On Fri, Apr 10, 2015 at 12:21:06AM +0100, Patrick McHardy wrote: > On 10.04, Pablo Neira Ayuso wrote: > > On Thu, Apr 09, 2015 at 10:51:35PM +0200, Florian Westphal wrote: > > > Why would I want to re-write a working nft+compat ruleset to one > > > that only uses native expressions? > > > > The fact is that we cannot push users to use nf_tables, but we can > > provide good reasons to adopt the native replacements and tools to > > migrate easily. > > We actually can by translating their iptables ruleset transparently. Users' ruleset can be very sophisticated, some of them may just not move forward because only one single feature that they need is missing. So they will postpone migration. That is not good. The translation is a complementary thing, not a replacement of the compatibility layer. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
