[Adding József]

On Mon, 22 Jun 2020 15:34:24 +0200
Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:

> On 22.06.20 at 14:42, Pablo Neira Ayuso wrote:
> > Hi Phil,
> >
> > On Fri, Jun 19, 2020 at 04:11:57PM +0200, Phil Sutter wrote:
> >> Hi Pablo,
> >>
> >> I remember you once asked for the benchmark scripts I used to compare
> >> performance of iptables-nft with -legacy in terms of command overhead
> >> and caching, as detailed in a blog[1] I wrote about it. I meanwhile
> >> managed to polish the scripts a bit and push them into a public repo,
> >> accessible here[2]. I'm not sure whether they are useful for regular
> >> runs (or even CI) as a single run takes a few hours and parallel use
> >> likely kills result precision.
> >
> > So what is the _technical_ incentive for using the iptables blob
> > interface (a.k.a. legacy) these days then?
> >
> > The iptables-nft frontend is transparent and it outperforms the legacy
> > code for dynamic rulesets.
>
> it is not transparent enough because it doesn't understand classical ipset

By the way, now nftables should natively support all the features from
ipset. My plan (for which I haven't found the time in months) would be to
write some kind of "reference" wrapper to create nftables sets from ipset
commands, and to render them back as ipset-style output.

I wonder if this should become the job of iptables-nft, eventually.

-- 
Stefano
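To make the idea of an ipset-to-nftables "reference" wrapper concrete, here is an added example sketch of the translation direction (ipset commands in, `nft` commands out). It is not code from this thread, from the ipset project, or from nftables; the target table name `inet filter`, the subset of ipset set types covered, and the helper names are all assumptions made for the example. It only renders `nft` command strings and never touches the kernel, so it can be read and run offline.

```python
import ipaddress
import shlex

# nftables sets live inside a table; ipset has no such concept, so the
# target table below is an assumption made for this example.
TABLE = "inet filter"

# ipset set type -> (nft element type, extra nft set flags).
# Only a handful of common ipset types are covered; anything else is rejected.
SET_TYPES = {
    "hash:ip": ("ipv4_addr", []),
    "hash:net": ("ipv4_addr", ["interval"]),
    "hash:ip,port": ("ipv4_addr . inet_proto . inet_service", []),
    "hash:mac": ("ether_addr", []),
}


def format_element(settype, entry):
    """Validate one ipset entry and render it as an nft set element."""
    if settype == "hash:ip":
        return str(ipaddress.ip_address(entry))
    if settype == "hash:net":
        # strict=False lets a host entry through as a /32 (or /128) prefix
        return str(ipaddress.ip_network(entry, strict=False))
    if settype == "hash:ip,port":
        addr, port = entry.split(",", 1)          # ipset form: 10.0.0.1,tcp:22
        proto, portnum = port.split(":", 1)
        if proto not in ("tcp", "udp", "sctp"):
            raise ValueError(f"unsupported proto {proto}")
        return f"{ipaddress.ip_address(addr)} . {proto} . {int(portnum)}"
    if settype == "hash:mac":
        octets = entry.lower().split(":")
        if len(octets) != 6 or any(int(o, 16) > 255 for o in octets):
            raise ValueError(f"bad MAC {entry}")
        return ":".join(f"{int(o, 16):02x}" for o in octets)
    raise ValueError(f"unsupported set type {settype}")


def translate(lines):
    """Translate ipset command lines into equivalent nft command lines.

    Anything not understood raises ValueError so a wrapper can fail closed
    instead of applying a half-translated ruleset.
    """
    sets = {}   # set name -> ipset set type, needed to render elements later
    out = []
    for line in lines:
        argv = shlex.split(line.split("#", 1)[0])
        if not argv:
            continue
        if argv[0] == "ipset":
            argv = argv[1:]
        if len(argv) < 2:
            raise ValueError(f"cannot translate: {line!r}")
        verb, name = argv[0], argv[1]
        if verb == "create":
            settype, opts = argv[2], argv[3:]
            if settype not in SET_TYPES:
                raise ValueError(f"unsupported set type {settype}")
            elem_type, flags = SET_TYPES[settype]
            flags = list(flags)
            if "family" in opts and opts[opts.index("family") + 1] == "inet6":
                elem_type = elem_type.replace("ipv4_addr", "ipv6_addr")
            spec = [f"type {elem_type};"]
            if "timeout" in opts:
                flags.append("timeout")
                spec.append(f"timeout {int(opts[opts.index('timeout') + 1])}s;")
            if flags:
                spec.insert(1, "flags " + ",".join(flags) + ";")
            sets[name] = settype
            out.append(f"add set {TABLE} {name} {{ {' '.join(spec)} }}")
            continue
        if name not in sets:
            raise ValueError(f"unknown set {name}")
        if verb in ("add", "del"):
            elem = format_element(sets[name], argv[2])
            if "timeout" in argv[3:]:   # per-entry timeout maps 1:1 onto nft
                elem += f" timeout {int(argv[argv.index('timeout', 3) + 1])}s"
            nft_verb = "add" if verb == "add" else "delete"
            out.append(f"{nft_verb} element {TABLE} {name} {{ {elem} }}")
        elif verb == "flush":
            out.append(f"flush set {TABLE} {name}")
        elif verb == "destroy":
            out.append(f"delete set {TABLE} {name}")
            del sets[name]
        else:
            raise ValueError(f"unsupported ipset command {verb}")
    return out


if __name__ == "__main__":
    # Constructed sample ipset session; the addresses are documentation ranges.
    sample = [
        "create blocklist hash:net timeout 3600",
        "add blocklist 192.0.2.0/24",
        "add blocklist 198.51.100.7 timeout 60",
        "create admins hash:ip,port",
        "add admins 203.0.113.5,tcp:22",
    ]
    print("\n".join(translate(sample)))
```

The strings it emits are plain `nft` commands, so a wrapper could feed them to `nft -f -` as one transaction; keeping the translation total (reject what you cannot map) is what makes such a wrapper trustworthy as a reference rather than a best-effort shim. Rendering nftables sets back in ipset style, the other half of the plan described above, is not covered here.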