[OpenWrt-Devel] nftables development and support in openwrt
Steven Barth
cyrus at openwrt.org
Mon Dec 15 02:18:13 EST 2014
Hi Tomer,
>
> Regarding the firewall package - it's probably a dumb question, but
> isn't this the reason for nftables' compatibility layer?
> (http://git.netfilter.org/iptables-nftables/)
>
afaik - and please correct me if I'm wrong - that works only for the
iptables CLI command; however, our firewall tool currently uses
libiptables directly, so I don't think it would work easily.
Cheers,
Steven
> Best Regards,
>
> Tomer
>
> On Dec 14, 2014 7:08 PM, "Steven Barth" <cyrus at openwrt.org> wrote:
>
>
> Hi Tomer,
>
> I am currently working on a kernel module which offloads
> traffic from the Networking stack.
> This is part of a project which optimizes IP forwarding for
> low end routers that have weak CPU and low on memory.
>
> Sounds interesting. Other approaches of speeding up forwarding are
> btw. also investigated right now, see
> https://dev.openwrt.org/changeset/43587
>
>
>
> I saw that nftables and libnftables are not yet supported in
> my openwrt codebase (I am working with attitude adjustment 14.07)
>
> There is no Attitude Adjustment 14.07. Attitude Adjustment is
> 12.09, Barrier Breaker is 14.07.
>
>
> - but saw that recently some nftables related patches were
> added to the master branch by you.
> Could you please share the current status of nftables support
> in openwrt?
>
> nftables is packaged, I added some patches so that it is a bit
> more embedded friendly (some of those are upstream, some of them
> aren't). I also packaged and reorganised the netfilter kernel
> packages.
>
> So you can select nftables in menuconfig and can play around with
> it. You can also get rid of iptables and use nftables only by
> deselecting the related packages.
>
>
> Known Issues
> * In general it's not well tested. It might blow up here or there.
> Help and bug reports are appreciated.
>
> * We are aiming for kernel 3.14 for the next release, which has
> somewhat reasonable nftables support but lacks some useful things,
> e.g. devgroups, extended reject support, among maybe other things
> iirc. So it will be there to play around / get a first look at it,
> but that's it. I don't know how the following release will look, but
> I wouldn't keep my hopes up all too high there for it to change
> that much.
>
> * Which brings us to the main issue: our firewall abstraction (the
> firewall package, all the /etc/config/firewall magic) is tied to
> iptables at the moment, so if you want to use nftables right now
> you get bare metal and have to write your own rulesets completely
> from scratch; you cannot use /etc/config/firewall or a GUI.
> Hopefully someone will put some effort into this next year and
> refactor our firewall daemon to use nftables, but that's a major
> effort. Also, at the moment it's not very clear when the netfilter
> team will create a high-level library to interact with nftables,
> which would probably be sort of a prerequisite for it, depending on
> how this rewritten daemon will work.
>
>
> Regardless, I will be happy to participate with the
> development and testing of nftables if needed, just let me
> know if I can help,
>
> Feel free to play around with it and send me bug reports etc.
>
> If it looks like an nftables bug you should probably contact the
> netfilter guys directly. If it looks like I messed up a patch or a
> package definition then tell me.
>
>
>
> Cheers,
>
> Steven
>
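As an added illustration (not part of the thread), this is the kind of "from scratch" nftables ruleset the message says you must write yourself when /etc/config/firewall is unavailable: it reproduces the usual OpenWrt zone defaults (LAN trusted, WAN dropped on input, LAN-to-WAN forwarding with masquerade). It assumes the interface names br-lan and eth0, uses current nft syntax, and relies on features such as masquerade that arrived in kernels newer than the 3.14 discussed above.

```nft
# Constructed example ruleset; interface names br-lan (LAN) and eth0 (WAN) are assumptions.
# Load with: nft -f router.nft
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "br-lan" accept                    # trust the LAN zone, like OpenWrt's default
        ct state established,related accept        # replies to traffic we started
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept    # keep path MTU discovery and ND working
        iifname "eth0" udp dport 68 accept         # DHCP client replies on the WAN side
        # everything else from the WAN falls through to the drop policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "br-lan" oifname "eth0" accept     # LAN -> WAN only; WAN -> LAN stays blocked
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade                  # NAT for traffic leaving via the WAN
    }
}
```

Because the forward chain has a drop policy, any WAN-initiated connection into the LAN is silently discarded unless an explicit accept rule for it is added.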