Yes it does, but what about packages that still use ipsets? I listed a few. Yes, in an ideal world everything would be migrated to nftables and use nftsets, but that is not an insignificant task.
Last week the compile option for ipset was in menuconfig to choose, but it isn’t set as standard.
To be honest, if you don’t use the precompiled standard images everything else but “build from source” is like doing something with your hands tied behind your back.
Imagebuilder is like square Lego blocks, it only puts together precompiled packages, you can’t make any adjustments or changes with imagebuilder since everything is already build.
Are we talking about 21.02-snapshot, 22.03-snapshot or master-snapshot?
Pseudo compatibility…yea but my personal experience is that when the train rolls it rolls. Pseudo compatibility is just what you say, an imaginary transition time.
If the packages doesn’t move along they will sooner or later be left behind and probably be replaced with something new or upgraded, like BanIP now has to do some job to keep up with development.
So the fault isn’t really OpenWrt that doesn’t do iptables, it is the packages that doesn’t do nftables.
Absolutely true.
But either this particular issue is an oversight, or it is a deliberate move to make such packages to some degree unusable.
Most other Linux distributions go all out to make iptables support as transparent as possible in the nftables environment. Does this make OpenWrt a leader in the deprecation process of all things iptables?
Either way, efforts to rework packages that use iptables should be given a top priority by their respective developers.
I guess that one way to encourage such reworking is to discuss it more and more on this forum and get people talking about it.
Some one need to be pioneers!
Wasn’t it Linus Torvalds that made nftables the no1 solution in to the future in the kernel?
And the DSA!
And Wireguard…
Maybe but these discussions are mostly decided in the mailing list and pull requests in Git hub. http://lists.openwrt.org/pipermail/openwrt-devel/
This is the prize we pay to be on the dev front line. And if you use master then you are on the very edge of the development frontline.
Unfortunately unless you are actively following threads continuously, you may not notice what is going on until it is too late. In addition, with mailing lists, it is often the case that comments by "outsiders" are ignored or at best discouraged. Although I must say I don't know if it is the case here.
The same goes for PRs on Github. Team members get notifications, others do not unless you spot the PR and make a comment. It is often the case that the first time people find out that a PR has been merged is when something stops working (as in this case of dnsmasq-full).
The advantage of this forum is that it is easily accessible to everyone, not just the core OpenWrt development team.
Yes. And not to mention you can’t search the mail database. You have to find “something” by pure luck by reading all mail. And mail aren’t answering in chronological order so it quickly gets a mess to fallow!
Yes. It is also another problem with PR. The volume! No one has the energy to go through them all, everyone interested has their favorite tags they fallow that makes some meaning to them. But the OpenWrt database is the base OpenWrt. And then we have Luci, packages also to keep up with. And the actual kernel dev history.
Maybe, my feeling is that most of the dev have pretty low forum time compared to the time spent in the git hub and mail. I can pretty much guarantee a new functions be or not to be will never be discussed in this general forum. This is only support forum. Not even in the dev section will these discussions be.
Dude. Nftables is around since 2012 or something. In 2016 it was announced that most netfilter stuff ia ported to nftables in the kernel already and that iptables is just a user space wrapper but the kernel already processed as netfilter anyway. also it was not Linus but Pablo who coordinate netlink and it was spelled out more then once in the last ten years that iptables will see it's sunset.
If people simply ignore the processing and warning through years then you can't help them. It is no news that nftables and nft is the modern way to handle filtering. Also the netfilter working group did a really good job to make the delayed transition as easy and convenient as possible.
While I agree the ipset support should be included in dnsmasq-full package, I just searched the packages repo for "ipset" and (outside of pbr, which supports it, but where it's not a hard dependency) it's pretty much just 3 packages which mention it -- banip, crowdsec-firewall-bouncer and mwan3, so I see how the decision has been made.