[libvirt] [RFC] Switch to nftables from netfilter
Michal Privoznik
mprivozn at redhat.com
Tue Jul 26 14:25:17 UTC 2016
Dear list,
I've come across nftables [1]. It looks very promising, more than old
netfilter. It offers new features [2], from which I'd pick:
- better performance under high traffic workloads
- atomic filter/chain replacements
- transactions
I haven't investigated how much work will be required on our side if we
try to implement the switch (well, for starters, we can have two
subsystems living next to each other). I want to check what you guys
think before actually digging into the code.
nftables was merged into the 3.13 Linux kernel and thus should be
available on all major distros. Well, since we will have both subsystems
available, we should be good to go.
BTW: it's a bit of a shame that this nifty project hasn't received more
advertising. Looks cool so far.
Michal
1: https://en.wikipedia.org/wiki/Nftables
2: http://people.netfilter.org/kaber/nfws2008/nftables.odp
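The atomic filter/chain replacement and transaction points above are what nft's file mode gives you. The script below is an added example, not code from this post or from libvirt: it generates a self-contained ruleset in which the table is created if missing, flushed, and repopulated in one batch, so `nft -f` replaces the old rules with the new ones in a single kernel transaction and a parse or validation error anywhere in the file rejects the whole batch. The table name `libvirt_guest`, the bridge `virbr0` and the guest subnet `192.168.122.0/24` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the libvirt list post or the libvirt project).
# Assumed names: table "libvirt_guest", bridge "virbr0", guest subnet
# 192.168.122.0/24.

TABLE="libvirt_guest"
BRIDGE="virbr0"
GUEST_NET="192.168.122.0/24"

# Emit a complete ruleset.  The bare "table ..." line creates the table if
# it does not exist yet and "flush table ..." empties it; since nft -f
# submits the whole file as one batch, the old rules are swapped for the
# new ones in a single kernel transaction.  There is no moment at which the
# chain is empty or half-filled (the window an "iptables -F" followed by a
# series of "iptables -A" calls leaves open), and an error anywhere in the
# file means nothing in it is applied.
build_ruleset() {
    cat <<EOF
table inet $TABLE
flush table inet $TABLE
table inet $TABLE {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # guest -> outside, only from the expected source subnet
        iifname "$BRIDGE" oifname != "$BRIDGE" ip saddr $GUEST_NET accept
        # guest <-> guest on the same bridge
        iifname "$BRIDGE" oifname "$BRIDGE" accept
    }
}
EOF
}

# Apply the ruleset atomically.  "nft -c" parses and checks the file
# without committing it, so a broken file is rejected before the running
# configuration is touched.  Needs root and the nft binary; returns 1 on
# any failure.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    if nft -c -f "$tmp" && nft -f "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Number of rule lines in the generated file (sanity check before applying).
rule_count() {
    build_ruleset | grep -c -E '^[[:space:]]+(ct|iifname|oifname)'
}
```

Scoping the flush to one table (rather than `flush ruleset`) keeps the replacement from wiping tables owned by other software on the host; the cost is that the table declaration must precede the flush so the batch is valid on a machine where the table does not exist yet.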