Missing ethtool and nft commands. Would these break LEDE in some way?

Hmm, I tried to use ethtool and nft commands but these are either hidden or not installed by default in 17.01.2.
Am I going to break something if I install and use these? Can they co-exist?

I thought that newer kernels had in fact deprecated the old ifconfig and iptables commands.

LEDE has a high-level configuration layer through /etc/config/network and /etc/config/firewall to set up the interfaces and ip tables. It should be used if possible.

opkg update ; opkg install ethtool

I believe LEDE/openwrt leave out a number of potentially useful tools/binaries due to the sad fact that many home routers are really short on memory. Anything non-essential hence gets relegated into an installable packet, so users can make their own space vs. utility trade-offs.

Best Regards

Yes you can install and load iptables and nftables side by side but should only use one or the other with rules.
opkg install nftables

But openwrt/lede firewall3, the FW util, only supports iptables. That means you can only use nftables with your own script and setup, and you have problems with packages that depend on FW3. (/etc/config/firewall)
Disable /etc/init.d/firewall if you want to play with it.
The nft util is compiled without the CLI interface; you don't see much from it.

Okay then. I've installed ethtool for informational purposes only, such as "ethtool -S eth1".
But I probably shouldn't have installed nftables user space utility because when I type "nft list tables" I get nothing, so it seems LEDE is not using nftables yet, like the above post seems to say. Thanks all, this is all starting to sink in.

Yeah the dependency of the LEDE firewall on iptables is brutal. It really makes LEDE seem like a legacy OS IMO...

If I'm understanding trimso's post correctly then moving to nftables would require removal of iptables rules, thereby breaking compatibility with the gazillions of optional LEDE packages. Also AFAIK there currently do not seem to be any toolsets available for automatically translating iptables rules to nftables rules. But the LEDE developers are very clever; these folks understand programming, hardware, reverse engineering and networking. If anyone can figure out a way out of this conundrum then it will surely be them =)
