Re: [PATCH nft v2 3/3] src: add xt compat support

On 10.04, Pablo Neira Ayuso wrote:
> On Fri, Apr 10, 2015 at 12:48:44AM +0100, Patrick McHardy wrote:
> > On 10.04, Pablo Neira Ayuso wrote:
> > > On Fri, Apr 10, 2015 at 12:21:06AM +0100, Patrick McHardy wrote:
> > > > On 10.04, Pablo Neira Ayuso wrote:
> > > > > On Thu, Apr 09, 2015 at 10:51:35PM +0200, Florian Westphal wrote:
> > > > > > Why would I want to re-write a working nft+compat ruleset to one
> > > > > > that only uses native expressions?
> > > > > 
> > > > > The fact is that we cannot push users to use nf_tables, but we can
> > > > > provide good reasons to adopt the native replacements and tools to
> > > > > migrate easily.
> > > > 
> > > > We actually can by translating their iptables ruleset transparently.
> > > 
> > > Users' rulesets can be very sophisticated; some of them may just not
> > > move forward because one single feature that they need is
> > > missing. So they will postpone migration. That is not good.
> > > 
> > > The translation is a complementary thing, not a replacement of the
> > > compatibility layer.
> > 
> > The difference is that the translation layer doesn't restrict us in
> > future decisions, and this one does.
> 
> The user will run translation and will notice that some feature is
> missing. Bad luck, he will retry months later. He will keep repeating
> the process until he gets the features he needs. No matter how nice
> nftables features are, because he still doesn't have access to what he
> needs.

How are things missing in the translation layer? That one already
supports compat and that is fine.

It's nft that might be missing features for him. So if it doesn't suit
him, he'll try at a different time. What's the big deal? Or ideally, he'll
let us know. This is exactly how iptables gained in features.

> > And actually if you consider what the majority of users are, it's people
> > using distro-provided firewalls, the translation layer will actually
> > get us the huge majority of users.
> >
> > People who actively want to switch won't mind changing their ruleset,
> > so they might as well tell us if some feature is missing and we can
> > then discuss how to implement it in nftables.
> 
> They will tell us what they need, then they will sit down waiting
> until distributors start packaging the new feature, which means
> another wait of ~2 years. Most people rely on Linux distributions, not
> bleeding edge kernels. You know how behind people can remain from
> mainstream to feel -stable.

Some distributions are *a lot* faster than that. I don't buy that
argument; this is how development has always worked: people state
what they need, it gets done.