From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: Florian Westphal <fw@strlen.de>,
	netfilter-devel@vger.kernel.org, arturo.borrero.glez@gmail.com
Subject: Re: [PATCH nft v2 3/3] src: add xt compat support
Date: Fri, 10 Apr 2015 02:36:32 +0200	[thread overview]
Message-ID: <20150410003632.GB6929@salvia> (raw)
In-Reply-To: <20150410001151.GH13473@acer.localdomain>

On Fri, Apr 10, 2015 at 01:11:52AM +0100, Patrick McHardy wrote:
> On 10.04, Pablo Neira Ayuso wrote:
[...]
> > The user will run translation and will notice that some feature is
> > missing. Bad luck, he will retry months later. He will keep repeating
> > the process until he gets the features he needs. No matter how nice
> > nftables features are, because he still doesn't have access to what he
> > needs.
> 
> How are things missing in the translation layer? That one already
> supports compat and that is fine.
> 
> It's nft that might be missing features for him. So if it doesn't suit
> him, he'll try a different time. What's the big deal? Or ideally, he'll
> let us know. This is exactly how iptables gained in features.

ipchains was a way simpler tool, and even so we needed *more
than 10 years* to get rid of that code.

> > > And actually if you consider what the majority of users are, its people
> > > using distro provided firewalls, the translation layer will actually
> > > get us the huge majority of users.
> > >
> > > People who actively want to switch won't mind changing their ruleset,
> > > so they might as well tell us if some feature is missing and we can
> > > then discuss how to implement it in nftables.
> > 
> > They will tell us what they need, then they will sit down waiting
> > until distributors start packaging the new feature, which means
> > another wait of ~2 years. Most people rely on Linux distributions, not
> > bleeding edge kernels. You know how behind people can remain from
> > mainstream to feel -stable.
> 
> Some distributions are *a lot* faster than that. I don't buy that
> argument, this is how development has always worked, people state
> what they need, it gets done.

Even the most skilled sysadmins that I know tend to stick to conservative
distributions to relieve their workload, especially when they have to
maintain hundreds or thousands of systems.

Propagation of nftables to production will take quite some time,
and it will have to coexist with iptables for a long time.

Fact is that we won't be able to get rid of iptables for years.
