Hi,

On Wed, Nov 27, 2019 at 03:35:04PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> No, I do not, nftableslib talks directly to the netlink connection.
>
> nftableslib offers an API which allows creating tables/chains/rules and exposes an interface which looks similar to k8s client-go. If you check https://github.com/sbezverk/nftableslib/blob/master/cmd/e2e/e2e.go
>
> It will give you a good idea how it operates.
>
> The reason for going in this direction is performance. For relatively static applications like a firewall, the json approach is great, but for applications like a kube-proxy where hundreds or even thousands of service/endpoint events happen, I do not believe json is the right approach. When I talked to api machinery folks I was given 5k events per second as a target.

So you're bypassing both libnftables and libnftnl. Those 5k events per
second are a benchmark, not an expected load, right?

While you're obviously searching for the most performance, the drawback
is complexity. Using JSON (and thereby libnftables and libnftnl as
backends) a task like utilizing numgen expression is relatively simple.

A problem you won't get rid of with the move from iptables to nftables
is concurrent use: The "let's insert our rules on top" approach to
dealing with an existing ruleset or other users is obviously not the
best one. I guess you're aiming at dedicated applications where this is
not an issue but for "general purpose" applications I guess a k8s
backend communicating with firewalld would be a good approach of
customizing host's firewall setup without stepping onto others' toes.

Back to topic, you are creating a static ruleset based on the iptables
one you got for simple comparison tests or are you already over that?
If not, I guess it would be a good basis for high level ruleset
optimization discussions.

Cheers, Phil
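As an added illustration of the point about numgen being simple to use through the JSON interface (this is example code, not part of the thread and not nftableslib's or kube-proxy's own code): a small Python generator that emits the libnftables JSON for a kube-proxy style rule, DNATing traffic for one service address across N backend endpoints with "numgen inc mod N" keyed into an anonymous map. The table and chain names, the service address and the endpoint addresses are constructed sample values; the JSON keys follow the libnftables-json(5) schema, and the output is what one would feed to "nft -j -f -".

```python
import json

# Sample values, constructed for this example (not from the thread).
TABLE = "ip"          # address family
TABLE_NAME = "kube-example"
CHAIN = "prerouting"


def lb_dnat_rule(family, table, chain, service_ip, service_port, endpoints):
    """Return one libnftables JSON rule object that round-robins new
    connections to service_ip:service_port over the given endpoint IPs.

    Equivalent nft CLI (for 3 endpoints):
      dnat to numgen inc mod 3 map { 0 : A, 1 : B, 2 : C }
    """
    if not endpoints:
        raise ValueError("a service needs at least one endpoint")

    # Anonymous map elements: [numgen index, backend address].
    backends = [[i, ip] for i, ip in enumerate(endpoints)]

    return {
        "family": family,
        "table": table,
        "chain": chain,
        "expr": [
            # match ip daddr == service_ip
            {"match": {"op": "==",
                       "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                       "right": service_ip}},
            # match tcp dport == service_port
            {"match": {"op": "==",
                       "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                       "right": service_port}},
            # dnat to <numgen inc mod N> mapped onto the endpoint list
            {"dnat": {"addr": {"map": {
                "key": {"numgen": {"mode": "inc",
                                   "mod": len(endpoints),
                                   "offset": 0}},
                "data": {"set": backends}}}}},
        ],
    }


def ruleset_json(rules):
    """Wrap rule objects into a libnftables JSON command list ('add rule')."""
    return json.dumps({"nftables": [{"add": {"rule": r}} for r in rules]},
                      indent=2)


if __name__ == "__main__":
    # Constructed sample service with three endpoints.
    rule = lb_dnat_rule(TABLE, TABLE_NAME, CHAIN, "10.96.0.10", 80,
                        ["10.244.1.5", "10.244.2.7", "10.244.3.9"])
    print(ruleset_json([rule]))
```

Each service/endpoint update in this model is a regenerated rule object plus one "nft -j" invocation; the cost the thread is weighing is exactly that JSON serialization and parsing per event versus talking netlink directly.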