
Comment by shanemhansen

9 years ago

I took a quick look at GitHub, didn't see an option to compile to iptables. That would be an interesting use case for me.

One of the key advantages of p4 is that you don't have to use iptables. Instead p4 would compile down to a binary packet processor in either machine language, something like eBPF, or directly onto a hardware coprocessor on your NIC.

Compiling to iptables would be incredibly slow and miss the advantages. Plus, p4 is more general than iptables so many p4 programs could not be expressed as iptables.

  • A possibility for its use is directly in an application then.

    For very high performance packet generation and processing the Linux kernel is sub-par because it's extremely complex and general purpose. There is just too much going on.

    example:

    https://blog.cloudflare.com/kernel-bypass/

    • There is work going on upstream to allow bypassing the entire network stack in the kernel using eBPF. Kernel bypass techniques though have been the gold standard in performance for quite a while, but they don't work well for container networking, so kernel networking is starting to become more relevant to people who care about performance.