[PATCH] wg-quick: linux: add support for nft and prefer it

Jason A. Donenfeld Jason at zx2c4.com
Tue Dec 10 18:36:06 CET 2019


Hi Roman,

On Tue, Dec 10, 2019 at 6:12 PM Roman Mamedov <rm at romanrm.net> wrote:
>
> On Tue, 10 Dec 2019 17:54:49 +0100
> "Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
>
> > iptables rules and nftables rules can co-exist just fine, without any
> > translation needed. Indeed if your iptables is symlinked to
> > iptables-nft, then you'll insert nftables rules when you try to insert
> > iptables rules, but it really doesn't matter much either way (AFAIK).
> > I figured I'd prefer nftables over iptables if available because I
> > presume, without any metrics, that nftables is probably faster and
> > slicker or something.
>
> nftables is slower than iptables across pretty much every metric[1][2]. It
> only wins where a pathological case is used for the iptables counterpart (e.g.
> tons of single IPs as individual rules and without ipset). It is a disaster
> that it is purported to be the iptables replacement, just for the syntax and
> non-essential whistles such as updating rules in place or something. And
> personally I don't prefer the new syntax either. It's the systemd and
> pulseaudio story all over again, where something more convoluted, less reliable
> and of lower quality is passed for a replacement of stuff that actually worked,
> but was deemed "unsexy" and arbitrarily declared as deprecated.
>
> [1] http://www.diva-portal.org/smash/get/diva2:1212650/FULLTEXT01.pdf
> [2] https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/

That bachelor's thesis says in the abstract, "Latency was measured
through the round-trip time of ICMP packets while throughput was
measured by generating UDP traffic using iPerf3. The results showed
that, when using linear look-ups, nftables performs worse than
iptables when using small frame sizes and when using large rulesets.
If the frame size was fairly large and rule-set fairly small, nftables
was often performed slightly better both in terms of latency and in
terms of throughput. When using indexed data structures, performance
of both firewalls was very similar regardless of frame size or
rule-set size. Minor, but statistically significant, differences were
found both in favour of and against nftables, depending on the exact
parameters used." So maybe it doesn't actually matter?

On the other hand, if what you say is actually true in our case, and
nftables is utter crap, then perhaps we should scrap this nft(8) patch
altogether and just keep pure iptables(8). DKG - you seemed to want
nft(8) support, though. How would you feel about that sort of
conclusion?

Jason
