> It should be possible to update iptables-nft to use nft_log from > userspace (instead of xt_LOG) which removes this limitation, there is > no need for a kernel upgrade. We have been able to migrate some parts of this workload to the nftables subsystem by treating network namespaces sort of like VRFs. Unfortunately, we have not been able to use nftables to handle all traffic, since it does not have an equivalent for xt_bpf. Alex Forster
