firewall: switch to nftables

[mkg20001]

Let's do this!

(not only because I have a passionate hate towards iptables, but because nftables is the cool new firewall that merges all the others)

[mkg20001]

not sure how to go about ebtables. I took a quick glance and it seems there's not really anything missing from nftables that is currently being done in ebtables. If it's a good idea, I could do the rewrite of the ebtables rules, unless syntax is worse. Switched ebtables to ebtables-nft for now.

[AiyionPrime]

we'll build a firmware together in the next days; @mkg20001, @AiyionPrime

[mkg20001]

IPTables migration is done, the goal is to go ahead with migrating ebtables to nftables. input is appreciated.

[mkg20001]

how migrations are handled:

ebtables -> nftables:

• delete remaining ebtables config entierly (todo)

nftables in general:

• since the snippets installed might disappear when a mesh chooses to remove a package, which could potentially break fw4 (ok turns it it's just a warning but let's keep it clean)
  • individual includes are prefied with gluon_nftables_ and are removed once no longer needed

for appending the includes I've choosen a similar style to what we already have with the webinterface elements. I hope I've found the best middleground between boilerplate and complexity.

if wanted we could extend the removal/readd to all firewall rules (or extend /lib/gluon/nftables to become /lib/gluon/firewall with nftables includes aswell as regular firewall rules)

[mkg20001]

I hope I've found the best middleground between boilerplate and complexity.

alternative would be

• a module similar to what wireless does or

• adding a top line that specifies how the given file should be included (#! chain-pre <chain>, table-post, etc) and having lua arrange everything

[rotanid]

well, re450 was already marked as tiny, if it's the only device...
but it's said once again, that something new is using more space rather than "we wrote from scratch and saved space by not having to deal with the old stuff" :(

[mkg20001]

@rotanid nftables itself is among the biggest things, we can't really get rid of much

replacing fw4 isn't really an option either as that won't be maintainable

usr/lib/libnftables.so.1.1.0: 612kib
usr/lib/libnftnl.so.11.6.0: 132kib
usr/lib/libjansson.so.4.13.0: 40kib
usr/lib/libmnl.so.0.2.0: 16kib
bin/nft: 12kib

maybe disabling some features in nftables cli will help (not sure if that's possible)

[mkg20001]

fw4 is written in ucode, which also uses a bunch of space

$ du -hs ./usr/{bin,lib,share}/ucode
16K	./usr/bin/ucode
76K	./usr/lib/ucode
80K	./usr/share/ucode

[mkg20001]

Also I came accross this: openwrt/openwrt#11895

This might help with space problems in general, but since mips is not supported yet it wouldn't do too much.

[mkg20001]

I'd need some help enabling the right nftables modules as they seem to be missing.

Added it

[mkg20001]

A potential fix for tiny would be including the minimal dnsmasq again, but this time only for tiny only. That way we should have enough space.