Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Jun 14, 2017 at 01:53:38PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > > > The extra hook has a performance impact though, is it something that > > > would just go away once x_tables is gone? What

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 07:13:12PM +0200, Pablo Neira Ayuso wrote: > On Wed, Jun 14, 2017 at 01:53:38PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > > > The extra hook has a performance impact though, is it something that > > > would just go away once

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 01:53:38PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > > The extra hook has a performance impact though, is it something that > > would just go away once x_tables is gone? What is your plan on this? > > Once we do it we can't remove

Re: using nft & iptables nat in parallel

2017-06-14 Thread Arturo Borrero Gonzalez
On 14 June 2017 at 11:58, Florian Westphal wrote: > Arturo Borrero Gonzalez wrote: >> I'm curious, what is the use case of using both nftables and iptables >> at the same time? >> Some missing functionality in nft? >> Perhaps some ipt->nft partial migration

Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > That still means drastic change, swapping out xt_core for nftables > > rather than using "old" iptables is still a big difference... > > Not drastic. The idea is that compat provides same semantics. Did you > give it a try to evaluate the state

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 01:19:34PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Wed, Jun 14, 2017 at 11:58:03AM +0200, Florian Westphal wrote: > > > Arturo Borrero Gonzalez wrote: > > > > I'm curious, what is the use case of using both

Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Jun 14, 2017 at 11:58:03AM +0200, Florian Westphal wrote: > > Arturo Borrero Gonzalez wrote: > > > I'm curious, what is the use case of using both nftables and iptables > > > at the same time? > > > Some missing

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 11:58:03AM +0200, Florian Westphal wrote: > Arturo Borrero Gonzalez wrote: > > I'm curious, what is the use case of using both nftables and iptables > > at the same time? > > Some missing functionality in nft? > > Perhaps some ipt->nft partial migration

Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > I'm curious, what is the use case of using both nftables and iptables > at the same time? > Some missing functionality in nft? > Perhaps some ipt->nft partial migration procedure? Yes, partial migration. Right now there are an awful lot of

Re: using nft & iptables nat in parallel

2017-06-14 Thread Arturo Borrero Gonzalez
On 14 June 2017 at 11:24, Florian Westphal wrote: > > Another side effect is that this avoids the need to add (in nft case) > the 'empty' nat base chains to take care of reply translation. > good! > Thoughts? > I'm curious, what is the use case of using both nftables and

using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Hi. As you might know it's currently not possible to use iptables and nft nat at the same time. I had a look at this and think we should fix this as follows: 1. decouple nat rewrite from nat chain/iptable_nat iteration. Currently we do this from nf_nat_ipv4/6_fn, so first call (be it nft nat or