From: Roman Mamedov
To: "Jason A. Donenfeld"
Cc: jwollrath@web.de, wireguard@lists.zx2c4.com
Date: Tue, 10 Dec 2019 22:12:15 +0500
Subject: Re: [PATCH] wg-quick: linux: add support for nft and prefer it
Message-ID: <20191210221215.56c2f30d@natsu>
In-Reply-To: <20191210154850.577745-1-Jason@zx2c4.com>

On Tue, 10 Dec 2019 17:54:49 +0100 "Jason A. Donenfeld" wrote:

> iptables rules and nftables rules can co-exist just fine, without any
> translation needed. Indeed if your iptables is symlinked to
> iptables-nft, then you'll insert nftables rules when you try to insert
> iptables rules, but it really doesn't matter much either way (AFAIK).
> I figured I'd prefer nftables over iptables if available because I
> presume, without any metrics, that nftables is probably faster and
> slicker or something.

nftables is slower than iptables across pretty much every metric[1][2]. It only wins where a pathological case is used for the iptables counterpart (e.g. tons of single IPs as individual rules and without ipset).

It is a disaster that it is purported to be the iptables replacement, just for the syntax and non-essential whistles such as updating rules in place or something. And personally I don't prefer the new syntax either.

It's the systemd and pulseaudio story all over again, where something more convoluted, less reliable and of lower quality is passed for a replacement of stuff that actually worked, but was deemed "unsexy" and arbitrarily declared as deprecated.

[1] http://www.diva-portal.org/smash/get/diva2:1212650/FULLTEXT01.pdf
[2] https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/

-- 
With respect,
Roman
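The quoted message points out that an `iptables` binary symlinked to `iptables-nft` silently lands its rules in nf_tables, so a script that wants to "prefer nft if available" needs to know which backend it is actually driving before it reasons about rule coexistence. The following POSIX shell helper is an added example written for this thread; it is not code from the wg-quick patch under discussion or from either poster. It assumes only that iptables 1.8 and later append `(nf_tables)` or `(legacy)` to the `iptables -V` banner, and that older releases append neither; the sample banner strings at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the wg-quick patch: classify the backend an
# iptables binary talks to from its `iptables -V` banner, then apply the
# "prefer nft when present" policy from the thread in a testable way.

# Map an `iptables -V` banner to a backend name.
#   "iptables v1.8.7 (nf_tables)" -> nft_compat  (rules end up in nf_tables;
#                                                 visible via `nft list ruleset`)
#   "iptables v1.8.7 (legacy)"    -> legacy      (classic x_tables backend)
#   anything else                 -> unknown     (pre-1.8 banner or no iptables)
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft_compat ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Choose which tool a firewall script should drive.
#   $1 = 1 if an `nft` binary is available, 0 otherwise
#   $2 = the `iptables -V` banner (may be empty when iptables is absent)
# Prefers nft, falls back to iptables only when its banner is recognisable,
# and reports "none" when neither tool can be trusted.
pick_firewall_tool() {
    nft_present="$1"
    banner="$2"
    if [ "$nft_present" = 1 ]; then
        echo nft
    elif [ "$(iptables_backend "$banner")" != unknown ]; then
        echo iptables
    else
        echo none
    fi
}

# Live probe of the current host (harmless: only version banners are read).
live_probe() {
    if command -v nft >/dev/null 2>&1; then have_nft=1; else have_nft=0; fi
    banner="$(iptables -V 2>/dev/null || true)"
    printf 'host: nft_present=%s backend=%s -> use %s\n' \
        "$have_nft" "$(iptables_backend "$banner")" \
        "$(pick_firewall_tool "$have_nft" "$banner")"
}

# Constructed banners (not real output) to show each branch.
for sample in "iptables v1.8.7 (nf_tables)" "iptables v1.8.7 (legacy)" "iptables v1.6.1"; do
    printf '%-30s backend=%-10s no-nft-host -> %s\n' "$sample" \
        "$(iptables_backend "$sample")" "$(pick_firewall_tool 0 "$sample")"
done
live_probe
```

The practical caveat this encodes is the one from the quoted text: when the backend is `nft_compat`, rules added through `iptables` and rules added through `nft` are both nf_tables rules, so a cleanup routine that only flushes one tool's view can leave the other's rules in place; detecting the backend first lets a script flush and audit the right ruleset.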