Dear list,

I've come across nftables [1]. They look very promising, more than old netfilter. It offers new features [2], from which I'd pick:

- better performance under high traffic workloads
- atomic filter/chain replacements
- transactions

I haven't investigated how much work will be required on our side if we try to implement the switch (well, for starters, we can have two subsystems living next to each other). I want to check what you guys think before actually digging into the code.

nftables was merged into the 3.13 Linux kernel and thus should be available on all major distros. Well, since we will have both subsystems available, we should be good to go.

BTW: it's a bit of a shame that this nifty project hasn't received much more advertising. Looks cool so far.

Michal

1: https://en.wikipedia.org/wiki/Nftables
2: http://people.netfilter.org/kaber/nfws2008/nftables.odp

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
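The "atomic filter/chain replacements" the post lists come down to one thing in practice: a whole ruleset file handed to `nft -f` is committed as a single transaction, or not at all. The shell example below is added here and is not part of the post or of libvirt's code; it renders a hypothetical per-guest anti-spoofing table in the flush-then-redefine shape that gives that atomic swap, so a guest interface is never left unfiltered or half-filtered between the old and new rules. The table name "vmfilter", the interface and address values are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or libvirt): render a
# per-guest nftables ruleset that `nft -f` replaces atomically.
# Table "vmfilter" and the interface/IP values are constructed assumptions.

# build_vm_ruleset FILE IFACE IPV4
# Writes a file that flushes and redefines one table in a single
# transaction: `nft -f` commits the whole file or nothing, so the guest
# never runs with an empty or partially applied filter.
build_vm_ruleset() {
    out=$1 iface=$2 addr=$3
    cat > "$out" <<EOF
# Declare first so the flush succeeds even when the table does not exist yet.
table bridge vmfilter
flush table bridge vmfilter
table bridge vmfilter {
    chain guest_fwd {
        type filter hook forward priority 0; policy accept;
        # Only frames carrying the guest's assigned IPv4 may leave $iface
        # (anti-spoofing in the spirit of libvirt's nwfilter filters).
        iifname "$iface" arp saddr ip $addr accept
        iifname "$iface" ip saddr $addr accept
        iifname "$iface" drop
    }
}
EOF
    printf '%s\n' "$out"
}

# atomic_shape FILE: succeeds when the flush precedes the table body,
# i.e. the file follows the flush-then-redefine pattern.
atomic_shape() {
    flush_ln=$(grep -n '^flush table bridge vmfilter$' "$1" | cut -d: -f1)
    body_ln=$(grep -n '^table bridge vmfilter {$' "$1" | cut -d: -f1)
    [ -n "$flush_ln" ] && [ -n "$body_ln" ] && [ "$flush_ln" -lt "$body_ln" ]
}

# check_ruleset FILE: dry-run parse with `nft -c` when nft is installed
# (checks validity without committing); otherwise report and succeed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check for $1" >&2
    fi
}

f=$(build_vm_ruleset "${TMPDIR:-/tmp}/vmfilter-vnet0.nft" vnet0 192.0.2.10)
atomic_shape "$f" && check_ruleset "$f" && echo "ruleset written to $f"
```

Loading the generated file with `nft -f` (as root) swaps the table contents in one step; a syntax or semantic error anywhere in the file leaves the previously loaded rules untouched.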