I am trying to understand the pros/cons, use cases, performance etc. for packet filter, nftables, Netmap, ebpf xdp and dpdk. I am having trouble finding comparisons and benchmarks, so I’m curious if anyone here has hands-on experience with some or all of these technologies that can share their knowledge.
I’m thinking of these technologies in the context of serving large websites and protecting them, whether it be from a DDoS attack or something else (network layer, of course.)
Correct me if I’m wrong, but FreeBSD packet filter is directly comparable to Linux nftables. According to some outdated benchmarks I found, nftables and packet filter have similar performance, but packet filter seems to have better performance when there are hundreds of rules. Will probably depend on what the rules are, but still, they generally seem to be equivalents in terms of performance.
Again, correct me if I’m wrong, FreeBSD Netmap is directly comparable to Linux eBPF XDP. They’re both used for packet manipulation in userspace (right?) and Netmap is older and superior in terms of performance and of course licensing, whereas eBPF XDP is new and still experimental, though companies like Cloudflare are using it in production for their services, so it’s stable enoughhhhh…
And then DPDK. It works on Linux and FreeBSD. It allows users to run code directly on the network adapter hardware, which makes it the most efficient out of all of them, except it seems to be slightly limited in terms of functionality and is usually overkill, as Netmap/XDP do things efficiently enough and would be able to handle most things. (If you’re experiencing a DDoS, you can block with DPDK, but regardless, if your network ports are filled up, let’s say a 10Gbps port, whether you use DPDK or Netmap, people won’t be able to access the server if the port is filled, right? Unless maybe the attack is millions of small packets per second, then maybe DPDK could handle it with less stress?)
Anyways, sorry for any weird formatting (I’m on my phone right now) but I’d love to know more about these technologies.
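An added example that is not part of the post above: the "hundreds of rules" comparison usually comes from rulesets that spell out one rule per address, which a stateful firewall walks linearly for every new packet. The nftables ruleset below shows the shape a web-edge host would normally use instead: a few set lookups plus a per-source rate limit that feeds a timed blocklist, so the rule count stays constant no matter how many sources are blocked. The interface, table and set names, the addresses, and the rate and timeout values are all constructed for illustration; the dynamic-set pattern assumes a kernel and nft new enough to support `flags dynamic,timeout` sets updated from the packet path.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post). Names, addresses and
# limits are assumptions chosen for illustration.

flush ruleset

table inet edge {
    # Static blocklist held in a set: one hash/interval lookup instead of
    # one rule per address. Addresses are constructed sample values.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.17 }
    }

    # Per-source counters that nft creates on the fly; the element carries
    # its own limit state and expires 10s after the source goes quiet.
    set flood_v4 {
        type ipv4_addr
        size 65536
        flags dynamic,timeout
        timeout 10s
    }

    # Sources that exceeded the limit; entries expire on their own.
    set blackhole_v4 {
        type ipv4_addr
        size 65536
        flags timeout
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Fast path: packets of established flows match here and skip the rest.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept
        icmp type echo-request limit rate 10/second accept

        # One rule each, regardless of how many addresses the sets hold.
        ip saddr @blocked_v4 drop
        ip saddr @blackhole_v4 drop

        # New TCP connections to the web ports: a source opening more than
        # 100/s is added to the blackhole set for 1 minute and dropped.
        tcp dport { 80, 443 } ct state new \
            add @flood_v4 { ip saddr limit rate over 100/second } \
            add @blackhole_v4 { ip saddr timeout 1m } drop

        tcp dport { 80, 443 } ct state new accept
    }
}
```

Load it with `nft -f <file>` and watch the dynamic state with `nft list set inet edge blackhole_v4`. The point for the comparison in the post is that measured rule-count scaling matters only for rulesets written as long linear lists; with sets, pf and nftables both do a constant number of lookups per packet. None of this helps once the physical link is saturated, and it still runs after the kernel has allocated an skb, which is where an XDP or userspace-bypass stage earlier in the path would be the next step for very high packet rates.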