Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

firewall: switch to nftables #2783

Open
wants to merge 19 commits into
base: main
Choose a base branch
from
Open

firewall: switch to nftables #2783

wants to merge 19 commits into from

Conversation

mkg20001
Copy link
Member

@mkg20001 mkg20001 commented Feb 5, 2023

Let's do this!

(not only because I have a passionate hate towards iptables, but because nftables is the cool new firewall that merges all the others)

@mkg20001
Copy link
Member Author

mkg20001 commented Feb 5, 2023

not sure how to go about ebtables. I took a quick glance and it seems there's not really anything missing from nftables that is currently being done in ebtables. If it's a good idea, I could do the rewrite of the ebtables rules, unless syntax is worse. Switched ebtables to ebtables-nft for now.

@mkg20001 mkg20001 force-pushed the nft branch 4 times, most recently from 87324b6 to 1f54a15 Compare February 5, 2023 22:58
@AiyionPrime
Copy link
Member

we'll build a firmware together in the next days; @mkg20001, @AiyionPrime

@mkg20001
Copy link
Member Author

IPTables migration is done, the goal is to go ahead with migrating ebtables to nftables. input is appreciated.

@AiyionPrime AiyionPrime added the 5. needs: testing Testing of the changes is necessary label Feb 25, 2023
@AiyionPrime AiyionPrime added the 2. status: waiting-on-author Waiting on some action from the author label Mar 22, 2023
@github-actions github-actions bot added 3. topic: docs Topic: Documentation 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN labels Apr 25, 2023
@mkg20001
Copy link
Member Author

mkg20001 commented Apr 25, 2023

how migrations are handled:

ebtables -> nftables:

  • delete remaining ebtables config entierly (todo)

nftables in general:

  • since the snippets installed might disappear when a mesh chooses to remove a package, which could potentially break fw4 (ok turns it it's just a warning but let's keep it clean)
    • individual includes are prefied with gluon_nftables_ and are removed once no longer needed

for appending the includes I've choosen a similar style to what we already have with the webinterface elements. I hope I've found the best middleground between boilerplate and complexity.

if wanted we could extend the removal/readd to all firewall rules (or extend /lib/gluon/nftables to become /lib/gluon/firewall with nftables includes aswell as regular firewall rules)

@github-actions github-actions bot removed 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN 3. topic: docs Topic: Documentation labels Apr 25, 2023
@mkg20001
Copy link
Member Author

mkg20001 commented Apr 25, 2023

I hope I've found the best middleground between boilerplate and complexity.

alternative would be

  • a module similar to what wireless does or

  • adding a top line that specifies how the given file should be included (#! chain-pre <chain>, table-post, etc) and having lua arrange everything

@github-actions github-actions bot added 3. topic: config-mode This is about the configuration mode 3. topic: docs Topic: Documentation 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN labels May 1, 2023
@github-actions github-actions bot removed 3. topic: docs Topic: Documentation 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN labels May 1, 2023
@mkg20001
Copy link
Member Author

mkg20001 commented May 2, 2023

@rotanid nftables itself is among the biggest things, we can't really get rid of much

replacing fw4 isn't really an option either as that won't be maintainable

usr/lib/libnftables.so.1.1.0: 612kib
usr/lib/libnftnl.so.11.6.0: 132kib
usr/lib/libjansson.so.4.13.0: 40kib
usr/lib/libmnl.so.0.2.0: 16kib
bin/nft: 12kib

maybe disabling some features in nftables cli will help (not sure if that's possible)

@mkg20001
Copy link
Member Author

mkg20001 commented May 2, 2023

fw4 is written in ucode, which also uses a bunch of space

$ du -hs ./usr/{bin,lib,share}/ucode
16K	./usr/bin/ucode
76K	./usr/lib/ucode
80K	./usr/share/ucode

@mkg20001

This comment was marked as resolved.

@mkg20001
Copy link
Member Author

mkg20001 commented May 2, 2023

Also I came accross this: openwrt/openwrt#11895

This might help with space problems in general, but since mips is not supported yet it wouldn't do too much.

@mkg20001
Copy link
Member Author

mkg20001 commented May 21, 2023

I'd need some help enabling the right nftables modules as they seem to be missing.

Added it

@mkg20001
Copy link
Member Author

A potential fix for tiny would be including the minimal dnsmasq again, but this time only for tiny only. That way we should have enough space.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2. status: waiting-on-author Waiting on some action from the author 3. topic: babel Topic: Babel Layer 3 Routing 3. topic: batman-adv 3. topic: continuous integration 3. topic: docs Topic: Documentation 3. topic: firewall 3. topic: hardware Topic: Hardware Support 3. topic: multidomain 3. topic: package Topic: Gluon Packages 3. topic: respondd 5. needs: testing Testing of the changes is necessary
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants