However, +1 for Literal Maps for NAT. But, I think working on functionalities of ipset (like make ipset of any combination of net,port,iface,etc. with results also stored in it like nat,accept,reject,etc.) might have given similar results. On Wed, Mar 7, 2018 at 12:59 AM, Akshat Kakkar <akshat.1984@xxxxxxxxx> wrote: > I know I am sounding naive, but I am still unable to find even a > single reason to switch to nft. > > Not even the simple syntax, as I am comfortable with iptables and > ipset fo r last 13 years. > > Even its performance is at times worst than iptables when simple rules > are tested. > > When inline sets are used, then also performance is subpar as compared > with iptables+ipset. > > Even dictionaries can be be managed with ipset + skbmark and give better result. > > I am unable to find a use-case, in my limited thinking, where nft > outperforms iptables+ipset. > > Is it like we are meanwhile focusing on features and performance is a > secondary aspect as of now and will be seen later > OR > I am simply missing an obvious thing?? -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html