coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

Add Support for nftables in Coova-Chilli (OpenWRT Migration) #583

Open momothefox opened 3 weeks ago

momothefox commented 3 weeks ago

Issue Summary:

OpenWRT has fully migrated to nftables as its default packet filtering framework, replacing iptables. Coova-Chilli still relies on iptables and xtables, which now limits its compatibility with OpenWRT and other distributions moving toward nftables. I am aiming to add full support for nftables in Coova-Chilli, ensuring compatibility with modern systems like OpenWRT.

Objective:

Transition Coova-Chilli from using iptables/xtables to nftables. Eliminate any remaining legacy iptables references from the codebase. Ensure the build and runtime environment aligns with nftables support, particularly for OpenWRT custom builds.

Detailed Requirements:

Script Conversion:

Scripts such as up.sh.in and functions.in currently contain iptables commands and should be updated to use nftables commands. For instance:

  Replace iptables -A with nft add rule.
  Replace iptables -t nat -A with nft add rule nat.
  Remove any references to legacy iptables modules or paths (e.g., /sbin/iptables).

Example Updates:

Before:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

After:

nft add rule inet filter input tcp dport 80 accept

Replace libxt_coova.c:

The current codebase includes libxt_coova.c, which is tightly coupled with xtables for custom Coova-specific rules. This file needs to either be rewritten to support nftables or removed if the functionality is no longer needed.

Options:

  Use libnftnl and libmnl to communicate directly with the kernel's nftables subsystem and handle custom rule creation, or
  Remove libxt_coova.c if this functionality can be managed purely by nftables rules.

Build System Updates (Makefile):

The Makefile includes targets to build libxt_coova.so, which registers custom xtables extensions. This should either be reworked for nftables or removed. Ensure that the dependencies in the build system reflect nftables libraries, such as libnftnl and libmnl.

Dependencies and Packaging:

Debian Control File: The dependency on iptables should be replaced with nftables. Ensure that OpenWRT builds correctly include nftables packages and drop iptables dependencies. Update any related documentation and example scripts to reflect the changes to nftables.

Testing:

Once the code is migrated, testing needs to be done on an OpenWRT build to ensure that Coova-Chilli correctly initializes the firewall rules using nftables. Validate all use cases, such as hotspot management and network filtering, to confirm that they work as expected with nftables.

Code Adjustments:

Scripts:

conf/functions.in: Replace all iptables commands with nftables.
conf/up.sh.in: Convert iptables rules to nftables.

Source Files:

Remove or refactor libxt_coova.c: This file currently registers xtables-based custom matches for Coova. Either rewrite this using nftables hooks or remove it if unnecessary.
Modify Makefile: Remove references to building xtables extensions or adjust them to support nftables as necessary.

Documentation:

Convert firewall.iptables and firewall.openwrt example files to nftables-based rulesets.

Example Code Snippet:

Current Script (iptables):

iptables -A FORWARD -i $TUNTAP -o $HS_WANIF -j ACCEPT

Updated Script (nftables):

nft add rule inet filter forward iifname $TUNTAP oifname $HS_WANIF accept

Conclusion:

By migrating Coova-Chilli to nftables, we ensure compatibility with OpenWRT and future-proof the project for modern firewall frameworks. This is critical as OpenWRT and many other Linux distributions are now fully moving away from iptables.

Please let me know how I can assist further with these changes or testing!
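The issue proposes replacing each iptables line in up.sh.in with a matching nft add rule line. The following is an added example, written for this page and not code from the issue author or from the coova-chilli repository, showing the alternative a practitioner would usually prefer: emitting the whole table as a ruleset and loading it with nft -f, which is atomic and idempotent, rather than issuing one nft add rule per line, where a failure midway leaves a half-built table. It covers only the two iptables rules quoted in the issue. Everything else is an assumption made here, not something the issue states: the table name chilli in the inet family, drop policies on input and forward with loopback and established/related exceptions, and a srcnat chain that masquerades client traffic leaving on the WAN interface (the issue mentions -t nat rules but does not show one). The per-client match that libxt_coova.c provides has no counterpart in this skeleton.

```shell
#!/bin/sh
# Added example, not code from coova-chilli: emit the nftables equivalent
# of the two iptables rules quoted in the issue as a ruleset that can be
# loaded atomically with `nft -f`, instead of one `nft add rule` per line.
#
# Assumptions (not from the issue): the table is named "chilli" in the
# inet family; input and forward chains default to drop with the usual
# loopback and established/related exceptions; a srcnat chain masquerades
# client traffic leaving on the WAN interface. Coova-Chilli's per-client
# match from libxt_coova.c has no equivalent here; only static rules are shown.

# chilli_nft_ruleset TUNTAP HS_WANIF
# Prints the ruleset on stdout. The leading "table ... / delete table ..."
# pair makes the load idempotent: the table is created if missing, dropped,
# and rebuilt within the same transaction, so a bad rule never leaves a
# half-built table behind in the kernel.
chilli_nft_ruleset() {
    tuntap=$1
    wanif=$2
    cat <<EOF
table inet chilli
delete table inet chilli
table inet chilli {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
        tcp dport 80 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # iptables -A FORWARD -i \$TUNTAP -o \$HS_WANIF -j ACCEPT
        iifname "$tuntap" oifname "$wanif" accept
    }
    chain srcnat {
        # assumed original rule, not quoted in the issue:
        # iptables -t nat -A POSTROUTING -o \$HS_WANIF -j MASQUERADE
        # (nat chains in the inet family need Linux 5.2 or later)
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$wanif" masquerade
    }
}
EOF
}

# chilli_nft_check TUNTAP HS_WANIF
# Dry-run the ruleset through nft's parser without touching the kernel
# (nft -c); useful on a build host that is not the router.
chilli_nft_check() {
    chilli_nft_ruleset "$1" "$2" | nft -c -f -
}

# chilli_nft_apply TUNTAP HS_WANIF
# Loads the ruleset in one transaction. Requires root and the nftables
# package (on OpenWrt, the same package fw4 depends on).
chilli_nft_apply() {
    chilli_nft_ruleset "$1" "$2" | nft -f -
}
```

From up.sh this would be called as chilli_nft_apply "$TUNTAP" "$HS_WANIF"; running chilli_nft_check first on the development machine catches syntax errors before the script ever reaches a router. Replacing the table as a unit also means a later "nft add rule" from another package cannot accidentally end up in the middle of chilli's chain ordering.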