[OpenWrt-Devel] moving firewall package to nftables

Michael Richardson mcr at sandelman.ca
Mon Feb 11 09:58:51 EST 2019

There are some features in nft that we'd like to use in CIRALabs'
SecureHomeGateway project.  In particular, it's much easier to get
statistics out of nft in JSON.  nft is easy to install, but it seemed
that we really needed the updated iptables commands, and I upgraded
that (and libnftnl, which seems to require a git head to work with iptables
iptables 1.8.2. 1.1.2 is not new enough)

I had a small hope that /sbin/fw3 was shelling out to /sbin/iptables to do
it's work, but I see now that it's not the case.  It uses libiptc and ip6tc
directly.    I have not yet investigated how hard it will be to upgrade
to the nft libraries to do this.

Before I continue, I wanted to check if someone else has been down this path
already and determined it is premature, or if there are larger architectural
issues that need to be resolved of which I am ignorant.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20190211/67407620/attachment.sig>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list