THE Technical Conference on Linux Networking

Netdev 0.1

Sessions

BoF | Netfilter BoF

Josh Hunt, David Gervais, and Pete Bohman
Provinces I

This BoF intends to bring together interested parties and stakeholders to discuss the current state of iptables, ipset, and nftables when used in a large-scale environment. The discussion will focus on how the current netfilter tools are used in such an environment, the issues encountered with them, and what we can do to improve them.

Some examples of those topics are:

  • Supported Interfaces
    • The need for solid, supported development libraries for iptables, ipset, nftables allowing applications to fully take advantage of their features.
  • Improvements to existing components
    • Handling very large sets (1 million to 25 million entries). Discuss alternatives to ipset (such as nft set implementation).
    • Limitations in existing iptables functionality.
  • nftables considerations
    • Performance
    • Backwards compatibility
    • New features

slides: /docs/hunt-netfilter-bof.pdf
video: https://www.youtube.com/watch?v=e-U9yCE08Cg