[OpenWrt-Devel] nftables development and support in openwrt
Steven Barth
cyrus at openwrt.org
Sun Dec 14 12:08:50 EST 2014
Hi Tomer,
> I am currently working on a kernel module which offloads traffic from
> the Networking stack.
> This is part of a project which optimizes IP forwarding for low end
> routers that have weak CPU and low on memory.
Sounds interesting. Other approaches to speeding up forwarding are btw.
also being investigated right now, see https://dev.openwrt.org/changeset/43587
> I saw that nftables and libnftables are not yet supported in my
> openwrt codebase (I am working with attitude adjustment 14.07)
There is no Attitude Adjustment 14.07. Attitude Adjustment is 12.09,
Barrier Breaker is 14.07.
> - but saw that recently some nftables related patches were added to
> the master branch by you.
> Could you please share the current status of nftables support in openwrt?
nftables is packaged. I added some patches so that it is a bit more
embedded-friendly (some of those are upstream, some of them aren't). I
also packaged and reorganised the netfilter kernel packages.
So you can select nftables in menuconfig and play around with it.
You can also get rid of iptables and use nftables only by deselecting
the related packages.
Known Issues
* In general it's not well tested. It might blow up here or there. Help
and bug reports are appreciated.
* We are aiming for kernel 3.14 for the next release, which has somewhat
reasonable nftables support but lacks some useful things, e.g. devgroups
and extended reject support, among maybe other things, iirc. So it will be
there to play around with / get a first look at, but that's it. I don't know
how the following release will look, but I wouldn't keep my hopes up all
too high there for it to change that much.
* Which brings us to the main issue: our firewall abstraction (the
firewall package, all the /etc/config/firewall magic) is tied to
iptables at the moment, so if you want to use nftables right now you get
bare metal and have to write your own rulesets completely from scratch,
and cannot use /etc/config/firewall or a GUI.
Hopefully someone will put some effort into this next year and refactor
our firewall daemon to use nftables, but that's a major effort. Also, at
the moment it's not very clear when the netfilter team will create a
high-level library to interact with nftables, which would probably be
sort of a prerequisite for it, depending on how this rewritten daemon
will work.
> Regardless, I will be happy to participate in the development and
> testing of nftables if needed, just let me know if I can help,
Feel free to play around with it and send me bug reports etc.
If it looks like an nftables bug you should probably contact the
netfilter guys directly. If it looks like I messed up a patch or a
package definition then tell me.
Cheers,
Steven
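As an added illustration of the "bare metal" situation the reply describes (not code from Steven's post or from OpenWrt's firewall package), here is the kind of minimal stateful router ruleset one has to hand-write when /etc/config/firewall cannot be used, loaded with `nft -f`. The interface names br-lan and eth0 are placeholders, and the ruleset deliberately sticks to basic features, so it needs neither devgroups nor the extended reject variants the post says kernel 3.14 lacks.

```nft
# Added example, not from the list post or the OpenWrt firewall package.
# Assumptions (placeholders): LAN bridge is br-lan, upstream/WAN is eth0.
# Only basic nft features are used: no devgroup, no reject-with variants.

table inet filter {
    chain input {
        type filter hook input priority 0;
        iif "lo" accept                          # local traffic
        ct state established,related accept      # replies to our own connections
        ct state invalid drop                    # malformed/unknown connection state
        iifname "br-lan" accept                  # trust the LAN side
        iifname "eth0" icmp type echo-request accept     # allow IPv4 ping from WAN
        iifname "eth0" icmpv6 type echo-request accept   # allow IPv6 ping from WAN
        counter drop                             # everything else from WAN, counted
    }

    chain forward {
        type filter hook forward priority 0;
        ct state established,related accept      # return traffic of LAN-initiated flows
        ct state invalid drop
        iifname "br-lan" oifname "eth0" accept   # LAN may reach the WAN
        counter drop                             # no unsolicited WAN -> LAN forwarding
    }

    chain output {
        type filter hook output priority 0;
        accept                                   # router itself may talk freely
    }
}
```

With a default-drop input chain like this, only replies, LAN traffic and ping reach the router from the WAN side; anything the counters accumulate on the final drop rules is a useful first place to look when debugging or when watching for unexpected inbound traffic.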
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel