From: Jordan Glover
To: "Jason A. Donenfeld"
Cc: "jwollrath@web.de", "wireguard@lists.zx2c4.com"
Subject: Re: [PATCH] wg-quick: linux: add support for nft and prefer it
Date: Tue, 10 Dec 2019 20:30:14 +0000
Message-ID: <5hY57KNFlbEgS6fAPnw9YbBwTENsSKiWsoofsA7UBa0C1cnN1eg_yB2egr01M3gGsAmOlJ9AS9CBg5vuZOi8Zw7p0luFqaAkQoNKzTNoV5Q=@protonmail.ch>
References: <20191210154850.577745-1-Jason@zx2c4.com> <20191210221215.56c2f30d@natsu>
List-Id: Development discussion of WireGuard

On Tuesday, December 10, 2019 7:15 PM, Jason A. Donenfeld wrote:

> On Tue, Dec 10, 2019 at 7:58 PM Jordan Glover
> <Golden_Miller83@protonmail.ch> wrote:
> >
> > On Tuesday, December 10, 2019 5:36 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > > On the other hand, if what you say is actually true in our case, and
> > > nftables is utter crap, then perhaps we should scrap this nft(8) patch
> > > altogether and just keep pure iptables(8). DKG - you seemed to want
> > > nft(8) support, though. How would you feel about that sort of
> > > conclusion?
> > > Jason
> >
> > The only scenario where you really want to use nft is where the iptables command
> > doesn't exist. I don't know how realistic a scenario it is, but I assume it can
> > happen in the wild. Otherwise calling iptables will take care of both iptables
> > and nftables automatically if those are supported on the system. That's why I
> > proposed to invert the current patch logic.
>
> I reason about things a bit differently. For me, the decision is
> between these two categories:
>
> A) iptables-nft points to iptables and is available for people who
> want a nft-only system. So, code against the iptables API, and mandate
> that users either have iptables or iptables-nft installed, which isn't
> unreasonable, considering the easy availability of each.
>
> B) nft is the future and should be used whenever available. Support
> iptables as a fallback though for old systems, and remove it as soon
> as we can.
>
> Attitudes that fall somewhere between (A) and (B) are much less
> interesting to me.

Isn't the future goal to drop those firewall hacks altogether? The future of nft may be irrelevant then, and effort should go into iptables, which works on more systems.

Jordan
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
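The backend choice debated in this thread, as an added POSIX sh example that is not from the thread or from wg-quick itself: `pick_backend` implements policy (A) and policy (B) over a caller-supplied list of available tools (so it can be exercised offline), and `classify_iptables` reads the backend tag that iptables 1.8+ prints in `iptables -V` output; the version strings are constructed samples, and the function and tool-list names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or wg-quick): pick nft(8) vs iptables(8)
# under policies A/B; tool availability is passed in so it runs offline.

# classify_iptables VERSION_STRING -> nf_tables | legacy | unknown
# iptables >= 1.8 tags its backend in `iptables -V`, e.g. "iptables v1.8.4 (nf_tables)".
classify_iptables() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# have_tool NAME TOOL... -> true when NAME is among the listed tools
have_tool() {
    name="$1"; shift
    for t in "$@"; do
        [ "$t" = "$name" ] && return 0
    done
    return 1
}

# pick_backend POLICY TOOL... -> prints the tool to drive, or "none" (status 1)
#   A: code against the iptables API; iptables-nft is an acceptable provider,
#      a bare nft binary is not.
#   B: prefer nft whenever present, fall back to iptables for old systems.
pick_backend() {
    policy="$1"; shift
    case "$policy" in
        A)
            if have_tool iptables "$@"; then echo iptables; return 0; fi
            if have_tool iptables-nft "$@"; then echo iptables-nft; return 0; fi
            ;;
        B)
            if have_tool nft "$@"; then echo nft; return 0; fi
            if have_tool iptables "$@"; then echo iptables; return 0; fi
            ;;
    esac
    echo none
    return 1
}

# installed_tools -> the subset of nft/iptables/iptables-nft found on PATH
installed_tools() {
    for t in nft iptables iptables-nft; do
        command -v "$t" >/dev/null 2>&1 && printf '%s ' "$t"
    done
}
```

On a live host, `pick_backend B $(installed_tools)` gives the policy (B) answer for that machine, and `classify_iptables "$(iptables -V)"` tells you whether a present iptables is already the nf_tables-backed one.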