David Miller <da...@davemloft.net> wrote:
> From: Florian Westphal <f...@strlen.de>
> Date: Mon, 19 Feb 2018 15:59:35 +0100
>
> > David Miller <da...@davemloft.net> wrote:
> >> It also means that the scope of developers who can contribute and work
> >> on the translator is much larger.
> >
> > How so? Translator is in userspace in nftables case too?
>
> Florian, first of all, the whole "change the iptables binary" idea is
> a non-starter. For the many reasons I have described in the various
> postings I have made today.
>
> It is entirely impractical.

???????

You suggest:

iptables -> setsockopt -> umh (xtables -> ebpf) -> kernel

How is this different from

iptables -> setsockopt -> umh (Xtables -> nftables) -> kernel ?

EBPF can be placed within nftables either userspace or kernel,
there is nothing that prevents this.

> Anything designed in that nature must be distributed completely in the
> kernel tree, so that the iptables kernel ABI is provided without any
> external dependencies.

Would you be willing to merge nftables into kernel tools directory then?