
Performance Benchmark Analysis of Egress Filtering on Linux - simonpure
https://kinvolk.io/blog/2020/09/performance-benchmark-analysis-of-egress-filtering-on-linux/
======
2bluesc
Wow, amazed they have iptables (and ipsets) in the report but no mention of
nftables in 2020.

A 2017(!) test by RedHat[0] shows that nftables scales much better with more
complex rules than iptables. The original post shows the same; again, surprised
someone doing this much work on testing hadn't mentioned nftables.

Modern firewall utilities such as firewalld (for better or worse if it
scratches your itch) have defaulted to nftables[1] when possible on platforms
like Arch and probably Ubuntu at this point.

Ultimately iptables is discouraged by Debian[2] and the netfilter project[3].

[0] [https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/](https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/)

[1] [https://firewalld.org/2018/07/nftables-backend](https://firewalld.org/2018/07/nftables-backend)

[2] [https://wiki.debian.org/nftables#Should_I_build_a_firewall_using_a_nftables.3F](https://wiki.debian.org/nftables#Should_I_build_a_firewall_using_a_nftables.3F)

[3] [https://wiki.nftables.org/wiki-nftables/index.php/Why_nftables%3F](https://wiki.nftables.org/wiki-nftables/index.php/Why_nftables%3F)

~~~
TwoNineFive
nftables has a lot of problems once you get past the extreme basics. It only
got stateful support in like 2017/2018 and still can't do some important
features for tunnels and ipsec. Nobody with real-world experience is going to
use nftables yet, except as a proof of concept or for other esoteric
reasons.

The amount of paid blogverts pushing nftables by Red Hat is pretty obvious.

nftables might be good some day, but it's not there yet.

~~~
hinkley
Any time someone says, "It's faster but it's missing important features," I
just want someone to wake me up when the feature is there and the benchmarks
are redone.

Lots of code is faster when it's feature-deficient, and gets slower once it
has covered the special cases.

------
jeffbee
At a large, well-known company where I once worked, I dropped all the outbound
iptables rules on the basis of cost. ipt_do_table was using ~15% of their CPU
fleet. It was ridiculous. The important thing to know is that the length of
the non-matching rules is the scaling factor for iptables. If you have a rule
that would short-circuit most packets (such as allow to 10.0.0.0/8 or
whatever), put that as the first rule. But more important is to force the
person who thinks there should be an egress firewall to write down in complete
sentences a logical case for it. I found in my career that it's usually just
performative netsec, serves no actual purpose and protects nobody from
nothing, while costing a fortune.
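An added illustration of the rule-ordering point above (example code, not part of the thread or the linked article): a small model of first-match chain evaluation, counting how many rules a packet touches when a broad ACCEPT for 10.0.0.0/8 sits last versus first, plus the check a practitioner needs before hoisting a rule, since moving it changes verdicts if an earlier rule overlaps its prefix with a different action. The chain, prefixes and traffic mix are all constructed.

```python
import ipaddress
import random

# Constructed chain: 200 narrow host rules (TEST-NET-3 documentation space),
# with the broad internal ACCEPT appended at the bottom, as chains tend to grow.
NARROW_RULES = [(f"203.0.113.{i}/32", "ACCEPT") for i in range(1, 201)]
BROAD_RULE = ("10.0.0.0/8", "ACCEPT")

def build_chain(rules):
    return [(ipaddress.ip_network(cidr), action) for cidr, action in rules]

def evaluate(chain, dst, policy="DROP"):
    """Walk the chain top to bottom, first match wins (the ipt_do_table model).
    Returns (verdict, number_of_rules_examined)."""
    addr = ipaddress.ip_address(dst)
    for examined, (net, action) in enumerate(chain, start=1):
        if addr in net:
            return action, examined
    return policy, len(chain)   # fell through: chain policy, every rule touched

def average_rules_examined(chain, dsts):
    return sum(evaluate(chain, d)[1] for d in dsts) / len(dsts)

def hoist_is_safe(chain, index):
    """Moving chain[index] to the front keeps every verdict only if no rule
    above it overlaps its prefix with a different action."""
    net, action = chain[index]
    return not any(other_action != action and other_net.overlaps(net)
                   for other_net, other_action in chain[:index])

def constructed_traffic(n=10_000, seed=1):
    """Constructed mix: 90% of flows go to 10/8, 10% to the narrow hosts."""
    rng = random.Random(seed)
    dsts = []
    for _ in range(n):
        if rng.random() < 0.9:
            dsts.append(f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}")
        else:
            dsts.append(f"203.0.113.{rng.randrange(1, 201)}")
    return dsts

def compare():
    """Average rules examined per packet with the broad rule last vs. first."""
    broad_last = build_chain(NARROW_RULES + [BROAD_RULE])
    broad_first = build_chain([BROAD_RULE] + NARROW_RULES)
    assert hoist_is_safe(broad_last, len(broad_last) - 1)  # no overlap, safe to move
    dsts = constructed_traffic()
    return average_rules_examined(broad_last, dsts), average_rules_examined(broad_first, dsts)

if __name__ == "__main__":
    last, first = compare()
    print(f"broad rule last: {last:.1f} rules/packet, first: {first:.1f} rules/packet")
```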

