More details on the nftables page

Hi All,

Just about finished installing nftables on my router. Would you be happy if I updated: https://openwrt.org/docs/guide-user/firewall/misc/nftables to give an example? That way, if anyone else does decide to try nftables, they at least have an example of how to go about it - and I'll explain the hassles (e.g. command line only), but also the advantages (easier to understand the commands, and merged IPv4 and IPv6).

David.

P.S. I may (if I get time) look into doing a LuCI interface; seems easiest to totally separate it from fw3 ...

2 Likes

If you use the UCI, iptables and ip6tables work as one piece of software.

1 Like

My understanding was though that when uploaded to the kernel it had to be done as two commands, one for IPv4 and one for IPv6. Now I'm not sure, but I'd expect that to be two commands in the kernel.

With nftables you can use inet, which is a single command, and means both IPv4 and IPv6. Again my understanding is this gets loaded to the kernel as a single command.

Anyway this is not the point of this topic; there are two ways of doing the firewall, iptables and nftables. Is it not better if users are allowed the choice of which they want to use?

1 Like
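To illustrate the inet point made in the post above, here is an added example ruleset written for this thread (not David's wiki page and not any OpenWrt project file): one inet-family table filters both IPv4 and IPv6, and a separate ip-family table does the IPv4-only NAT. Interface names (eth0 as WAN, br-lan as LAN) are assumed.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread or the wiki page. Interface names
# eth0 (WAN) and br-lan (LAN) are assumptions; adjust to your router.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Only traffic belonging to connections the router already accepted
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # One ruleset covers both ICMP and ICMPv6; with xtables this needs
        # a separate iptables and ip6tables command each.
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Management from the LAN side only: SSH and the LuCI web UI
        iifname "br-lan" tcp dport { 22, 80, 443 } accept

        # LAN clients need DHCP/DNS from the router; DHCPv6 uses UDP 547
        iifname "br-lan" udp dport { 53, 67, 547 } accept
        iifname "br-lan" tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "br-lan" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# NAT stays IPv4 only: the ip family restricts this table to IPv4, and
# NAT in the inet family needs a newer kernel (5.2 or later).
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Load it with nft -f and inspect the result with nft list ruleset; the single inet table is what replaces the paired iptables/ip6tables rules.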

Indeed. If you have an account, of course - feel free to update that page. We need more people in the community willing to do so!

:+1:
:smiley:

1 Like

I like the concept, alas it won't be popular until it becomes the default.

All the xtables/setsockopt based tools are considered legacy and iptables version 1.8.0 actually uses nf_tables in the kernel. OpenWrt should be working towards using only nftables by default, especially because iptables and nft cannot perform NAT at the same time.

2 Likes

That's interesting - I hadn't seen that. So will OpenWrt switch to iptables 1.8.0, or will that give problems with libnftnl vs libiptc in fw3?

The fw3 executable does not care about the iptables tooling present on the system, it uses libiptc directly, and this remains functional until the kernel side of the setsockopt() based infrastructure is removed.

Transition to nft in OpenWrt will occur through a future fw4 package which continues to accept the same uci firewall configuration but translated to nftables instead of iptables. (Minus details such as option extra which cannot be translated to nftables syntax).

It is likely that firewall 4 will be a mere preprocessor which translates /etc/config/firewall into an nftables program through the use of a bunch of template files, but the exact details will be ironed out when we actually start working on it.

1 Like

Good that fw4 is planned - yes, what I'll do is just a placeholder for setting up nftables from the command line, so it won't be as user-friendly as much of OpenWrt.

OK - I've started the page. I haven't saved it to the wiki yet, as I'm only about 25% of the way through. It's going to end up being quite a long page, so we may want to take a view on splitting it. Anyway, let me finish the text first; then people here can take a view ...

1 Like

OK, I've done a first attempt on nftables; can people take a look and let me know what you think?

It's been written very quickly; I haven't checked for typos etc. Really I wanted to get something up, so I could get people's thoughts on whether this is the right kind of thing. I know that the formatting in places is horrible - I'll correct that later.

Anyway, do give your thoughts, and feedback either positive or negative is good.