Linux 3.13 Released 141
diegocg writes "Linux kernel 3.13 has been released. This release includes nftables (the successor of iptables); a revamp of the block layer designed for high-performance SSDs; a framework to cap power consumption in Intel RAPL devices; improved squashfs performance; AMD Radeon power management enabled by default and automatic AMD Radeon GPU switching; improved NUMA and hugepage performance; TCP Fast Open enabled by default; support for NFC payments; support for the High-Availability Seamless Redundancy protocol; new drivers; and many other small improvements. Here's the full list of changes."
nftables (Score:2, Interesting)
There's a compatibility wrapper, right? Right? Because nftables is an awful terrible complicated pile of needless complexity. It should be possible to set up a simple deny-inbound firewall ruleset in just a few lines, or..........I'm just not going to upgrade! Yeah. That's the idea.
configuration languages (Score:4, Interesting)
This release includes nftables (the successor of iptables)
Why does every network management tool include their own ugly, broken little programming language for configuring it?
Why not just use an existing language?
Like, when I get a packet from the network, I can just use Python:
if packet.origin == "127.0.0.1":
packet.drop()
elif packet.port == 80:
packet.forward(port = 1024)
etcetera.
Support for NFC payments ? In the kernel ?? (Score:5, Interesting)
Just my luck... (Score:2, Interesting)
I FINNALY managed to wrap my head around how iptables work... Oh well, hopefully the new one will be easier.
Re:configuration languages (Score:4, Interesting)
Probably because of the extremely high performance requirements. There's a lot of packets going through a 10Gbit interface and if you run some Python code for each of them you're gonna choke the machine.
That would be true if it were impossible to compile Python code to something efficient.
And the style of code used above (and typical network configuration scripts) would compile to something very efficient. In fact, a compiler can compile that code to the current configuration language whenever possible.
Systems like IPTABLES are based on declarative syntax. When you "program" by declaration, you are working with a limited syntax to perform limited functions. That also limits your flexibility, but the tradeoff is that the functions that you can do are so well-defined that you can be assured that anything you compile will operate in a way that minimizes surprises. It also means that you can optimize things more precisely because you don't have to support many possibilities, only a few. The #1 feature of declarative programming is that you don't have lots of loops and decisions to debug. Or optimize.
The "tables" part of IPTABLES also contributes to that functionality. There are a limited set of table types pre-defined with specific uses. By compiling the rules into tables, very efficient processing can be done. After all, optimized table handling is one of the oldest and most intensively-studied disciplines of Computer Science.
Even IPTABLES wasn't totally restricted to table-driven functions, though. As an extendable architecture, if you really wanted to, you could define your own abilities to the system, including modules incorporating user-written code. It's just that they had pre-defined and fine-tuned the most commonly-used features.