[OpenWrt-Devel] nftables development and support in openwrt

Steven Barth cyrus at openwrt.org
Mon Dec 15 02:18:13 EST 2014

Hi Tomer,

> Regarding the firewall package - it's probably a dumb question, but 
> isn't this the reason for nftables' compatibility layer? 
> (http://git.netfilter.org/iptables-nftables/)
afaik - and please correct me if I'm wrong - that works only for the 
iptables CLI command; however, our firewall tool currently uses 
libiptables directly, so I don't think it would work easily.



> Best Regards,
> Tomer
> On Dec 14, 2014 7:08 PM, "Steven Barth" <cyrus at openwrt.org 
> <mailto:cyrus at openwrt.org>> wrote:
>     Hi Tomer,
>         I am currently working on a kernel module which offloads
>         traffic from the Networking stack.
>         This is part of a project which optimizes IP forwarding for
>         low end routers that have weak CPU and low on memory.
>     Sounds interesting. Other approaches to speeding up forwarding are,
>     btw., also being investigated right now; see
>     https://dev.openwrt.org/changeset/43587
>         I saw that nftables and libnftables are not yet supported in
>         my openwrt codebase (I am working with attitude adjustment 14.07)
>     There is no Attitude Adjustment 14.07. Attitude Adjustment is
>     12.09; Barrier Breaker is 14.07.
>         - but saw that recently some nftables related patches were
>         added to the master branch by you.
>         Could you please share the current status of nftables support
>         in openwrt?
>     nftables is packaged, I added some patches so that it is a bit
>     more embedded friendly (some of those are upstream, some of them
>     aren't). I also packaged and reorganised the netfilter kernel
>     packages.
>     So you can select nftables in menuconfig and can play around with
>     it. You can also get rid of iptables and use nftables only by
>     deselecting the related packages.
>     Known Issues
>     * In general it's not well tested. It might blow up here or there.
>     Help and bug reports are appreciated.
>     * We are aiming for kernel 3.14 for the next release, which has
>     somewhat reasonable nftables support but lacks some useful things,
>     e.g. devgroups, extended reject support, among maybe other things
>     iirc. So it will be there to play around with / get a first look at
>     it, but that's it. I don't know how the following release will look,
>     but I wouldn't keep my hopes up all too high for it to change
>     that much.
>     * Which brings us to the main issue: our firewall abstraction (the
>     firewall package, all the /etc/config/firewall magic) is tied to
>     iptables at the moment, so if you want to use nftables right now
>     you get bare metal and have to write your own rulesets completely
>     from scratch; you cannot use /etc/config/firewall or a GUI.
>     Hopefully someone will put some effort into this next year and
>     refactor our firewall daemon to use nftables, but that's a major
>     effort. Also, at the moment it's not very clear when the netfilter
>     team will create a high-level library to interact with nftables,
>     which would probably be sort of a prerequisite for it, depending on
>     how this rewritten daemon will work.
>         Regardless, I will be happy to participate with the
>         development and testing of nftables if needed, just let me
>         know if I can help,
>     Feel free to play around with it and send me bug reports etc.
>     If it looks like an nftables bug you should probably contact the
>     netfilter guys directly. If it looks like I messed up a patch or a
>     package definition, then tell me.
>     Cheers,
>     Steven
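What "bare metal" means in practice, as an added illustration that is not part of this thread and not code from any OpenWrt package: a minimal hand-written nftables ruleset for a router with one LAN bridge and one WAN uplink, covering what /etc/config/firewall would otherwise generate for you (stateful input and forward filtering plus source NAT). The interface names br-lan and eth0 are assumptions. The syntax is that of a current nft script; the plain `reject` is used on purpose because the mail says 3.14 lacks the extended reject forms, and the `masquerade` statement needs a kernel newer than 3.14 (on 3.14 you would write an explicit `snat to` with the WAN address instead).

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or from OpenWrt's firewall package.
# Assumed interface names: br-lan = LAN bridge, eth0 = WAN uplink.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to traffic the router started
        ct state invalid drop
        iif "lo" accept
        iif "br-lan" accept                    # LAN hosts may reach the router itself

        # From the WAN side, accept only what a router must be reachable for.
        iif "eth0" udp sport 67 udp dport 68 accept        # DHCPv4 client replies
        iif "eth0" udp sport 547 udp dport 546 accept      # DHCPv6 client replies
        iif "eth0" icmp type echo-request accept
        iif "eth0" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept

        # Plain reject only: extended reject ("reject with ...") is not in 3.14 per the mail.
        reject
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "br-lan" oif "eth0" accept        # LAN -> WAN only; nothing unsolicited inbound
        reject
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # masquerade needs a kernel newer than 3.14; there, use "snat to <wan address>" instead.
        oif "eth0" masquerade
    }
}
```

Loading it with `nft -f` replaces the whole ruleset atomically, which is the property a future firewall daemon would build on; the price, as the thread notes, is that every zone, forwarding and NAT rule the UCI config describes has to be spelled out by hand.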
