[OpenWrt-Devel] nftables development and support in openwrt

Sun Dec 14 20:17:56 EST 2014

Hi Steven,

Thanks for answering so quickly - I'll try to play with nft and help with
testing.

Regarding the firewall package - its probably a dumb question, but isn't
this the reason for nftables' compatibility layer? (
http://git.netfilter.org/iptables-nftables/)

Best Regards,

Tomer
On Dec 14, 2014 7:08 PM, "Steven Barth" <cyrus at openwrt.org> wrote:

>
> Hi Tomer,
>
>  I am currently working on a kernel module which offloads traffic from the
>> Networking stack.
>> This is part of a project which optimizes IP forwarding for low end
>> routers that have weak CPU and low on memory.
>>
> Sounds interesting. Other approaches of speeding up forwarding are btw.
> also investigated right now, see https://dev.openwrt.org/changeset/43587
>
>
>>
>> I saw that nftables and libnftables are not yet supported in my openwrt
>> codebase (I am working with attitude adjustment 14.07)
>>
> there is no attitude adjustment 14.07. attitude adjustment is 12.09,
> barrier breaker is 14.07.
>
>
>  - but saw that recently some nftables related patches were added to the
>> master branch by you.
>> Could you please share the current status of nftables support in openwrt?
>>
> nftables is packaged, I added some patches so that it is a bit more
> embedded friendly (some of those are upstream, some of them aren't). I also
> packaged and reorganised the netfilter kernel packages.
>
> So you can select nftables in menuconfig and can play around with it. You
> can also get rid of iptables and use nftables only by deselecting the
> related packages.
>
>
> Known Issues
> * In general its not well tested. It might blow up here or there. Help and
> bugreports are appreciated.
>
> * We are aiming for kernel 3.14 for the next release which has somewhat
> reasonable nftables support but lacks some useful things e.g. devgroups,
> extended reject support among maybe other things iirc. So it will be there
> to play around / get a first look at it but thats it. I don't know how the
> following release will look but I wouldn't keep my hopes up all too high
> there for it to change that much.
>
> * Which brings us to the main issue, our firewall abstraction (the
> firewall package, all the /etc/config/firewall magic) is tied to iptables
> at the moment, so if you want to use nftables right now you get bare metal
> and have to write your own rulesets completely from scratch, cannot use
> /etc/config/firewall or a gui.
> Hopefully someone will put some effort into this next year and refactor
> our firewall daemon to use nftables but thats a major effort. Also at the
> moment its not very clear when the netfilter team will create a high-level
> library to interact with nftables which would probably be sort of a
> prerequisite for it depending on how this rewritten daemon will work.
>
>
>> Regardless, I will be happy to participate with the development and
>> testing of nftables if needed, just let me know if I can help,
>>
> Feel free to play around with it and send me bugreports etc.
>
> If it looks like an nftables bug you should probably contact the netfilter
> guys directly. If it looks like I messed up a patch or a package definition
> then tell me.
>
>
>
> Cheers,
>
> Steven
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20141215/6d81c4dd/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel