Nftables

[Denna]

Is there any interest in including nftables in Asuswrt-Rmerlin ?

Or is this a change that Asus would have to make in Asuswrt first ?

 

[RMerlin]

Is there any interest in including nftables in Asuswrt-Rmerlin ?

Or is this a change that Asus would have to make in Asuswrt first ?

Nftables was added in kernel 3.13. We're at kernel 2.6.36...

 

[heysoundude]

How now? it's 5-6 years later and there's a whole bunch of new hardware since this was originally posted. is asus stuck on iptables for a particular reason, or have they moved forward as well?

I see RMerlin and others have outlined the process in this thread from a few years ago, so I guess I'm looking for someone who knows to give an indication of where the process is at or even if it's proceeding

 

[RMerlin]

The whole firmware is designed to use iptables. Adding nftables would just be unnecessary bloat, as there's no way the firmware could be re-engineered to switch to nftables.

 

[SomeWhereOverTheRainBow]

The whole firmware is designed to use iptables. Adding nftables would just be unnecessary bloat, as there's no way the firmware could be re-engineered to switch to nftables.

I tend to agree here. Nftables would only be usable from the terminal since none of the webui or existing code is configured for it. Plus it would require a full kernel change. Preferably to the newer kernels out now. All this would definitely not be possible without completely re-engineering mostly everything.

 

[sfx2000]

nftables went default in openwrt master back in Jan 2022, along with their fw4 implementation.

It's a fairly major change, and not everything has been fully debugged and working compared to ipables/fw3, but there's been good progress.

As others have mentioned - it's not a straight backport, and it would involved reworking major parts of AsusWRT (and the vendor BSP's) to bring nft in... it's not just kernel support, but it touches everything, from dnsmasq to the firewall automation scripts.

Here's a snippet - nftables/fw4 is a nice step forward for many things...

 

[heysoundude]

The whole firmware is designed to use iptables. Adding nftables would just be unnecessary bloat, as there's no way the firmware could be re-engineered to switch to nftables.

Switching from ip to nftables was what I was asking about, but having to re-write the firmware entirely is a good reason why it's not happening at this time.

It's a fairly major change, <SNIP>

As others have mentioned - it's not a straight backport, and it would involved reworking major parts of AsusWRT (and the vendor BSP's) to bring nft in... it's not just kernel support, but it touches everything, from dnsmasq to the firewall automation scripts.

Thanks for reading into my question! It's pretty much what I was wondering about, and what I was asking

 

[sfx2000]

nftables went default in openwrt master back in Jan 2022, along with their fw4 implementation.

Along with FW4 and nftables - the OpenWRT team actually created a whole scripting language around it...

Sources/ucode/README.md

 

[heysoundude]

Along with FW4 and nftables - the OpenWRT team actually created a whole scripting language around it...

Sources/ucode/README.md

I believe something like that is well beyond Eric's original intent behind his version of the firmware.
It is impressive what they've done there, though.