Thanks Lisa, just to clarify: I am compiling EVERYTHING from the kernel up, either 32 or 64, so the '64-in-32-userland' issue does not apply. This box will have everything freshly compiled from source from day one. It will be a 'pure' 64 (or 32) box. Now, from distant times I remember that 16 bit processors were generally faster than 8 bit, 32 were faster than 16, how come the 64 bit processor is slower than the 32? In a 'pure 64' environment does that still apply? I can understand that iptables has not been thoroughly tested in a 'pure 64' environment, but why would it run slower? Inquiring minds would like to know... ET Lisa Kachold writes: > Hi! > > Great question: > > On Sun, Jul 22, 2012 at 4:04 AM, kitepilot@kitepilot.com < > kitepilot@kitepilot.com> wrote: > >> Hello World: >> I run my firewall on a LFS box. >> > > You might also consider a hardened kernel with: > > http://grsecurity.net/ > > >> Everything on it is compiled from source. >> No bells and whistles, only the essential software is installed. >> The hardware is 64 bits but I've been running 32 bit OS. >> > > 32-bit iptables doesn't work on a machine running amd64 kernel, when run > it reports: > === > # iptables -L > iptables v1.2.11: can't initialize iptables table `filter': Module is > wrong version Perhaps iptables or your kernel needs to be upgraded > > iptables has to be 64bit to talk to a 64bit kernel due to an alignment > issue in the kernel structures for iptables. So you do need at least > the 64bit iptables binary and associated libs. > > > This time around I am wondering... >> The question is: >> Is there any advantage to compiling the whole iptables enchilada in 64 >> bits? >> > > > - 32 bit is faster than 64 bit > - 32 bit is well tested, 64 bit isn't tested at all > - 2039 is still long way off > > The only reasons to compile anything in 64bit architecture: > > - It needs to access more than 4GB of memory. In the real world this > only applies to huge databases. > - It needs to talk to the kernel directly. Some applications, like > iptables, contain ugly hacks to support the 64 bit kernel/32 bit > userland thing. > - It is a kernel. > > For you to talk with your 64bit kernel, you need 64bit iptables! > > >> Should it be avoided? >> Please note that the 'normal' rules like 'more than 4GB and/or >> 32-bit-adobe' do not apply here, what I am looking for is whether >> filtering/marking will be faster/slower and (if known) why. >> Any ideas? >> Tnx >> ET >> > > -- > (503) 754-4452 Android > (623) 239-3392 Skype > (623) 688-3392 Google Voice > ** > Safeway.com > Automation Engineer --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change your mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss