Nftables compatibility and performance issues in OpenWrt 23.05.2 (and 22.x.x)

I'm another iptablesaurus, having used iptables for years and with about 600 iptables/ipset commands generated by a large script, mostly related to traffic prioritization with DSCP tags etc.

I did try iptables-nft initially, hoping for a swift and easy way forward, but it became clear very quickly it wasn't going to work properly. As others have said, the only real solution is to dive in and learn nftables.

I put this off for ages and completely skipped OpenWrt 22.03 (sticking to 21.02) to avoid it. But there were other improvements in 23.05 that I really wanted, so I had to bite the bullet. Like all these things, it's horrid at first, and if you're anything like me you'll feel like a complete idiot at times, but it gets better quickly, and iptables-translate can be a very useful learning aid to point you in the right direction.

Having now spent some time with nftables I can certainly see that it is extremely versatile. I was able to do everything I needed to, and in many cases I could (eventually) do it more efficiently than I could with iptables. IMO the syntax is also much nicer to read once you get used to it.

On the downside I've encountered some performance issues of my own, particularly with large sets, but nothing that was a deal breaker.

Regarding the need to constantly escape characters in nft commands, this irked me as well and the best solution is to bypass the shell by putting all your rules in an nft script, and then pass that into the nft command:

nft -f [script file]

With this approach I think the only escaping that's required is inside rule comments.

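As an added example (not code from the post above or from OpenWrt), here is the pattern the post describes in POSIX shell: a generator script writes the whole ruleset to an nft script file instead of issuing hundreds of individual `nft` commands, so the only escaping left is the backslash before a double quote inside a rule comment. The table name `dscp_prio`, the set `voip_hosts`, the SIP port and the sample addresses are all assumptions made for the illustration; the declare-then-delete lines at the top of the generated file are the usual idiom for making an `nft -f` load idempotent.

```shell
#!/bin/sh
# Added example, not from the original post: build an nftables script from a
# host list and load it with `nft -f`, avoiding per-rule shell escaping.

# gen_dscp_script ADDR [ADDR...]  -> prints a complete nft script to stdout.
# Table/set/chain names and the SIP port are hypothetical choices.
gen_dscp_script() {
    elements=""
    for h in "$@"; do
        elements="${elements:+$elements, }$h"
    done
    # Unquoted heredoc: $elements expands, while \" reaches nft unchanged,
    # which is the one escape still needed (inside the comment string).
    cat <<EOF
#!/usr/sbin/nft -f
# Declare, delete, then redefine the table so re-running the script is safe.
table inet dscp_prio
delete table inet dscp_prio
table inet dscp_prio {
    set voip_hosts {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain forward {
        type filter hook forward priority mangle; policy accept;
        ip saddr @voip_hosts udp dport 5060 ip dscp set ef counter comment "SIP to \"EF\" class"
        ip daddr @voip_hosts meta l4proto udp ip dscp set ef counter comment "VoIP return traffic"
    }
}
EOF
}

# apply_ruleset FILE -> check the script first (-c parses and validates
# without committing), then load it in one atomic transaction.
apply_ruleset() {
    nft -c -f "$1" && nft -f "$1"
}

# Demo: write the generated script to a temp file (constructed sample hosts).
out=$(mktemp)
gen_dscp_script 192.0.2.10 192.0.2.20/31 > "$out"
echo "nft script written to $out (load with: apply_ruleset $out)"
```

Because the rules arrive via `-f`, the double quotes, braces and `@set` references in the file never pass through the shell, and `nft -c -f` gives a syntax check of the full 600-rule file before anything touches the live ruleset.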