Date: Tue, 10 Dec 2019 23:00:58 +0500
From: Roman Mamedov
To: "Jason A. Donenfeld"
Cc: "jwollrath@web.de", "wireguard@lists.zx2c4.com"
Subject: Re: [PATCH] wg-quick: linux: add support for nft and prefer it

On Tue, 10 Dec 2019 18:36:06 +0100
"Jason A. Donenfeld" wrote:

> That bachelors thesis says in the abstract, "Latency was measured
> through the round-trip time of ICMP packets while throughput was
> measured by generating UDP traffic using iPerf3. The results showed
> that, when using linear look-ups, nftables performs worse than
> iptables when using small frame sizes and when using large rulesets.

Smallest possible frame sizes are what matters the most when testing any router or firewall setup, because only then you will hit the packet-per-second limits of the actual firewalling/routing engine. Good performance at large frame sizes is not an impressive achievement, there you will just hit on-the-wire bandwidth limits sooner than the CPU toll of processing rulesets or routing lookups for each of those frames will begin to matter.

> On the other hand, if what you say is actually true in our case, and
> nftables is utter crap, then perhaps we should scrap this nft(8) patch
> all together and just keep pure iptables(8). DKG - you seemed to want
> nft(8) support, though. How would you feel about that sort of
> conclusion?

Even with my view of it I do not argue for removing nftables support from your tools, realistically it's probably not going anywhere, or at least not soon enough, just thought I should point out that "nftables is faster" should not be so naturally assumed to be the case, and if I dare to say that everyone should decide for themselves what tools they prefer, and to carefully weigh all benefits and downsides of the proposed alternatives -- not just come along obediently with some external party that "knows what is best for you" and declares something deprecated out of their own arbitrary reasons.

-- 
With respect,
Roman
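A simple bottleneck model of the frame-size argument in the message above, added here as an illustration and not part of the original message or the thesis it quotes. The 10 Gbit/s link and the two per-packet processing costs (500 ns and 1000 ns) are constructed values, not measurements of iptables or nftables.

```python
# Bottleneck model: forwarding rate is capped by whichever is lower,
# the wire's frame rate or the engine's per-packet processing rate.

# Bytes each Ethernet frame occupies on the wire beyond the frame itself:
# 7 preamble + 1 start-of-frame delimiter + 12 inter-frame gap.
ETH_WIRE_OVERHEAD = 20


def line_rate_pps(link_bps, frame_bytes):
    """Maximum frames per second the link can carry (frame_bytes includes FCS)."""
    return link_bps / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def cpu_pps(per_packet_ns):
    """Packets per second one core sustains at a fixed per-packet cost."""
    return 1e9 / per_packet_ns


def bottleneck(link_bps, frame_bytes, per_packet_ns):
    """Return the achieved packet rate and which resource limits it."""
    wire = line_rate_pps(link_bps, frame_bytes)
    cpu = cpu_pps(per_packet_ns)
    return {
        "wire_pps": wire,
        "cpu_pps": cpu,
        "achieved_pps": min(wire, cpu),
        "limit": "cpu" if cpu < wire else "wire",
    }


def compare(link_bps, frame_sizes, engines):
    """Rows of (frame_bytes, engine_name, achieved_pps, limit) for each combination."""
    rows = []
    for size in frame_sizes:
        for name, cost_ns in engines.items():
            r = bottleneck(link_bps, size, cost_ns)
            rows.append((size, name, round(r["achieved_pps"]), r["limit"]))
    return rows


if __name__ == "__main__":
    # Constructed per-packet costs for two hypothetical rule engines.
    engines = {"engine_a": 500, "engine_b": 1000}
    for row in compare(10e9, [64, 1518], engines):
        print("%5d B  %-9s %10d pps  limited by %s" % row)
```

With these inputs the two engines differ by a factor of two at 64-byte frames and are indistinguishable at 1518-byte frames, where the link caps both.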