[PATCH] wg-quick: linux: add support for nft and prefer it

Roman Mamedov rm at romanrm.net
Tue Dec 10 18:12:15 CET 2019


On Tue, 10 Dec 2019 17:54:49 +0100
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:

> iptables rules and nftables rules can co-exist just fine, without any
> translation needed. Indeed if your iptables is symlinked to
> iptables-nft, then you'll insert nftables rules when you try to insert
> iptables rules, but it really doesn't matter much either way (AFAIK).
> I figured I'd prefer nftables over iptables if available because I
> presume, without any metrics, that nftables is probably faster and
> slicker or something.

nftables is slower than iptables across pretty much every metric[1][2]. It
only wins where a pathological case is used for the iptables counterpart (e.g.
tons of single IPs as individual rules and without ipset). It is a disaster
that it is purported to be the iptables replacement, just for the syntax and
non-essential whistles such as updating rules in place or something. And
personally I don't prefer the new syntax either. It's the systemd and
pulseaudio story all over again, where something more convoluted, less reliable
and of lower quality is passed for a replacement of stuff that actually worked,
but was deemed "unsexy" and arbitrarily declared as deprecated.

[1] http://www.diva-portal.org/smash/get/diva2:1212650/FULLTEXT01.pdf
[2] https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/

-- 
With respect,
Roman
