When examining Linux firewall performance, there is a second aspect to packet processing—namely, the cost of firewall setup manipulations. In a world of containers, distinct network nodes spawn quickly enough for firewall ruleset adjustment delay to become a significant factor. At the same time, rulesets tend to become huge given the number of containers even a moderately specced server might host.
In the past, considerable effort was put into legacy
iptables to speed up the handling of large rulesets. With the recent push upstream and downstream to establish
iptables-nft as the standard variant, a reassessment of this quality is in order. To see how bad things really are, I created a bunch of benchmarks to run with both variants and compare the results.
Continue reading “Optimizing iptables-nft large ruleset performance in user space”
Firewalld, the default firewall management tool in Red Hat Enterprise Linux and Fedora, has gained long sought support for nftables. This was announced in detail on firewalld’s project blog. The feature landed in the firewalld 0.6.0 release as the new default firewall backend.
The benefits of nftables have been outlined on the Red Hat Developer Blog:
There are many longstanding issues with firewalld that we can address with nftables that were not possible with the old iptables backend. The nftables backend allows the following improvements:
Continue reading “Firewalld: The Future is nftables”
Since I’ve learned about nftables, I heard numerous times that it would provide better performance than its designated predecessor, iptables. Yet, I have never seen actual figures of performance comparisons between the two and so I decided to do a little side-by-side comparison.
Continue reading “Benchmarking nftables”
Wanting to become familiar with nftables, I decided to jump in at the deep end and just use it on my local workstation. The goal was to replace the existing iptables setup, ideally without any drawbacks. The following essay will guide you through what I have done in order to achieve that.
Continue reading “Migrating my iptables setup to nftables”