Hi Steven,

Thanks for answering so quickly - I'll try to play with nft and help with testing.

Regarding the firewall package - it's probably a dumb question, but isn't this the reason for nftables' compatibility layer? ( http://git.netfilter.org/iptables-nftables/ )

Best Regards,
Tomer

On Dec 14, 2014 7:08 PM, "Steven Barth" <cy...@openwrt.org> wrote:
>
> Hi Tomer,
>
>> I am currently working on a kernel module which offloads traffic from the
>> Networking stack.
>> This is part of a project which optimizes IP forwarding for low end
>> routers that have weak CPU and low on memory.
>>
> Sounds interesting. Other approaches of speeding up forwarding are btw.
> also investigated right now, see https://dev.openwrt.org/changeset/43587
>
>
>> I saw that nftables and libnftables are not yet supported in my openwrt
>> codebase (I am working with attitude adjustment 14.07)
>>
> there is no attitude adjustment 14.07. attitude adjustment is 12.09,
> barrier breaker is 14.07.
>
>
>> - but saw that recently some nftables related patches were added to the
>> master branch by you.
>> Could you please share the current status of nftables support in openwrt?
>>
> nftables is packaged, I added some patches so that it is a bit more
> embedded friendly (some of those are upstream, some of them aren't). I also
> packaged and reorganised the netfilter kernel packages.
>
> So you can select nftables in menuconfig and can play around with it. You
> can also get rid of iptables and use nftables only by deselecting the
> related packages.
>
>
> Known Issues
> * In general it's not well tested. It might blow up here or there. Help and
> bug reports are appreciated.
>
> * We are aiming for kernel 3.14 for the next release which has somewhat
> reasonable nftables support but lacks some useful things e.g. devgroups,
> extended reject support among maybe other things iirc. So it will be there
> to play around / get a first look at it but that's it. I don't know how the
> following release will look but I wouldn't keep my hopes up all too high
> there for it to change that much.
>
> * Which brings us to the main issue, our firewall abstraction (the
> firewall package, all the /etc/config/firewall magic) is tied to iptables
> at the moment, so if you want to use nftables right now you get bare metal
> and have to write your own rulesets completely from scratch, cannot use
> /etc/config/firewall or a gui.
> Hopefully someone will put some effort into this next year and refactor
> our firewall daemon to use nftables but that's a major effort. Also at the
> moment it's not very clear when the netfilter team will create a high-level
> library to interact with nftables which would probably be sort of a
> prerequisite for it depending on how this rewritten daemon will work.
>
>
>> Regardless, I will be happy to participate with the development and
>> testing of nftables if needed, just let me know if I can help,
>>
> Feel free to play around with it and send me bug reports etc.
>
> If it looks like an nftables bug you should probably contact the netfilter
> guys directly. If it looks like I messed up a patch or a package definition
> then tell me.
>
>
>
> Cheers,
>
> Steven
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel