Improving Network Performance with Linux Flowtables

Showing the netfilter <i>with</i> the OSI layer on the left, after all these years is absolutely clutch and as an educator, I&#x27;m thankful the author made such a thing. It&#x27;s beautiful.<p>I feel like from an abstraction standpoint, a lot of these concepts get lost when you transition to Windows and in either direction, these pre&#x2F;post chains never quite made sense to me on the surface. Though, I&#x27;m positive it&#x27;s because I&#x27;m not a developer or sysadmin in linux daily. I imagine there&#x27;s some fascinating stuff you can do.

&gt; In Ubicloud’s case, enabling flowtables just took seven lines of code!<p>Could have been six lines by combining these two lines:<p><pre><code> ip protocol tcp counter flow offload @ubi_flowtable ip protocol udp counter flow offload @ubi_flowtable </code></pre> into:<p><pre><code> meta l4proto { tcp, udp } flow offload @ubi_flowtable </code></pre> Also, their changes only work for IPv4. The above would work for both IPv4 and IPv6.

Hello from the author, here! I wanted to explain that we use Nftables for NATing, Firewall Rules and some spoofing avoidance tasks at the moment. Enabling Flowtables benefit the full networking stack for any connections. Give it a try!<p>Also, happy to answer if there are any questions.

Another article about flowtables:<p><a href="https:&#x2F;&#x2F;firewalld.org&#x2F;2023&#x2F;05&#x2F;nftables-flowtable" rel="nofollow">https:&#x2F;&#x2F;firewalld.org&#x2F;2023&#x2F;05&#x2F;nftables-flowtable</a><p>Documentation:<p><a href="https:&#x2F;&#x2F;wiki.nftables.org&#x2F;wiki-nftables&#x2F;index.php&#x2F;Flowtables" rel="nofollow">https:&#x2F;&#x2F;wiki.nftables.org&#x2F;wiki-nftables&#x2F;index.php&#x2F;Flowtables</a>

Gave this a shot on my Home server that&#x27;s running a bunch of docker containers. It certainly feels like it&#x27;s improved performance over the network. Next step is to run a bunch of benchmarks.

If more performance is better, why isn&#x27;t this the default in the Linux networking stack? What are the drawbacks of using this and are there security implications?

A little more info:<p><a href="https:&#x2F;&#x2F;www.kernel.org&#x2F;doc&#x2F;Documentation&#x2F;networking&#x2F;nf_flowtable.txt" rel="nofollow">https:&#x2F;&#x2F;www.kernel.org&#x2F;doc&#x2F;Documentation&#x2F;networking&#x2F;nf_flowt...</a>

Nicely written article, and now I know about Ubicloud.

Presumably the best way is to skip the kernel all together.. are there any decent ways to run the network stack in userspace yet?<p>-edit- I know userspace networking may not be relevant in the authors case but it is of interest to me.

&gt; an opensource alternative to AWS<p>Just putting out there that OpenStack is open source, already exists, very feature complete, and there are even hosting providers that will give you your own OpenStack control plane and only bill you for the resources you use. Only one provider in the US, but several in Europe.<p>No need to deploy and manage your own clusters on bare metal. They do it all for you and just give you an API, same as AWS. Way better than managing your own stack. The fact that more providers aren&#x27;t doing this kind of blows my mind. But they probably prefer the proprietary walled garden, easier to keep customers from moving.

Should I really read about these tables, or will the Linux kernel replace them with yet another set of tables in a few years, with almost-but-not-quite-the-same semantics, a different command-line tool, different column order etc. ?<p>-- disgruntled user