Hi all. Last January I tried to do some advanced QoS tutorials using nftables, but we ran into issues with nftables not loading the script properly, having some incompatibilities, etc.
Now it's almost the end of 2020 and everyone's been doing COVID stuff, so I understand if not much progress occurred, but has anyone got nftables working smoothly on recent OpenWrt?
Yay, that's exciting. Is there a mechanism where you can ignore the UCI and just use an /etc/nftables.conf or something? Because the nftables script is really a great special-purpose language.
Well, stuff that uses UCI firewall rules should just work as before. Also, iptables and nftables can coexist on the same system, so that might be a possible migration path as well - AFAIR modern iptables is just an alternative frontend for netfilter.
I don't have any particular migration path in mind just yet, though; the first milestone was having a more or less feature-compatible nftables implementation of /etc/config/firewall. Now that this is largely done, the focus shifts towards potential migration possibilities.
Modern iptables command-line stuff, yes. But my understanding was that fw3 was directly diddling with the firewall through a library, not going through the command-line iptables?
Sure, I guess I'm imagining a world where fw4 is standard, and you want to use /etc/nftables.conf. How would you disable fw4? Or could there be a switch saying "use /etc/nftables.conf instead"? But I guess this is part of the whole "migration path" concept.
Yes, procd firewall objects are recognized and should function exactly like fw3.
Yes, this is supported by fw4. To not introduce behavior changes for the existing configuration, it is configured slightly differently:
- to enable IPv6 MASQUERADE on a zone, `option masq6` must be set
- to enable IPv6 for DNAT/SNAT etc. rules, an explicit `option family ipv6` or `option family any` is required. The implicit default is `option family ipv4` to retain backwards compatibility.
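As an added illustration (not from the fw4 project or any poster in this thread), here is a /etc/config/firewall fragment that exercises the two settings just described; the zone name, networks, port numbers and addresses are made-up assumptions:

```uci
# Added example, not from the thread. A WAN zone that masquerades
# both IPv4 and IPv6 under fw4: 'masq' alone keeps the fw3 behaviour
# (IPv4 only), so IPv6 masquerading has to be asked for with 'masq6'.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option masq6 '1'

# Port forward with no 'family' option: fw4 defaults to ipv4, so this
# rule never matches IPv6 traffic even though the zone carries wan6.
config redirect
	option name 'ssh-v4-only'
	option src 'wan'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '22'
	option proto 'tcp'
	option target 'DNAT'

# The same forward for IPv6 needs an explicit 'option family ipv6'
# (or 'any'); the destination is a constructed ULA address.
config redirect
	option name 'ssh-v6'
	option family 'ipv6'
	option src 'wan'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip 'fd00:1::10'
	option dest_port '22'
	option proto 'tcp'
	option target 'DNAT'
```

After editing, `fw4 reload` applies the ruleset; `fw4 print` shows the generated nftables rules so you can confirm which family each redirect ended up in.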
I installed fw4 to replace fw3 but it fails to start:
```
~# fw4 start
Reference error: left-hand side expression is null
In main(), file /usr/share/firewall4/templates/ruleset.uc, line 150, byte 48:
  called from function include ([C])
  called from function render_ruleset (/usr/share/firewall4/main.uc:98:72)
  called from anonymous function (/usr/share/firewall4/main.uc:161:28)

 `{% for (local rule in fw4.rules("input_"+zone.name)): %}`
 Near here -------------------------------------^

/proc/self/fd/0:76:1-1: Error: syntax error, unexpected end of file
```
Is there any merit (or thoughts within OpenWrt) in waiting for BPFILTER and not using nftables? My understanding (though pretty limited) is that kernel developers were looking to replace nftables with BPFILTER. I haven't researched it thoroughly (just an article I'd read), but this seemed to be the goal; not sure on the time frame.
I just ask out of interest as a way of avoiding two transitions iptables -> nftables -> BPFILTER.
No. nftables is clearly the future. It's actually the present in Debian and other related distros. The only thing that might happen is on the backend: the nftables script might compile to eBPF at some point in the future. This will be transparent to you.