Hi,

On Wed, Nov 27, 2019 at 04:50:56PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> According to api folks kube-proxy must sustain 5k or about test otherwise it will never see production environment. Implementing the numgen expression is relatively simple, thanks to "nft --debug all"; once it's done, a user can use it as easily as with json.
>
> Regarding concurrent usage, since my primary goal is kube-proxy I do not really care at this moment, as a k8s cluster is not an application you co-locate in production with some other applications potentially altering the host's tables. I agree firewalld might be an interesting and more generic alternative, but seeing how quickly things are done in k8s, maybe it will be done by the end of the 21st century.

I agree, in a dedicated setup there's no need for compromises. I guess if you manage to reduce ruleset changes to mere set element modifications, you could outperform iptables in that regard. Run-time performance of the resulting ruleset will obviously benefit from set/map use as there are much fewer rules to traverse for each packet.

> Once I get the filter chain portion in the code I will share a link to the repo so you could review.

Thanks! I'm also interested in seeing whether there are any inconveniences due to nftables limitations. Maybe some problems are easier solved on kernel-side.

Cheers,
Phil
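To make the two ideas in the reply concrete (service VIPs kept as elements of a named verdict map so that adding or removing a service is a set element change rather than a rule change, and backend selection done with a single numgen rule instead of one rule per backend), here is an added example that is not part of the thread and not from any kube-proxy implementation. It is a small POSIX shell generator that emits an nftables ruleset loadable with `nft -f -`; the table and chain names, VIPs, ports and backend addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit an nftables ruleset
# that dispatches service VIPs via a named verdict map and spreads each
# service's connections over its backends with one numgen expression.
# All names and addresses below are constructed samples.

# gen_ruleset VIP PORT BACKEND...  -> prints a ruleset for `nft -f -`.
# The per-service chain is declared before the map that jumps to it so the
# verdict map elements reference a chain that already exists in the batch.
gen_ruleset() {
    vip=$1; port=$2; shift 2
    n=$#
    # Build "0 : addr0, 1 : addr1, ..." for the inline numgen map.
    i=0; pairs=""
    for b in "$@"; do
        pairs="${pairs}${pairs:+, }$i : $b"
        i=$((i + 1))
    done
    cat <<EOF
table ip k8s_svc {
    chain svc_$port {
        # one rule per service, not one per backend: numgen picks the
        # backend index, the map turns it into a DNAT target
        dnat to numgen inc mod $n map { $pairs }
    }
    map svc_dispatch {
        type ipv4_addr . inet_service : verdict
        elements = { $vip . $port : goto svc_$port }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # single lookup instead of a linear walk over per-service rules
        ip daddr . tcp dport vmap @svc_dispatch
    }
}
EOF
}

# add_service VIP PORT -> prints the command that publishes another VIP as a
# map element, leaving every existing rule untouched (the "set element
# modification" path from the thread).
add_service() {
    printf 'nft add element ip k8s_svc svc_dispatch { %s . %s : goto svc_%s }\n' \
        "$1" "$2" "$2"
}

# Sample run with constructed addresses.
gen_ruleset 10.96.0.10 80 10.244.0.5 10.244.0.6 10.244.1.7
add_service 10.96.0.11 443
```

The backend list is still embedded in the per-service chain, so a backend change means replacing that one rule; only the VIP-to-chain dispatch is a pure element update.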