Hi Pablo,

On Mon, Jun 22, 2020 at 02:42:07PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jun 19, 2020 at 04:11:57PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> >
> > I remember you once asked for the benchmark scripts I used to compare
> > performance of iptables-nft with -legacy in terms of command overhead
> > and caching, as detailed in a blog[1] I wrote about it. I meanwhile
> > managed to polish the scripts a bit and push them into a public repo,
> > accessible here[2]. I'm not sure whether they are useful for regular
> > runs (or even CI) as a single run takes a few hours and parallel use
> > likely kills result precision.
>
> So what is the _technical_ incentive for using the iptables blob
> interface (a.k.a. legacy) these days then?

Mostly interoperability, I guess. A recent real-world scenario is host
firewall management from inside a container (please don't ask me why):
if the host uses legacy iptables (for legacy reasons ;) the top-notch,
state-of-the-art container has to do so as well or hell freezes over.

Apart from that, I can imagine there are users depending on one of the
few missing features, like e.g. the broute table in ebtables.

> The iptables-nft frontend is transparent and it outperforms the legacy
> code for dynamic rulesets.

Sadly, we can't claim the same for nft - its caching strategy is dumb
compared to what iptables-nft does nowadays. I guess that should be my
follow-up task. :)

Cheers, Phil