I believe an early consideration for this project should be which filtering (firewall) mechanism will be chosen for this Linux-based router.
Traditionally, iptables has been the default, with nftables slated to be its official replacement, but there are also eBPF and bpfilter.
Personally, I believe the eBPF approach might be appealing to this project, as it also extends into other areas of functionality that do not include network packet filtering.
Here's my attempt at outlining some of the differences.
iptables
Oldest of the three, introduced in Linux kernel 2.4 (around 2001).
User-space utility for configuring the Linux kernel firewall.
Uses chains and tables to process network packets.
Widely used and well-established, but can be complex for large rulesets.
Performance can degrade with many rules.
nftables
Successor to iptables, introduced in Linux kernel 3.13 (2014).
Aims to replace iptables, ip6tables, arptables, and ebtables.
More efficient packet classification framework than iptables.
Uses a single rule engine for all protocols, simplifying configuration.
Better performance with large rulesets and more flexible rule definition.
More modern and readable syntax compared to iptables.
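To make the syntax and "single rule engine" points concrete, here is an added example (not from the original post) of a minimal stateful ruleset for a two-interface router written in native nftables syntax, with the equivalent iptables command for each rule shown as a comment. The interface names `wan0` and `lan0` are assumed, and the policy itself (drop inbound by default, allow LAN-originated forwarding, masquerade outbound) is only illustrative. Note that one `inet` table covers IPv4 and IPv6, where iptables would need the same rules repeated under `ip6tables`.

```nft
#!/usr/sbin/nft -f
# Added example: a stateful router ruleset. Load with `nft -f router.nft`,
# inspect with `nft list ruleset`. Interface names wan0/lan0 are assumptions.

# Start from a clean state so the file can be re-applied idempotently.
flush ruleset

# One table for both IPv4 and IPv6; iptables needs iptables + ip6tables for this.
table inet filter {
    chain input {
        # iptables -P INPUT DROP
        type filter hook input priority 0; policy drop;

        # iptables -A INPUT -i lo -j ACCEPT
        iif lo accept

        # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept

        # iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
        ct state invalid drop

        # iptables -A INPUT -i lan0 -p tcp --dport 22 -j ACCEPT
        # Management access only from the LAN side; WAN stays closed.
        iifname "lan0" tcp dport 22 accept

        # Allow ICMP/ICMPv6 so path MTU discovery and IPv6 neighbour discovery work.
        # iptables -A INPUT -p icmp -j ACCEPT ; ip6tables -A INPUT -p icmpv6 -j ACCEPT
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain forward {
        # iptables -P FORWARD DROP
        type filter hook forward priority 0; policy drop;

        # iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept

        # iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
        # Only LAN-originated flows may cross to the WAN; replies match ct state above.
        iifname "lan0" oifname "wan0" accept
    }
}

# NAT is IPv4-only here, so this table uses the ip family rather than inet.
table ip nat {
    chain postrouting {
        # iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

The whole policy is applied atomically by `nft -f`, so a half-loaded ruleset cannot leave the router briefly open; with iptables, each command above is a separate kernel update unless `iptables-restore` is used.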
bpfilter
Newest of the three, still in development as of 2024.
Designed to eventually replace both iptables and nftables.
Uses eBPF (Extended Berkeley Packet Filter) technology under the hood.
Aims to provide better performance and more flexibility than both iptables and nftables.
Designed to be backwards compatible with iptables and nftables configurations.
Still in experimental stages and not yet widely adopted or fully implemented.
Key differences:
Age and Adoption: iptables is oldest and most widely used. nftables is newer and gaining adoption. bpfilter is the newest and still experimental.
Performance: bpfilter aims to offer the best performance, followed by nftables, then iptables.
Flexibility: bpfilter, leveraging eBPF, should offer the most flexibility, followed by nftables, then iptables.
Ease of use: iptables is familiar but can be complex. nftables aims to simplify configuration. bpfilter aims to be backwards compatible while offering new capabilities.
Implementation: iptables and nftables are primarily userspace tools configuring kernel features. bpfilter uses eBPF programs running in the kernel.
Maturity: iptables is most mature, nftables is well-established, while bpfilter is still experimental.
Future direction: bpfilter is intended to eventually replace both iptables and nftables, providing a unified framework for packet filtering in Linux.