On Tue, 10 Dec 2019 17:54:49 +0100 "Jason A. Donenfeld" <ja...@zx2c4.com> wrote:
> iptables rules and nftables rules can co-exist just fine, without any
> translation needed. Indeed if your iptables is symlinked to
> iptables-nft, then you'll insert nftables rules when you try to insert
> iptables rules, but it really doesn't matter much either way (AFAIK).
> I figured I'd prefer nftables over iptables if available because I
> presume, without any metrics, that nftables is probably faster and
> slicker or something.

nftables is slower than iptables across pretty much every metric [1][2]. It only wins where a pathological case is used for the iptables counterpart (e.g. tons of single IPs as individual rules and without ipset).

It is a disaster that it is purported to be the iptables replacement, just for the syntax and non-essential whistles such as updating rules in place or something. And personally I don't prefer the new syntax either.

It's the systemd and pulseaudio story all over again, where something more convoluted, less reliable and of lower quality is passed for a replacement of stuff that actually worked, but was deemed "unsexy" and arbitrarily declared as deprecated.

[1] http://www.diva-portal.org/smash/get/diva2:1212650/FULLTEXT01.pdf
[2] https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/

--
With respect,
Roman

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
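The "pathological case" Roman mentions (one iptables rule per blocked address, no ipset) is easiest to see side by side with the set-based shapes. The script below is an added example, not part of the thread and not WireGuard project code: it only prints the loading commands for three equivalent rulesets to stdout so they can be compared offline, and the blocked addresses are constructed values from the RFC 5737 documentation range. The table, chain and set names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: emit firewall-loading commands for one block policy in
# three shapes, without touching a live kernel. Addresses are constructed.
set -eu

BLOCKED="192.0.2.1 192.0.2.2 192.0.2.3 198.51.100.7"

# Pathological shape: one iptables rule per address. Packet matching walks
# the chain linearly, so per-packet cost grows with the number of entries.
gen_iptables_per_ip() {
    for ip in $BLOCKED; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Same policy with ipset: one hash set plus a single match rule, so the
# chain length stays constant however many addresses are listed.
gen_ipset() {
    printf 'ipset create blocklist hash:ip\n'
    for ip in $BLOCKED; do
        printf 'ipset add blocklist %s\n' "$ip"
    done
    printf 'iptables -A INPUT -m set --match-set blocklist src -j DROP\n'
}

# nftables equivalent: a named set (assumed names: table "filter", chain
# "input", set "blocklist") and one rule that references it.
gen_nft() {
    elems=$(printf '%s' "$BLOCKED" | tr ' ' ',')
    printf 'nft add table inet filter\n'
    printf 'nft add chain inet filter input "{ type filter hook input priority 0; policy accept; }"\n'
    printf 'nft add set inet filter blocklist "{ type ipv4_addr; }"\n'
    printf 'nft add element inet filter blocklist "{ %s }"\n' "$elems"
    printf 'nft add rule inet filter input ip saddr @blocklist drop\n'
}

# Number of packet-matching rules each shape installs in the input chain;
# this is the figure that grows with the blocklist only in the first shape.
chain_rules_per_ip() { gen_iptables_per_ip | wc -l | tr -d ' '; }
chain_rules_ipset()  { gen_ipset | grep -c '^iptables '; }
chain_rules_nft()    { gen_nft | grep -c '^nft add rule '; }

# Stand-alone run: print all three rulesets with their chain-rule counts.
if [ "${1:-}" = "--show" ]; then
    for shape in gen_iptables_per_ip gen_ipset gen_nft; do
        printf '### %s\n' "$shape"; "$shape"; echo
    done
    printf 'chain rules: per-ip=%s ipset=%s nft=%s\n' \
        "$(chain_rules_per_ip)" "$(chain_rules_ipset)" "$(chain_rules_nft)"
fi
```

Run with `sh script.sh --show` to see the three outputs. The point of the comparison is that the benchmarks cited above compare equal-sized rulesets; an iptables chain that grows by one rule per address is a ruleset-design problem fixed by ipset, not evidence about the matching engine itself.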