From: Florian Westphal <>
Date: Mon, 19 Feb 2018 15:59:35 +0100

> David Miller <> wrote:
>> It also means that the scope of developers who can contribute and work
>> on the translator is much larger.
> How so?  Translator is in userspace in nftables case too?

Florian, first of all, the whole "change the iptables binary" idea is
a non-starter.  For the many reasons I have described in the various
postings I have made today.

It is entirely impractical.

So we are strictly talking about the code we are writing to translate
iptables ABI (in the kernel) into an eBPF based datapath.

Anything designed in that nature must be distributed completely in the
kernel tree, so that the iptables kernel ABI is provided without any
external dependencies.

We could have done the translator in the kernel, but instead we are
doing it with a userland component.

And that's what we are talking about.

Thank you.

