realtek: remove firewall and other core components? [Was: Re: [PATCH 1/2] realtek: Use firewall4]

Birger Koblitz mail at birger-koblitz.de
Wed Mar 23 15:10:24 PDT 2022


Hi,

On 23/03/2022 21:09, Sander Vanheule wrote:
> Hi everyone,

> One extra argument in favour of keeping the firewall in the default config, is that the
> devices with more advanced stock FW also provide an ACL feature to filter out traffic
> based on MAC, IP, ethernet frame contents, etc. However, this is offloaded to a hardware
> engine in the switch, but I'm not up to date on how well this offloading currently works
> (with nftables). So, providing a firewall would put OpenWrt on the same feature level as
> more advanced vendor offerings.
The features are quite powerful, even on RTL838x devices. The problem is that they are not
usable with nftables at least in kernel 5.10 because netfilter offload is so limited. The offloading
works via tc flower, which has extensive offloading support. I don't really understand how
this flow offloading can be used via nftables. There is a lot of development ongoing,
it seems kernel 5.13 was a big step forward.

Supporting tc flower and offloading it, however, requires about a dozen kernel modules and user
space tools, which is really tricky to get right. It would be great to have these packages
on board by default, to make this feature more usable, also for people to test it.

Yesterday I learned that someone was using an 838x device for OLSR with between 200 and 300 offloaded
next-hop routes, so the hardware offload is something that interests people who would normally
find this only in proprietary vendor solutions.

> 
>>
>>> Obviously users may still install them if they really want their switch to
>>> act as DHCP server and/or caching DNS resolver.
>>
>> This topic is about firewall4, so are you suggesting to post-install firewall4
>> package as well?
> 
> Dropping dnsmasq and odhcpd-ipv6only makes more sense to me, since these are not features
> that are normally provided on a managed switch AFAIK.
Agreed.

Cheers,
   Birger
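The tc flower path described in the message above, as an added example that is not part of the thread or of OpenWrt: a hardware-only (skip_sw) MAC drop rule on a DSA switch port, plus the check a practitioner uses to confirm the switch actually took the rule rather than the kernel silently keeping it in software. The port name, the MAC address and the sample tc output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or OpenWrt itself): install a
# tc flower ACL on a DSA switch port and verify the kernel really offloaded it.
# PORT and BLOCKED_MAC are constructed placeholders; adjust for the device.
PORT="${PORT:-lan1}"             # assumed DSA user port name
BLOCKED_MAC="00:11:22:33:44:55"  # constructed example source MAC to drop

# Drop ingress frames from one source MAC. skip_sw forces the rule into the
# switch ASIC: if the driver cannot offload it, the add fails loudly instead
# of falling back to a software filter that does not scale.
add_hw_acl() {
    tc qdisc add dev "$PORT" clsact 2>/dev/null || true
    tc filter add dev "$PORT" ingress protocol all pref 10 flower \
        skip_sw src_mac "$BLOCKED_MAC" action drop
}

# Classify 'tc filter show' output: in_hw, not_in_hw, or unknown.
# not_in_hw must be matched first because it contains the string in_hw.
offload_state() {
    case "$1" in
        *not_in_hw*) echo not_in_hw ;;
        *in_hw*)     echo in_hw ;;
        *)           echo unknown ;;
    esac
}

# Constructed sample of 'tc filter show dev lan1 ingress' after a successful
# offload, used to exercise offload_state without a real switch.
SAMPLE_OUT='filter protocol all pref 10 flower chain 0 handle 0x1
  src_mac 00:11:22:33:44:55
  skip_sw
  in_hw in_hw_count 1
        action order 1: gact action drop'

# On the device: report whether the installed rule landed in hardware.
check_hw_acl() {
    offload_state "$(tc filter show dev "$PORT" ingress 2>/dev/null)"
}
```

Run `add_hw_acl && check_hw_acl` as root on the switch; anything other than `in_hw` means the ACL is not being enforced by the switch engine.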
