Iptables performance is limited mainly by two factors:
- Latency on the first packet of a connection, caused by linear rule matching: the kernel walks the chain rule by rule until one matches, so the cost grows with the number of rules (and therefore with the number of services).
- Latency when programming rules, caused by the need to save and restore the entire table to the kernel in each transaction: every sync rewrites the full rule set rather than applying only the rules that changed.
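The following Go program makes both bottlenecks concrete by rendering, for a set of constructed sample ClusterIP services, the iptables-restore input an iptables-mode proxy has to resend on every sync (one dispatch rule per service in a chain the kernel walks linearly) next to an nftables ruleset that dispatches through a single verdict map and can be updated with a per-service transaction. This is an added illustration, not kube-proxy's own code: the table, map and chain names, the `Service` type and the sample addresses are assumptions made for the example, and the rules are a deliberately simplified version of what a real proxy generates.

```go
package main

import (
	"fmt"
	"strings"
)

// Service is a simplified ClusterIP service with a single endpoint.
// Constructed sample type for this example; not kube-proxy's real data model.
type Service struct {
	Name     string // used to derive chain names (hypothetical naming scheme)
	IP       string // ClusterIP
	Proto    string // "tcp" or "udp"
	Port     int    // service port
	Endpoint string // backend "ip:port" receiving the DNAT
}

func (s Service) chain() string { return "service-" + s.Name }

// IptablesRestore renders the iptables-restore input an iptables-mode proxy has to
// write on every sync. Two costs are visible: the whole *nat table is replaced in
// one transaction (every rule is re-sent even if a single service changed), and the
// KUBE-SERVICES chain holds one rule per service which the kernel evaluates top to
// bottom for the first packet of each new connection.
func IptablesRestore(svcs []Service) string {
	var b strings.Builder
	b.WriteString("*nat\n:KUBE-SERVICES - [0:0]\n")
	for _, s := range svcs {
		fmt.Fprintf(&b, ":%s - [0:0]\n", s.chain())
	}
	for _, s := range svcs {
		fmt.Fprintf(&b, "-A KUBE-SERVICES -d %s/32 -p %s -m %s --dport %d -j %s\n",
			s.IP, s.Proto, s.Proto, s.Port, s.chain())
		fmt.Fprintf(&b, "-A %s -p %s -j DNAT --to-destination %s\n", s.chain(), s.Proto, s.Endpoint)
	}
	b.WriteString("COMMIT\n")
	return b.String()
}

// NftRuleset renders the initial nftables ruleset (assumed table name "kube-proxy").
// Dispatch goes through one verdict map keyed on (daddr . proto . dport): a single
// hash lookup per packet regardless of service count, instead of a linear walk.
func NftRuleset(svcs []Service) string {
	var b strings.Builder
	b.WriteString("table ip kube-proxy {\n")
	b.WriteString("\tmap service-ips {\n\t\ttype ipv4_addr . inet_proto . inet_service : verdict\n")
	if len(svcs) > 0 {
		b.WriteString("\t\telements = {\n")
		for _, s := range svcs {
			fmt.Fprintf(&b, "\t\t\t%s . %s . %d : goto %s,\n", s.IP, s.Proto, s.Port, s.chain())
		}
		b.WriteString("\t\t}\n")
	}
	b.WriteString("\t}\n")
	b.WriteString("\tchain services {\n\t\ttype nat hook prerouting priority dstnat;\n")
	b.WriteString("\t\tip daddr . meta l4proto . th dport vmap @service-ips\n\t}\n")
	for _, s := range svcs {
		fmt.Fprintf(&b, "\tchain %s {\n\t\tdnat to %s\n\t}\n", s.chain(), s.Endpoint)
	}
	b.WriteString("}\n")
	return b.String()
}

// NftAddService renders the transaction that adds ONE service to an existing
// ruleset: a new chain, its DNAT rule and one map element. Its size does not
// depend on how many services are already programmed.
func NftAddService(s Service) string {
	return fmt.Sprintf(
		"add chain ip kube-proxy %s\n"+
			"add rule ip kube-proxy %s dnat to %s\n"+
			"add element ip kube-proxy service-ips { %s . %s . %d : goto %s }\n",
		s.chain(), s.chain(), s.Endpoint, s.IP, s.Proto, s.Port, s.chain())
}

// LinearRulesEvaluated returns how many KUBE-SERVICES rules the kernel evaluates
// for the first packet to the service at 0-based position i: the match is found
// only after the i preceding rules have been checked and rejected.
func LinearRulesEvaluated(i int) int { return i + 1 }

// VmapLookups is the equivalent cost with the verdict map: always one lookup.
func VmapLookups() int { return 1 }

func countLines(s string) int { return strings.Count(s, "\n") }

// sampleServices builds n constructed services with distinct ClusterIPs.
func sampleServices(n int) []Service {
	svcs := make([]Service, n)
	for i := range svcs {
		svcs[i] = Service{
			Name:     fmt.Sprintf("svc%d", i),
			IP:       fmt.Sprintf("10.96.%d.%d", i/250, i%250+1),
			Proto:    "tcp",
			Port:     80,
			Endpoint: fmt.Sprintf("10.244.0.%d:8080", i%250+1),
		}
	}
	return svcs
}

func main() {
	svcs := sampleServices(1000)
	extra := Service{Name: "new", IP: "10.96.255.1", Proto: "tcp", Port: 443, Endpoint: "10.244.1.9:8443"}
	fmt.Printf("iptables: resend %d lines to add one service\n", countLines(IptablesRestore(append(svcs, extra))))
	fmt.Printf("nftables: send %d lines to add one service\n", countLines(NftAddService(extra)))
	fmt.Printf("first packet to the last service: %d linear rule checks vs %d map lookup\n",
		LinearRulesEvaluated(len(svcs)), VmapLookups())
}
```

With 1000 services the iptables-restore payload for a single added service is a few thousand lines re-sent in full, while the nftables transaction is three lines; and a first packet to the last service costs 1001 sequential rule evaluations in the linear chain versus one map lookup. The generated text can be loaded with `iptables-restore` and `nft -f` respectively on a test host to compare the two layouts directly.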
The kernel community moved to nftables as the replacement for iptables, with the goal of removing these performance bottlenecks. Kubernetes decided to implement a new nftables proxy for this and other reasons, explained in more detail in the corresponding KEP and during the Kubernetes Contributor Summit in Chicago 2023 in the session [Iptables, end of