FS#2278 - RFE: Replace iptables(legacy) with iptables(nf_tables) #7150
Comments
nivex: I would like to support this request and speak a little to what this would bring to OpenWRT. Since many targets are resource constrained, migrating to the nf_tables backend would be of benefit. First is an improvement in packet filter performance. While not immense, any CPU savings on older / lower power devices is a win. Second is the savings in storage. As functionality that would take multiple modules in legacy xtables is compiled neatly into nftables bytecode, fewer module packages are needed on the system. This would alleviate some flash constraints. As a demonstration of the second point, from a Debian 10 system: I would also emphasize that these benefits would be seen without needing to alter ip(6)tables command line calls in other parts of the system. Notably, fw3 could remain unchanged. This is the default configuration in Debian 10. It is my hope that this can be increased in priority as a low-hanging fruit with great potential gain.
champtar: I would recommend you come back with real numbers, for both the size and the performance, as the devil is in the detail.
jow-: Migration to nftables is planned later this year, in Q2 or Q3; until then there won't be much progress, most likely.
champtar: @jow you plan to really migrate to nftables or to iptables-nft?
jow-: nftables
xosevp: The change from iptables-legacy to iptables-nf_tables is almost trivial. And there is a new kid on the block, bpfilter:
xosevp: Supported since iptables 1.8: https://marc.info/?l=netfilter-devel&m=153086953903487