Eric Garver
Eric Garver's contributions
iptables: The two variants and their relationship with nftables
Eric Garver
Explore the relationship between iptables and nftables, and discover how iptables-nft gives you the best of both worlds without breaking legacy code.
Firewalld: The Future is nftables
Eric Garver
Firewalld, the default firewall management tool in Red Hat Enterprise Linux and Fedora, has gained long-sought support for nftables. This was announced in detail on firewalld's project blog. The feature landed in the firewalld 0.6.0 release as the new default firewall backend. The benefits of nftables have been outlined on the Red Hat Developer Blog: "What comes after iptables? Its successor, of course: nftables", "Benchmarking nftables", and "Migrating my iptables setup to nftables". There are many longstanding issues with firewalld...
Open vSwitch: QinQ Performance
Eric Garver
In a previous post, we introduced QinQ support for Open vSwitch. This post will investigate how QinQ performs relative to alternatives (VXLAN, GENEVE) in both throughput and CPU utilization. This will give us some understanding of why we might consider QinQ over VXLAN or GENEVE. We're going to look at the following tunnel types and configurations: VXLAN-SW: VXLAN in software only. No hardware offload. VXLAN-HW: VXLAN with hardware offload. This includes UDP tunnel segmentation offload and receive side flow steering. GENEVE-SW...
Open vSwitch: Overview of 802.1ad (QinQ) Support
Eric Garver
Open vSwitch (OVS) recently gained support for 802.1ad (QinQ). It can be used as a lightweight alternative to tunnel technologies such as VXLAN, GENEVE, and GRE. A key advantage of QinQ is that it can make use of hardware offload features common in network interface cards (NICs). Only newer NICs support hardware offload for VXLAN and GENEVE. QinQ also incurs less frame processing and has a smaller encapsulation overhead. QinQ is an IEEE standard formally known as 802.1ad. It has been...