Netfilter logo

This weekend we had Netfilter Workshop 2018 in Berlin, Germany.

Lots of interesting talks happened, mostly surrounding nftables and how to move forward from the iptables legacy world to the new, modern nft framework.

In a nutshell, the Netfilter project, the FLOSS community driven project, has agreed to consider iptables as a legacy tool. This confidence comes from the maturity of the nftables framework, which is fairly fully-compliant with the old iptables API, including extensions (matches and targets).

Starting now, next iptables upstream releases will include the old iptables binary as /sbin/iptables-legacy, and the same for the other friends.

To summarize:

  • /sbin/iptables-legacy
  • /sbin/iptables-legacy-save
  • /sbin/iptables-legacy-restore
  • /sbin/ip6tables-legacy
  • /sbin/ip6tables-legacy-save
  • /sbin/ip6tables-legacy-restore
  • /sbin/arptables-legacy
  • /sbin/ebtables-legacy

The new binary will be using the nf_tables kernel backend instead, what was formely known as ‘iptables-compat’. Should you find some rough edges with the new binary, you could always use the old -legacy tools. This is for people who want to keep using the old iptables semantics, but the recommendation is to migrate to nftables as soon as possible.

Moving to nftables will add the benefits of improved performance, new features, new semantics, and in general, a modern framework. All major distributions will implement these changes soon, including RedHat, Fedora, CentOS, Suse, Debian and derivatives. We also had some talks regarding firewalld, the firewalling service in use by some rpm-based distros. They gained support for nftables starting with v0.6.0. This is great news, since firewalld is the main firewalling top-level mechanism in these distributions. Good news is that the libnftables high level API is in great shape. It recently gained a new high level JSON API thanks to Phil Sutter. The firewalld tool will use this new JSON API soon.

I gave a talk about the status of Netfilter software packages at Debian, and shared my plans to implement these iptables -> nftables changes in the near future.

We also had an interesting talk by a CloudFlare engineer about how they use the TPROXY Netfilter infraestructure to serve thousand customers. Some discussion happened about caveats and improvements and how nftables could be a better fit if it gains TPROXY-like features. In the field of networking at scale, some vmware engineers also joined the conversation for nft connlimit and nf_conncount, a new approach in nftables for rate-limiting/policing based on conntrack data. This was followed up by a presentation by Pablo Neira about the new flow offload infrastructure for nftables, which can act as a complete kernel bypass in case of packet forwarding.

The venue

Jozsef Kadlecsik shared a deep and detailed investigation on ipset vs nftables and how we could match both frameworks. He gave an overview of what’s missing, what’s already there and what could be a benefit from users migrating from ipset to nftables.

We had some space for load-balancing as well. Laura García shared the last news regarding the nftlb project, the nftables-based load balancer. She shared some interesting numbers about how reptoline affects Netfilter performance. She mentioned that the impact of reptoline is about 17% in nftables and 40% for iptables for her use cases.

Florian Westphal gave a talk regarding br_netfilter and how we could improve the linux kernel networking stack from the Netfilter point of view for bridge use cases. Right now all sorts of nasty things are done to store required information and context for packets traveling bridges (which may need to be evaluated by Netfilter). We have a lot of marging for improvement and Florian’s plan is to invest time in these.

We had a very interesting legal talk by Dr. Till Jaeger regarding GPL enforcement in Germany, related to the Patrick McHardly situation. Some good work is being done in this field to defend the community against activities which hurts the interest of all the Linux users and developers.

Harsha Sharma, 18 years old from India, gave a talk explaining her work on nftables to the rest of Netfilter contributors. This is possible thanks to internship programs like Outreachy and Google Summer of Code. Varsha and Harsha, both are so brave for traveling so far from home to join a mostly european-white-men-only meeting. We where joined by 3 women this workshop and I would like to believe this is a symbol of our inclusiveness, of being a healthy community.

The group

The workshop was sponsorized by vmware, zevenet, redhat, intra2net, oisf, stamus networks, and suricata.