On 10.04, Pablo Neira Ayuso wrote:
> On Thu, Apr 09, 2015 at 10:51:35PM +0200, Florian Westphal wrote:
> > Why would I want to re-write a working nft+compat ruleset to one
> > that only uses native expressions?
>
> The fact is that we cannot push users to use nf_tables, but we can
> provide good reasons to adopt the native replacements and tools to
> migrate easily.

We actually can by translating their iptables ruleset transparently.

> > What's the point of providing a 'native' replacement for an existing xtables
> > target if we can just use the xtables version?
>
> Have a look at hashlimit, multiport and all of our existing combo
> match/targets. They are a mess. We're now going towards a way more
> flexible and generic (lego fashion) framework that will provide all
> kind of combos without relying on this kind of Frankenstein
> extensions.

The thing is, by adding missing features we can make a case by case
decision of whether it makes sense and how to implement it properly.

The "whether it makes sense" decision is taken away from us by providing
the xt compat thing. It might very well not make sense to have a 1:1
mapping in nft but to express things differently.