LinuxQuestions.org (/questions/) > Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: what is advantage of nftables over iptables packet filter ? (https://www.linuxquestions.org/questions/linux-security-4/what-is-advantage-of-nftables-over-iptables-packet-filter-4175520764/)

kikilinux 10-01-2014 01:10 PM

What is the advantage of nftables over the iptables packet filter?
 
Hi,
I want to know: can iptables be completely replaced with nftables?
Does nftables have great advantages over iptables?
I have some questions about "Pseudo-state machine in kernel-space" and "Fast lookups through performance data structures".
What exactly is the advantage of the first one?
And the second one, "fast lookups": is it appropriate for a large rule set with thousands of rules?

unSpawn 10-01-2014 03:26 PM

Quote:

Originally Posted by kikilinux (Post 5247627)
I want to know: can iptables be completely replaced with nftables?

The idea is it eventually will, yes.


Quote:

Originally Posted by kikilinux (Post 5247627)
Does nftables have great advantages over iptables?

http://wiki.nftables.org/wiki-nftabl..._with_iptables
https://home.regit.org/2014/01/why-y...love-nftables/
*Also see the rule set in comment #20.


Quote:

Originally Posted by kikilinux (Post 5247627)
I have some questions about "Pseudo-state machine in kernel-space" and "Fast lookups through performance data structures".
What exactly is the advantage of the first one?

I think http://www.tcpdump.org/papers/bpf-usenix93.pdf (chapter 3) explains this best: it's about how you express a human-readable rule set as code the kernel (the virtual state machine) understands and can use efficiently (think binary decision tree).


Quote:

Originally Posted by kikilinux (Post 5247627)
And the second one, "fast lookups": is it appropriate for a large rule set with thousands of rules?

I think you can sort of compare that with how ipset works. For example, some apps / users dump all sorts of blocking rules into the filter table INPUT chain, but with ipset you'd only use one iptables rule and have all the IP addresses or ranges in one set: very efficient.
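As an added example (not part of the thread, and not unSpawn's or the nftables project's own code), the script below makes the two points of the answer above concrete: it takes a small, constructed blocklist (RFC 5737 documentation addresses) and emits, on one side, the "one iptables rule per address" pattern that the kernel has to walk top to bottom for every packet, and on the other side a complete nftables ruleset in `nft -f` syntax where all the addresses live in one named set and a single `ip saddr @blocklist` rule does one set lookup. The set definition assumes a reasonably recent nft that understands `flags interval` and `auto-merge` (so overlapping ranges are collapsed at load time rather than rejected); the table and set names are my own choice. Only text is generated here, so it runs without root and without nft installed; the load commands are shown in comments.

```shell
#!/bin/sh
# Added example, not from the thread: convert a plain blocklist into an
# nftables ruleset that matches every entry with ONE rule plus a set lookup,
# and, for comparison, into one iptables rule per entry.
# The blocklist below is constructed sample data (RFC 5737 documentation ranges).

BLOCKLIST='# constructed sample blocklist: one IPv4 address or CIDR per line
192.0.2.0/24
198.51.100.7
203.0.113.128/25
# repeated entry on purpose; it is deduplicated before the set is written
198.51.100.7
'

# Strip comments and blank lines, deduplicate; one entry per output line.
clean_entries() {
    printf '%s\n' "$BLOCKLIST" | grep -v '^#' | grep -v '^[[:space:]]*$' | sort -u
}

# How many distinct entries the single nftables rule replaces.
count_entries() {
    clean_entries | wc -l | tr -d ' '
}

# The pattern described in the answer: N rules in the INPUT chain, evaluated
# linearly for every packet. Assumed table/chain: filter/INPUT.
gen_iptables_rules() {
    clean_entries | while read -r net; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$net"
    done
}

# A complete nft -f ruleset: a named interval set holding all entries and one
# rule that drops any packet whose source is in the set (hash/interval lookup,
# cost independent of how many entries the set holds).
# 'auto-merge' assumes a recent nft (it collapses overlapping intervals on load).
gen_nft_ruleset() {
    elements=$(clean_entries | paste -s -d, - | sed 's/,/, /g')
    cat <<EOF
table inet filter {
    set blocklist {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @blocklist counter drop
    }
}
EOF
}

gen_nft_ruleset
# To load (as root):   gen_nft_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
# To add an entry without touching the rule:
#                      nft add element inet filter blocklist { 192.0.2.200 }
```

The iptables side grows by one chain rule per address, so a packet that matches nothing pays for every rule before reaching the chain policy; the nftables side stays at one rule no matter how large the set gets, which is the "fast lookups through performance data structures" point. To see the "pseudo-state machine" side of the answer, load the generated file with `nft --debug=netlink -f /etc/nftables.conf`: nft prints the payload, lookup and immediate/verdict expressions it compiled the rule into, which is the bytecode-like form the kernel actually evaluates.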

