On Tue, 10 Dec 2019 18:36:06 +0100 "Jason A. Donenfeld" <ja...@zx2c4.com> wrote:
> That bachelor's thesis says in the abstract, "Latency was measured
> through the round-trip time of ICMP packets while throughput was
> measured by generating UDP traffic using iPerf3. The results showed
> that, when using linear look-ups, nftables performs worse than
> iptables when using small frame sizes and when using large rulesets.

Smallest possible frame sizes are what matters the most when testing any router or firewall setup, because only then will you hit the packet-per-second limits of the actual firewalling/routing engine. Good performance at large frame sizes is not an impressive achievement; there you will just hit on-the-wire bandwidth limits sooner than the CPU toll of processing rulesets or routing lookups for each of those frames will begin to matter.

> On the other hand, if what you say is actually true in our case, and
> nftables is utter crap, then perhaps we should scrap this nft(8) patch
> altogether and just keep pure iptables(8). DKG - you seemed to want
> nft(8) support, though. How would you feel about that sort of
> conclusion?

Even with my view of it I do not argue for removing nftables support from your tools; realistically it's probably not going anywhere, or at least not soon enough. I just thought I should point out that "nftables is faster" should not be so naturally assumed to be the case, and, if I dare to say it, that everyone should decide for themselves what tools they prefer, and carefully weigh all benefits and downsides of the proposed alternatives -- not just come along obediently with some external party that "knows what is best for you" and declares something deprecated for their own arbitrary reasons.

--
With respect,
Roman

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard