NFTables
This means that when a packet comes in, the time it takes the kernel to check it against all of the Service rules is O(n) in the number of Services. As the number of Services increases, both the average and the worst-case latency for the first packet of a new connection increases (with the difference between best-case, average, and worst-case being mostly determined by whether a given Service IP address appears earlier or later in the KUBE-SERVICES chain).
https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy
NFTables are an alternative to iptables in kubernetes that should be better for high load clusters. There’s obvious difficulties with replacing such a critical piece of functionality for kubernetes so it definitely needs a lot more testing in the real world before it is put into production systems. But the benefits are there and are clear. It is far faster, especially at high scale. For packet routing iptables is O(n) whereas NFTables should be closer to constant time. As for inserting and making changes, iptables often has to make changes to everything, whereas NFTables can make much more incremental updates such as only to what has changed
Read Full Post...With both iptables and nftables, the total size of the ruleset as a whole (actual rules, plus associated data) is O(n) in the combined number of Services and their endpoints. Originally, the iptables backend would rewrite every rule on every update, and with tens of thousands of Services, this could grow to be hundreds of thousands of iptables rules. Starting in Kubernetes 1.26, we began