Hi,

I'd like to propose switching from individual nft commands to nft -f in the nftables firewall backend — either as a new backend or as an extension of the existing one.

The main motivation is performance. In benchmarking, nft -f is about 46% faster. The following commands are run on the .args files in the nwfilter nftables v6 patch.

    $ time for i in *.args; do n=$(echo $i | sed s/.args$//); sudo ./reset-tables.sh; sudo sh -e $i; done

    real    0m8.335s
    user    0m0.320s
    sys     0m0.564s

    $ time for i in *.output; do sudo ./reset-tables.sh skipvmap; sudo nft -f $i; done

    real    0m4.518s
    user    0m0.274s
    sys     0m0.498s

On top of that, loading a full ruleset via nft -f is atomic for the whole set of changes, which allows us to remove the rollback logic and removes the need for tmp rules.

One issue I see is that the current approach allows certain commands to fail silently: deleting something that doesn't exist won't abort the operation. That's not the case with nft -f, where a failure stops the whole load. One approach here is to only use nft -f for sections that don't contain ignore-errors commands, and run those separately as individual commands.

As described earlier: to handle the current non-atomic nature, we have a few extra commands in place — a temporary jump rule, delete vmap entry, add vmap entry. The tmp jump can be replaced by running nft -f instead.

I wonder what your opinions are about adding nft -f.

Regards,
Dion
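The sectioning approach proposed above (atomic nft -f for runs of commands that must succeed, individual nft invocations for commands that may fail) as an added example in POSIX sh. This is not code from the nwfilter patch series; it assumes a flat input file with one nft command per line and a made-up convention that a command allowed to fail is prefixed with "?". The nft binary is taken from the NFT variable so the logic can be exercised without root or nftables.

```shell
#!/bin/sh
# Added example, not code from the nwfilter nftables patches.
# Replays a list of nft commands in order as a sequence of sections:
#   - each contiguous run of commands that must succeed is collected in a
#     temporary file and loaded with `nft -f`, which the kernel applies as
#     one all-or-nothing batch (so no per-rule rollback bookkeeping);
#   - a command that may fail (assumed convention: "?" prefix, e.g.
#     "?delete element ...") first flushes the pending batch, then runs on
#     its own with plain `nft`, and its exit status is ignored.
# NFT names the nft binary; override it (e.g. with a shell function) to test.
NFT=${NFT:-nft}

# flush_batch FILE -- load FILE atomically with `nft -f` if it holds any
# commands, then empty it so the next section starts clean.
flush_batch() {
    if [ -s "$1" ]; then
        "$NFT" -f "$1" || return 1
        : > "$1"
    fi
}

# apply_commands INPUT -- process INPUT line by line, preserving order.
# Returns non-zero as soon as an atomic section fails to load.
apply_commands() {
    batch=$(mktemp) || return 1
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                              # blank line or comment
            '?'*)                                    # tolerant command
                flush_batch "$batch" || { status=1; break; }
                # word-splitting is intended: nft takes the command as argv
                "$NFT" ${line#\?} || true
                ;;
            *)  printf '%s\n' "$line" >> "$batch" ;; # strict command
        esac
    done < "$1"
    if [ "$status" -eq 0 ]; then
        flush_batch "$batch" || status=1
    fi
    rm -f "$batch"
    return "$status"
}
```

With a real nft, `NFT=nft apply_commands rules.txt` loads every strict section with one netlink batch each; the only non-atomic boundaries left are the tolerant commands themselves, which is exactly where the current backend already has to tolerate a missing object.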