Custom packet filtering

Hi all, I am completely new to networking in general and openWrt in particular. So please be gentle with the newbie :wink: I am excited to learn though and have been impressed by the quality of the openWrt project.

As I am learning more and more, the list of features that I want to try and implement grows. From reading the forum, it seems the traditional way of adding features to my router is to use the processes in the openWrt distro or add packages. However, some overlap, and I was wondering if I'd be better off in writing a custom packet filter, that would apply my own code to all packets, rather than relying on different packages/processes in openWrt.

I feel it would be simpler and easier for me to start with, if I can simply access all inbound and outbound packet, and apply my logging and logic to it. That would be easier than getting my head around many new processes, or at least that would allow me the most control.

What is the most efficient way to do so in openWrt?

Also, there is the latency consideration. Say I write such a custom packet filter, and make it do something simple, like reject all outbound TCP/UDP packets that have a destination IP in a hardcoded list. Is it possible to write such a packet filter that would add as little latency as doing the same thing with iptables/fw3?

What I think will condition the response to that is how much openWrt relies on hardware-specific instructions. I do not know anything about routers, so I am unclear on this. On an Intel-based computer for example, I differentiate processes happening all in software, with instructions from the programming language, versus using "Intel intrinsics", which actually directly call a more complex CPU instruction to do something faster (of course "normal" instructions end up calling processor instructions, but basic ones). Is there something equivalent on a router? If no, then that probably means a custom filter could be as fast as other processes in openWrt. If yes, that probably means that one needs to learn the hardware "intrinsic" instructions in order to do something faster. There would therefore be a higher learning curve for me, and it might not be the easiest route to learn.
Any color on that is much appreciated as well.

Thanks!

read up on 'nfqueue' (general internet guides)... although... you should really practice on a full OS first... (and yes... there is an associated performance hit)

1 Like

So, you do not have much experience with networking in general, but you want to code your own packet filter, instead of learning how to use the standard tools (like "iptables"), or the simplified and user friendly utilities provided by OpenWrt... may I advise you to not do this?

5 Likes

Well, with no experience in the field, I was able to develop a fully-fledged packet filter on macOS, based on a network extension. It was allowing me to do IP and domain name filtering, among other things. This was surprisingly easy to do, given my lack of networking experience.

So I assumed it would not be that much harder to do on OpenWrt... But I might be wrong? Is it significantly harder to do on OpenWrt than on macOS?

Thanks for that. Do you have some pointers for me to understand why there is an associated performance hit? As far as I know, iptables operates in user space, like nfqueue does. So I am not clear on why we could not reproduce something as fast (I am sure you are right, I just don't understand why).

The "iptables" user space utility configures the tables, the packet handling happens in kernel space.

2 Likes

Ah I see. That makes sense actually. Wikipedia said “iptables is a user-space utility program” and that led me to incorrectly conclude it was operating in kernel space.

Of course operating in kernel space provides an irreducible advantage, as the copying of data from kernel space to user space adds a significant latency hit, given how many packets flow through the router.

So I guess that to create something that would be fast, I’d need to write a loadable kernel module. I have written kernel extensions on macOS, but I have no experience with it on Linux. I can imagine this could require significant knowledge about the OS, which I have about macOS but do not at all with OpenWrt.

There are iptables (which is just a frontend for-), nftables and eBPF; they are tried and battle tested.

3 Likes

Thanks a lot for that. eBPF looks like really cool technology, I'll look into that.

The future of basic packet filtering is nftables. If you want something more sophisticated than 5-6 iptables rules, start with nftables. eBPF is interesting but the tools to create it are less than easy to use whereas nftables has a great high level language which is very powerful.
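As an added example that is not part of this thread, here is the filter from the opening post ("reject all outbound TCP/UDP packets whose destination IP is in a hardcoded list") written as an nftables ruleset, the tool recommended just above. The table, set and chain names and the IP list are constructed for the example, and it assumes the `nft` tool is available (OpenWrt releases built on fw4 ship it). Once the ruleset is loaded, the set lookup, the log line and the reject all happen in the kernel; `nft` only loads the rules, which is exactly the user-space/kernel-space distinction made earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from the OpenWrt project.
# Builds an nftables ruleset that rejects outbound TCP/UDP to a hardcoded list
# of destination IPs and logs each hit. Names and addresses are constructed.

# Constructed sample list (addresses from the TEST-NET documentation ranges).
BLOCKED_DST="192.0.2.10 198.51.100.0/24 203.0.113.7"

# build_ruleset LIST: print an nftables ruleset for a space-separated list of
# IPv4 addresses/prefixes. The "forward" hook covers LAN clients going out
# through the router; the "output" hook covers traffic the router itself sends.
build_ruleset() {
    elements=$(printf '%s' "$1" | sed 's/ /, /g')
    cat <<EOF
table inet custom_filter {
    set blocked_dst {
        type ipv4_addr
        flags interval
        elements = { ${elements} }
    }
    chain check_dst {
        meta l4proto { tcp, udp } ip daddr @blocked_dst log prefix "custom_filter: " counter reject
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        jump check_dst
    }
    chain output {
        type filter hook output priority filter; policy accept;
        jump check_dst
    }
}
EOF
}

# apply_ruleset LIST: load the generated ruleset into the kernel with nft.
# Loading adds a separate "custom_filter" table next to the firewall's own
# tables; "nft delete table inet custom_filter" removes it again.
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 1; }
    build_ruleset "$1" | nft -f -
}

# Run with "apply" to load the rules; with no argument just print the ruleset.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "$BLOCKED_DST"
else
    build_ruleset "$BLOCKED_DST"
fi
```

Matches show up as "custom_filter:" lines in the kernel log (`logread` on OpenWrt) and the `counter` keeps a hit count you can read with `nft list table inet custom_filter`, so the logging the opening post asked for comes for free without any packet ever being copied to user space.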

1 Like

Thanks for the tip, much appreciated.
