On Sun, Jul 22, 2012 at 4:04 AM,
kitepilot@kitepilot.com <kitepilot@kitepilot.com> wrote:
Hello World:
I run my firewall on a LFS box.
Everything on it is compiled from source.
No bells and whistles, only the essential software is installed.
The hardware is 64 bits but I've been running 32 bit OS.
32-bit iptables doesn't work on a machine running amd64 kernel, when run
it reports:
===
# iptables -L
iptables v1.2.11: can't initialize iptables table `filter': Module is
wrong version Perhaps iptables or your kernel needs to be upgraded
iptables has to be 64bit to talk to a 64bit kernel due to an alignment
issue in the kernel structures for iptables. So you do need at least
the 64bit iptables binary and associated libs.
This time around I am wondering...
The question is:
Is there any advantage to compiling the whole iptables enchilada in 64 bits?
- 32 bit is faster than 64 bit
- 32 bit is well tested, 64 bit isn't tested at all
- 2039 is still long way off
The only reasons to compile anything in 64bit architecture:
- It needs to access more than 4GB of memory. In the real world this only
applies to huge databases.
- It needs to talk to the kernel directly. Some applications, like iptables, contain ugly hacks to support the 64 bit
kernel/32 bit userland thing.
- It is a kernel.
For you to talk with your 64bit kernel, you need 64bit iptables!
Should it be avoided?
Please note that the 'normal' rules like 'more than 4GB and/or 32-bit-adobe' do not apply here, what I am looking for is whether filtering/marking will be faster/slower and (if known) why.
Any ideas?
Tnx
ET