How to follow along with the nftables development?


Dave Horton

Nov 3, 2023, 12:39:26 PM
to rtpe...@googlegroups.com
I notice the activity going on with migrating from iptables to nftables and I am super interested in this. Not sure how to follow along though, i.e. how to know when it is ready for testing, etc. The read-the-docs referenced from the tip of main still refer to iptables, for instance; it seems some things have been done (removing the iptables extension) and some things are still in progress (migrating the kernel module to nftables?), so I guess I am wondering where the best place to look for announcements on this is. Would that just be this mailing list? Also happy to contribute testing or building if it would be helpful. Thanks in advance

Dave

Richard Fuchs

Nov 3, 2023, 12:52:44 PM
to rtpe...@googlegroups.com
On 03/11/2023 12.39, [EXT] Dave Horton wrote:
> I notice the activity going on with migrating from iptables to nftables and I am super interested in this. Not sure how to follow along though, i.e. how to know when it is ready for testing, etc. The read-the-docs referenced from the tip of main still refer to iptables, for instance; it seems some things have been done (removing the iptables extension) and some things are still in progress (migrating the kernel module to nftables?), so I guess I am wondering where the best place to look for announcements on this is. Would that just be this mailing list? Also happy to contribute testing or building if it would be helpful. Thanks in advance

There are two stages to this.

The first stage is done (except for the docs, as you mention; welcome to FOSS), which is to drop the dependency on the iptables CLI tool. The nftables/iptables rules are now managed directly by rtpengine via netlink.

The second stage would be moving the kernel module itself to the nftables framework. For the time being it remains an xtables module, which is fully functional in an nftables environment (as well as within iptables), with the exception that the nft CLI tool is not able to manage the rules. Hence offloading management into rtpengine itself.

There's no predicted timeline for the second stage, but the current status is that it's fully functional as it is.

Cheers

Anshuman Rawat

Nov 3, 2023, 2:30:22 PM
to rtpengine
Hi, just needed to confirm: has this been done in version mr12.x.x.x? I have been trying to understand how the kernel forwarding works (which includes understanding the procfs, kernel modules, strace, etc.) using version mr11.5.1.9 and see no mention of netlink or nftables. Is my understanding correct?

Richard Fuchs

Nov 3, 2023, 3:10:25 PM
to rtpe...@googlegroups.com
On 03/11/2023 14.30, [EXT] Anshuman Rawat wrote:
> Hi, just needed to confirm: has this been done in version mr12.x.x.x? I have been trying to understand how the kernel forwarding works (which includes understanding the procfs, kernel modules, strace, etc.) using version mr11.5.1.9 and see no mention of netlink or nftables. Is my understanding correct?

Yes, correct. But the kernel module itself is the same between both versions and kernel-mode forwarding works the same. The only difference is in how the iptables/nftables rule to pass packets to the kernel module is created.

Cheers
