Hi,

On Tue, Jan 30, 2024 at 05:57:21PM +0000, Kerin Millar wrote:
> It is easy to say that it is pointless if not the one to be responsible
> for implementing and maintaining the code and trying to take into account
> diverse - and occasionally conflicting - user desires. There have been
> various set-related bugs in nftables over the years. Complexity surely
> matters to someone. There are multiple open bugs now that concern both
> performance and memory usage. Efficiency surely matters to someone.

That responsibility should have been considered before taking the decision
to dump iptables. iptables is used everywhere and elsewhere, while nftables
is the new kid on the block. Currently, changing over from iptables to
nftables needs not only dropping all your know-how, but also dropping
nearly all of your available tooling. This is a considerable step backwards
regarding ease of use, and not having an easy way to write dual-stack rules
hits the early adopters who have been using IPv6 for decades. Those would
also be the early adopters for nftables, but making their lives harder in
writing firewall rules will prevent nftables migrations.

> > Nftables now has an inet family, which is a great step from iptables. But
> > it still requires maintaining separate rules in it for anything with a
> > network layer address, e.g. the mentioned sets (and for icmp/icmp6 too).
> > I hope that it is a temporary state only and will be improved soon.
>
> For it to improve, you could put forward a concrete suggestion as to how
> it might be improved, be it supporting logical disjunctions in rules,
> supporting a generic address type in sets or whatever else. That would, at
> least, be a step along the road to (potentially) convincing whoever is
> going to do the work that it is justified.

My suggestion would be to allow IPv4 and IPv6 addresses mixed in definitions
and sets, and disregard invalid combinations in rule generation. At least
that's what existing iptables tools do, and emulating this behavior would
probably ease the transition.

I am open to other discussions, but I doubt that I would be helpful because
I don't know enough about nftables at the moment.

> On my part, and despite having been a user of nftables for many years
> now, I would prefer to see its QA and documentation improve ahead of -
> though not wholly at the expense of - new features being added.

QA and documentation are important, of course.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
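An added example, not from this thread or from the nftables project, of the tooling behaviour Marc describes: it takes one mixed IPv4/IPv6 list, the way iptables front-ends accept it, and generates the separate typed sets and ip/ip6 rules that an nft inet-family table currently requires, silently skipping any family that has no members. The function names, the set and table names, and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample input: one mixed list, as an operator would keep it for
# iptables tooling that splits it into v4 and v6 rules internally.
SAMPLE_BLOCKLIST = ["192.0.2.0/24", "198.51.100.7", "2001:db8::/32", "2001:db8:1::7"]


def split_by_family(entries):
    """Parse mixed IPv4/IPv6 hosts or prefixes and split them by family.

    Returns (ipv4_members, ipv6_members) as lists of strings in nft notation:
    hosts as plain addresses, prefixes in CIDR form. A malformed entry raises
    ValueError instead of silently ending up in a firewall rule.
    """
    v4, v6 = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6


def render_inet_ruleset(table_name, set_name, entries):
    """Emit an nft inet-family ruleset that drops traffic from the given sources.

    nftables sets are typed (ipv4_addr or ipv6_addr), so one typed set and one
    matching 'ip'/'ip6' rule are generated per family; a family with no
    members is left out entirely (the "disregard invalid combinations" part).
    """
    v4, v6 = split_by_family(entries)
    sets, rules = [], []
    for suffix, family, proto, members in (("4", "ipv4_addr", "ip", v4),
                                           ("6", "ipv6_addr", "ip6", v6)):
        if not members:
            continue
        sets.append(f"    set {set_name}{suffix} {{\n"
                    f"        type {family}\n"
                    f"        flags interval\n"  # needed for prefix members
                    f"        elements = {{ {', '.join(members)} }}\n"
                    f"    }}\n")
        rules.append(f"        {proto} saddr @{set_name}{suffix} drop\n")
    return (f"table inet {table_name} {{\n" + "".join(sets) +
            "    chain input {\n"
            "        type filter hook input priority 0; policy accept;\n" +
            "".join(rules) + "    }\n}\n")


if __name__ == "__main__":
    print(render_inet_ruleset("filter", "blocklist", SAMPLE_BLOCKLIST))
```

The printed text can be loaded with `nft -f` to check that it parses; the generated table is the same shape one would otherwise maintain by hand, once per family.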