FS#2278 - RFE: Replace iptables(legacy) with iptables(nf_tables) #7150

Open
openwrt-bot opened this issue May 11, 2019 · 6 comments


xosevp:

Supported since iptables 1.8: https://marc.info/?l=netfilter-devel&m=153086953903487


nivex:

I would like to support this request and speak a little to what this would bring to OpenWrt. Since many targets are resource-constrained, migrating to the nf_tables backend would be of benefit.

First is an improvement in packet filter performance. While not immense, any CPU savings on older / lower power devices is a win.

Second is the savings in storage. As functionality that would take multiple legacy xtables modules is compiled neatly into nftables bytecode, fewer module packages are needed on the system. This would alleviate some flash constraints.

As a demonstration of the second point, from a Debian 10 system:

```
root@skylab:/lib/modules/4.19.0-8-amd64# find -name "xt_*" | wc -l
71
root@skylab:/lib/modules/4.19.0-8-amd64# find -name "nft_*" | wc -l
41
```

I would also emphasize that these benefits would be seen without needing to alter ip(6)tables command line calls in other parts of the system. Notably, fw3 could remain unchanged. This is the default configuration in Debian 10.

It is my hope that this can be increased in priority as a low-hanging fruit with great potential gain.
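As an added example (not part of the issue thread or of OpenWrt), a small POSIX shell audit script that checks which backend `iptables -V` reports, counts xt_ versus nft_ kernel modules the way the comment above does, and flags the case where rules are loaded through both `iptables-legacy-save` and `iptables-nft-save` at the same time: the kernel evaluates the xtables and nf_tables rulesets independently, so on a half-migrated host neither tool's listing shows the whole policy. The tool names assume the Debian 10 alternatives layout; the parsing functions take their input as text so they can be exercised offline.

```shell
#!/bin/sh
# Added audit helper (not from the issue): which iptables backend is in use, how many
# xt_ vs nft_ kernel modules are installed, and whether rules are loaded in BOTH
# backends at once. Assumes Debian 10 style tool names (iptables-legacy-save,
# iptables-nft-save); the parsing functions work offline on the text they are given.

# Backend from the output of `iptables -V`, e.g. "iptables v1.8.2 (nf_tables)".
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Rules in an iptables-save dump read from stdin: only "-A ..." lines count, so
# comments, table headers (*filter), chain policies (:INPUT ...) and COMMIT are skipped.
count_rules() {
    grep -c '^-A ' || true
}

# Kernel modules under $1 whose file name starts with $2 (xt_ or nft_).
count_modules() {
    find "$1" -type f -name "$2*" | wc -l | tr -d ' '
}

# True when both backends carry rules: the kernel evaluates the xtables ruleset and
# the nf_tables ruleset independently, so each tool's listing shows only part of the policy.
is_mixed() {
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ]
}

audit_host() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 0; }
    echo "backend: $(backend_from_version "$(iptables -V 2>/dev/null)")"
    legacy=0; nft=0
    command -v iptables-legacy-save >/dev/null 2>&1 && legacy=$(iptables-legacy-save 2>/dev/null | count_rules)
    command -v iptables-nft-save >/dev/null 2>&1 && nft=$(iptables-nft-save 2>/dev/null | count_rules)
    echo "rules via iptables-legacy: $legacy, via iptables-nft: $nft"
    if is_mixed "$legacy" "$nft"; then
        echo "WARNING: rules active in both backends; neither listing alone shows the full policy"
    fi
    moddir="/lib/modules/$(uname -r)"
    if [ -d "$moddir" ]; then
        echo "xt_ modules: $(count_modules "$moddir" xt_), nft_ modules: $(count_modules "$moddir" nft_)"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh audit.sh --audit` on the host; the save tools need root to read the live rulesets.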


champtar:

I would recommend you come back with real numbers, for both the size and the performance, as the devil is in the detail.
Also there is a need for testing; I just got an iptables-nft bug fixed today:
https://bugzilla.netfilter.org/show_bug.cgi?id=1422


jow-:

Migration to nftables is planned for later this year, in Q2 or Q3; until then there most likely won't be much progress.


champtar:

@jow do you plan to really migrate to nftables, or to iptables-nft?


jow-:

nftables


xosevp:

The change from iptables-legacy to iptables-nf_tables is almost trivial.
More work and testing is needed to replace it with nftables.

And there is a new kid on the block, bpfilter:
