Opened 2 years ago

Closed 2 years ago

#14415 closed defect (not_a_bug)

[Enhancement] Add nftables to base - migrate firewall/filtering to nftables architecture

Reported by: aenertia@…
Owned by: developers
Priority: high
Milestone: Features Paradise
Component: base system
Version: Trunk
Keywords: nftables iptables arptables ip6tables ebtables
Cc:

Description

Hi all, nftables is scheduled for mainline inclusion into the upcoming 3.13 kernel release.

Announcement here: http://marc.info/?l=netfilter-devel&m=138176887917614&w=2

nftables is a drop-in replacement for the entire {ip,eb,arp,ip6}tables userspace tool set and associated kernel modules. It still uses the netfilter architecture for complex extensions (and is part of the netfilter project).

The CLI is called 'nft' and there is an API and library interface to it (libnftables).

There is also an iptables to nft handle userspace conversion tool which will ease migration.

nftables is a major departure in that there is no need for deep protocol awareness in the kernel modules as everything filter related is handled by a basic virtual machine.

Here is a basic howto:

https://home.regit.org/netfilter-en/nftables-quick-howto/

--

It would be great to see inclusion of nftables into base replacing the current firewall UX.

There are a number of advantages to doing so, including reduced package dependence/requirements for doing things like MAC filtering etc. and performance improvements (I have been testing on trunk with some patches on WNDR3800).

Kind regards

-Joel Wirāmu Pauling
http://gplus.to/aenertia

Change History (1)

comment:1 Changed 2 years ago by jow

  • Resolution set to not_a_bug
  • Status changed from new to closed

We're aware of the nftables developments and will migrate once OpenWrt adopts a 3.13 kernel. If you want to help in development, feel free to send patches.

Since this is neither a bug, nor a specific problem description, I'll close this ticket.
If you want to start a general discussion on nftables migration, the development mailing list is the proper place.
