iptables. 32 or 64?

Lisa Kachold lisakachold at obnosis.com
Sun Jul 22 07:18:35 MST 2012


Hi!

Great question:

On Sun, Jul 22, 2012 at 4:04 AM, kitepilot at kitepilot.com <
kitepilot at kitepilot.com> wrote:

> Hello World:
> I run my firewall on a LFS box.
>

You might also consider a hardened kernel with:

http://grsecurity.net/


> Everything on it is compiled from source.
> No bells and whistles, only the essential software is installed.
> The hardware is 64 bits but I've been running 32 bit OS.
>

32-bit iptables doesn't work on a machine running an amd64 kernel; when run,
it reports:
===
# iptables -L
iptables v1.2.11: can't initialize iptables table `filter': Module is
wrong version Perhaps iptables or your kernel needs to be upgraded

iptables has to be 64bit to talk to a 64bit kernel due to an alignment
issue in the kernel structures for iptables.  So you do need at least
the 64bit iptables binary and associated libs.


> This time around I am wondering...
> The question is:
> Is there any advantage to compiling the whole iptables enchilada in 64
> bits?
>


   - 32 bit is faster than 64 bit
   - 32 bit is well tested, 64 bit isn't tested at all
   - 2039 is still a long way off

The only reasons to compile anything for a 64-bit architecture are:

   - It needs to access more than 4GB of memory. In the real world this
   only applies to huge databases.
   - It needs to talk to the kernel directly. Some applications, like
   iptables, contain ugly hacks to support the 64 bit kernel/32 bit
   userland thing.
   - It is a kernel.

For you to talk with your 64bit kernel, you need 64bit iptables!


> Should it be avoided?
> Please note that the 'normal' rules like 'more than 4GB and/or
> 32-bit-adobe' do not apply here, what I am looking for is whether
> filtering/marking will be faster/slower and (if known) why.
> Any ideas?
> Tnx
> ET
>

-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
http://it-clowns.com
Safeway.com
Automation Engineer
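The failure quoted in the reply (a 32-bit iptables binary on a 64-bit kernel) can be caught before it bites. The script below is an added example, not part of the thread or of the iptables project: it reads the ELF header of the iptables binary to find its class (32- or 64-bit) and compares that with the word size reported by `uname -m`. The helper names (`bits_for_machine`, `elf_class_of`, `check_iptables_arch`) are the example's own, and it assumes only POSIX `sh`, `od` and `uname`.

```shell
#!/bin/sh
# Added example (not from the thread): does the iptables binary's ELF class
# match the running kernel's word size? A 32-bit binary on a 64-bit kernel
# fails with the "Module is wrong version" error quoted in the reply.

# bits_for_machine MACHINE: map a `uname -m` string to 32 or 64.
# uname -m reports the kernel's architecture, which is exactly what matters
# here (a 32-bit userland on a 64-bit kernel still prints x86_64).
bits_for_machine() {
    case "$1" in
        x86_64|amd64|aarch64|ppc64|ppc64le|s390x|riscv64) echo 64 ;;
        i?86|armv*l|ppc|s390) echo 32 ;;
        *) echo unknown ;;
    esac
}

# elf_class_of FILE: print 32, 64 or unknown by reading the ELF header.
# Bytes 0-3 must be the magic 7f 45 4c 46 ("\177ELF"); byte 4 is EI_CLASS
# (1 = ELFCLASS32, 2 = ELFCLASS64). A shell-script wrapper around
# xtables-multi has no ELF header and is reported as unknown.
elf_class_of() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" != 7f454c46 ]; then
        echo unknown
        return 1
    fi
    cls=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$cls" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown; return 1 ;;
    esac
}

# check_iptables_arch [BINARY]: compare the binary's class with the kernel.
# Returns 0 on match, 1 on mismatch or unreadable binary, 2 if not found.
check_iptables_arch() {
    bin=${1:-$(command -v iptables 2>/dev/null)}
    if [ -z "$bin" ] || [ ! -r "$bin" ]; then
        echo "iptables binary not found"
        return 2
    fi
    want=$(bits_for_machine "$(uname -m)")
    have=$(elf_class_of "$bin")
    if [ "$want" = "$have" ]; then
        echo "ok: $bin is ${have}-bit, kernel is ${want}-bit"
        return 0
    fi
    echo "mismatch: $bin is ${have}-bit but kernel reports ${want}-bit"
    return 1
}

# Only check a binary when one is named on the command line, e.g.
#   sh check-iptables-arch.sh /sbin/iptables
if [ $# -gt 0 ]; then
    check_iptables_arch "$1"
fi
```

Run it as `sh check-iptables-arch.sh /sbin/iptables` (or whatever `command -v iptables` returns); a non-zero exit means the binary will not be able to talk to the running kernel's netfilter tables, which is the situation the reply describes. Reading the header directly rather than calling `file` keeps the check usable on a minimal box like the LFS firewall in the question.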