no danger of this becoming a comprehensive guide. As far as starting points go, it should be fair enough.

  • Software Updates
  • User/Group Isolation
  • Port Closings
