Quote:
Originally Posted by kikilinux
I want to know, can iptables be completely replaced with nftables?
The idea is it eventually will, yes.
Quote:
Originally Posted by kikilinux
Does nftables have great advantages over the iptables?
http://wiki.nftables.org/wiki-nftabl..._with_iptables
https://home.regit.org/2014/01/why-y...love-nftables/
*Also see the rule set in comment #20.
Quote:
Originally Posted by kikilinux
I have some questions about "Pseudo-state machine in kernel-space" and "Fast lookups through performance data structures".
What exactly is the advantage of the first one?
I think http://www.tcpdump.org/papers/bpf-usenix93.pdf (chapter 3) explains this best: it's about how you express a human readable rule set as code the kernel (the virtual state machine) understands and can use efficiently (think binary decision tree).
Quote:
Originally Posted by kikilinux
And the second one, "fast lookups": is it appropriate for large rule sets with thousands of rules?
I think you can sort of compare that with how ipset works. For example, some apps / users dump all sorts of blocking rules in the filter table INPUT chain, but with ipset you'd only use one iptables rule and have all the IP addresses or ranges in one set: very efficient.
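Added example, not from the thread or either project: a small POSIX shell script that prints the two forms contrasted above, a single nftables rule that looks up a named set versus one iptables rule per address. The table name `filter`, the set name `blocklist` and the sample addresses are constructed; the script only emits text and loads nothing into the kernel.

```shell
#!/bin/sh
# Emit an nftables ruleset that blocks every address in a list with ONE
# rule referencing a named set, and, for contrast, the equivalent
# one-rule-per-address iptables form. Names and addresses are assumptions;
# nothing here is applied to a live firewall.

# Constructed sample list: one address or CIDR range per line.
SAMPLE_ADDRS="203.0.113.0/24
198.51.100.7
192.0.2.10
192.0.2.11"

# nft form: all addresses live in one set, the chain holds a single lookup.
# "flags interval" lets the set hold prefixes/ranges as well as plain addresses.
gen_nft_ruleset() {
    printf 'table inet filter {\n'
    printf '\tset blocklist {\n\t\ttype ipv4_addr\n\t\tflags interval\n\t\telements = { '
    printf '%s' "$1" | tr '\n' ',' | sed 's/,$//; s/,/, /g'
    printf ' }\n\t}\n'
    printf '\tchain input {\n\t\ttype filter hook input priority 0; policy accept;\n'
    printf '\t\tip saddr @blocklist drop\n\t}\n}\n'
}

# iptables form: one rule per address; each packet walks the whole chain.
gen_iptables_rules() {
    printf '%s\n' "$1" | while IFS= read -r addr; do
        if [ -n "$addr" ]; then
            printf 'iptables -A INPUT -s %s -j DROP\n' "$addr"
        fi
    done
}

# Count how many chain rules each form produces for the same list.
count_nft_drop_rules() { gen_nft_ruleset "$1" | grep -c 'drop'; }
count_iptables_rules() { gen_iptables_rules "$1" | grep -c 'DROP'; }
```

Grow the list to thousands of entries and the nft chain still contains exactly one rule; the iptables chain grows by one rule per address.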