-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
firewall: switch to nftables #2783
base: main
Are you sure you want to change the base?
Conversation
not sure how to go about ebtables. I took a quick glance and it seems there's not really anything missing from nftables that is currently being done in ebtables. If it's a good idea, I could do the rewrite of the ebtables rules, unless syntax is worse. Switched ebtables to ebtables-nft for now. |
87324b6
to
1f54a15
Compare
we'll build a firmware together in the next days; @mkg20001, @AiyionPrime |
IPTables migration is done, the goal is to go ahead with migrating ebtables to nftables. input is appreciated. |
how migrations are handled: ebtables -> nftables:
nftables in general:
for appending the includes I've choosen a similar style to what we already have with the webinterface elements. I hope I've found the best middleground between boilerplate and complexity. if wanted we could extend the removal/readd to all firewall rules (or extend /lib/gluon/nftables to become /lib/gluon/firewall with nftables includes aswell as regular firewall rules) |
alternative would be
|
@rotanid nftables itself is among the biggest things, we can't really get rid of much replacing fw4 isn't really an option either as that won't be maintainable
maybe disabling some features in nftables cli will help (not sure if that's possible) |
fw4 is written in ucode, which also uses a bunch of space
|
This comment was marked as resolved.
This comment was marked as resolved.
Also I came accross this: openwrt/openwrt#11895 This might help with space problems in general, but since mips is not supported yet it wouldn't do too much. |
Added it |
A potential fix for tiny would be including the minimal dnsmasq again, but this time only for tiny only. That way we should have enough space. |
Let's do this!
(not only because I have a passionate hate towards iptables, but because nftables is the cool new firewall that merges all the others)