Hi Phil,

On Fri, Jun 19, 2020 at 04:11:57PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> I remember you once asked for the benchmark scripts I used to compare
> performance of iptables-nft with -legacy in terms of command overhead
> and caching, as detailed in a blog[1] I wrote about it. I meanwhile
> managed to polish the scripts a bit and push them into a public repo,
> accessible here[2]. I'm not sure whether they are useful for regular
> runs (or even CI) as a single run takes a few hours and parallel use
> likely kills result precision.

So what is the _technical_ incentive for using the iptables blob interface
(a.k.a. legacy) these days then? The iptables-nft frontend is transparent
and it outperforms the legacy code for dynamic rulesets.

Thanks.

> [1] https://developers.redhat.com/blog/2020/04/27/optimizing-iptables-nft-large-ruleset-performance-in-user-space/
> [2] http://nwl.cc/cgi-bin/git/gitweb.cgi?p=ipt-sbs-bench.git;a=summary