Howdy,

So you've provided no hard numbers about the size of sets and the complexity of the rules you are using in either environment, so I can't really argue any of the metrics you might like to see. That said, here is my personal opinion about the larger question you seem to be asking: "What makes NFTables attractive?"

(1) Atomic ruleset and set-content replacement(s), so you never have momentary outages during updates. (It depends on the practical frequency of updates how much of a win this is for you.)

(2) Fewer "failed" or "repeated" tests per packet. You could always skip some of this stuff by using sub-chains etc., but in nft the as-you-go evaluation, where you can test, then act, then test some more and then act some more all in one directive, can be a semantic and process win. Pseudocode example: some test, counter, mark packet, some other test, verdict map. The rules can have left-to-right complexity that isolates the expensive bits but still have actions applied from partial testing and acting.

(3) Easy things, like interface group numbers, that let you have rules in force while interfaces are being initialized. For example, I reject all packets except DHCP and such for interface group zero, then when I've finished the setup and DHCP and such I move the interface into a trust group (example numbers are not the ones I actually use: one for external, two for internal, three for internally significant [like the bridge top-levels]) and I can filter by group greater than, less than, or equal to the various group numbers-as-thresholds.

---

So nft is more of a "programming language" than the simple set of if-then singleton predicates of iptables. As such it seems a little front-loaded in terms of expense. So if you've just translated your iptables rules and usages into nft you are probably not going to see any significant win. But once you start stacking actions and chaining predicates I _think_ you'll see that your performance goes up.

In particular you should be able to optimize the heck out of your "missed rules expense". That is, the timing for a match will tend to be a push, but the cost for a non-match even in nft should go down. The hidden expense of iptables has always been the number of rules a packet is subjected to but which are not applicable to the packet itself. That is, the number of times a UDP packet is compared to a TCP rule, or the number of times a UDP packet fails a match by port number, etc.

Now, being "more of a programming language", nft seems susceptible to "bad programmer penalties". The increase in options and the width of possible uses for a given directive can really cost you. It's possible to make a bigger mess in nft than anything you can bone up in iptables.

There are also a lot of things I'd like to see added in, such as the ability to specify the no-match match for a set, e.g. an "otherwise" value, and a verb for "every protocol with a port number" (e.g. UDP, TCP, SCTP, and UDPlite (and at least one other protocol) all have their source and destination ports at the same offset, so I'd like to be able to filter all of those with one verb instead of many).

===

So there are reasons, but the question of whether those reasons apply to you is personal. Nobody is going to beg you to switch, or "miss you" if you don't. You are free to act or not as you see fit.

===

But as an aside: flouncing in and saying "I don't know why I should even join you" is never a move that wins friends or influences people. I've been as non-critical of your apparent stance as possible, but nobody needs that kind of drama. If you are actively looking for help then you need to give metrics and examples. If you are just trying to assert some sort of social superiority then the open source community will have one heck of an immune response to you. You haven't paid anybody to support your interests here, and nobody answers to you.
So announcing how all these people's work is just not something you appreciate is a great way to become unwelcome. Next time you might want to provide metrics, and show some appreciation for the work, since it's also the same people who brought you iptables as well. "Why should I even switch, this stuff sucks" is a great way to be told to go away instead of even a passable way to ask "what am I missing here". I mean, you eventually got to that "what am I missing", but by then you'd already pissed the bed.

--Rob White.
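The three points in the post above, as an added example in nft syntax. This is not Rob White's own ruleset and not anything from the netfilter project; the table name, chain names, map name, port numbers, mark value, and the group-number assignments (0 = still initialising, 1 = external, 2 = internal, 3 = bridge top-level) are all assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Loading this file with
# `nft -f <file>` applies everything below as ONE transaction: the
# `flush ruleset` and the redefinition either both happen or neither does,
# so there is no window with an empty ruleset (point 1 in the post).
flush ruleset

table inet filter {

    # Verdict map: one lookup replaces a run of per-port rules. Elements
    # can jump to a chain or give a verdict directly (assumed ports).
    map svc_verdict {
        type inet_service : verdict
        elements = { 22 : jump ssh_in,
                     80 : accept,
                     443 : accept }
    }

    chain ssh_in {
        limit rate 10/minute accept
        drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # Point 3: interface group 0 means "still being set up". Only DHCP
        # (client port 68) is allowed; everything else on such an interface
        # is dropped until the boot script moves it to a trusted group.
        iifgroup 0 udp dport 68 accept
        iifgroup 0 drop

        # Point 3: group numbers as thresholds. Group 2 (internal) and
        # group 3 (bridge top-level) are trusted wholesale.
        iifgroup >= 2 accept

        # Point 2: one rule that tests, counts, marks, tests again and then
        # dispatches through the verdict map, instead of a separate rule
        # (and a separate walk) per port. The `counter` only counts packets
        # that got past `iifgroup 1 meta l4proto tcp`.
        iifgroup 1 meta l4proto tcp counter meta mark set 0x10 tcp dport vmap @svc_verdict

        # Non-TCP traffic from the external group: only DNS replies.
        iifgroup 1 udp sport 53 counter accept
    }
}
```

To move an interface between groups once DHCP has finished, the boot script would run something like `ip link set dev eth0 group 2` (iproute2, not nft); the `iifgroup` rules above then start matching the new value on the next packet, with no ruleset reload. Changing only the map contents later (`nft add element inet filter svc_verdict { 8080 : accept }`) is likewise a single transaction, so the set/map never passes through an empty state.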