Nftables: Not addressing VJ channels or userspace tcp

I agree if nftables is to get up Patrick will have to come up with some transition arrangement. Whether that be iptables and nftables co-existing for a while, or nftables emulating iptables rather like ifconfig is now an emulator is probably a matter of taste.

However, that is just my reading of the political wind. Personally I don't would not care if one day nftables just replaced iptables. It would not be a huge job to just replace my firewalls - if there was documentation.

As for speed, I think that is a minor issue compared to the code duplication. If you really want a fast firewall you could use a u32 ingress filter now for many purposes. And that is a problem. These layers all implementing similar functions bloat the kernel, slow things down and complicate things immensely. Networking is hard enough without having several different ways of doing things.