RDKBNETWOR-80 : Transform to Nftables from Iptables #292
Open
vsai1990 wants to merge 2 commits into
## WARNING: A Blackduck scan failure has been waived. A prior failure has been upvoted
snayak002c requested changes (May 11, 2026)
Reason for change:
1) Translate all the RDKB iptables rules to nftables.
2) Write them into the /tmp/.nft and /tmp/.nft_v6 files and apply them to netfilter.
3) All the nftables rules are added under the firewall_nft dir.
Test Procedure: RDKB Firewall functionality
Risks: Medium
snayak002c approved these changes (Jun 22, 2026)
Pull request overview
This PR introduces an nftables-based firewall implementation alongside the existing iptables-based firewall, with build-time support (--enable-firewall-nft) and runtime selection via syscfg nft_enable.
Changes:
- Adds a new source/firewall_nft/ implementation (firewall + nfqueue handler + support headers) intended to generate/apply nftables rules.
- Updates build system (autotools + Makefile conditionals) to optionally build the nftables firewall and to build the legacy firewall binary as firewall_ipt.
- Updates runtime launcher script and a utapi port-forwarding path to conditionally use nft vs iptables.
Reviewed changes
Copilot reviewed 14 out of 16 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| source/utapi/lib/utapi.c | Adds runtime switch to attempt nft rules for ephemeral port forwarding. |
| source/utapi/lib/Makefile.am | Adds -DNFT_ENABLE when FIREWALL_NFT is enabled. |
| source/scripts/init/service.d/service_firewall/firewall_log_handle.sh | Switches between legacy and nft firewall binaries based on syscfg nft_enable. |
| source/Makefile.am | Adds firewall_nft subdir when FIREWALL_NFT is enabled. |
| source/firewall/Makefile.am | Builds legacy firewall as firewall_ipt under FIREWALL_NFT. |
| source/firewall_nft/raw_socket_send.c | Adds raw packet send helper (copied from legacy). |
| source/firewall_nft/nfq_handler_nft.c | Adds nft-oriented nfqueue handler implementation. |
| source/firewall_nft/Makefile.am | Builds firewall_nft and an nfqueue handler binary. |
| source/firewall_nft/firewallnft.h | Adds nft firewall header/API surface. |
| source/firewall_nft/firewall_priv_nft.c | Adds nft versions of custom rule helpers. |
| source/firewall_nft/firewall_ipv6_nft.c | Adds nft IPv6 firewall rule generation. |
| source/firewall_nft/firewall_interface_nft.c | Adds weak stubs for platform hooks in nft firewall. |
| source/firewall_nft/firewall_ext_nft.c | Adds extender-mode nft firewall logic. |
| source/firewall_nft/firewall_custom.h | Adds nft firewall custom header and shared declarations/macros. |
| configure.ac | Adds --enable-firewall-nft configure option and generates source/firewall_nft/Makefile. |
Comment on lines +7615 to +7616
| v_secure_system("nft %c rule ip nat prerouting_fromwan ip saddr %s ip daddr %s tcp dport %s counter dnat to %s:%s", | ||
| ciptableOprationCode,natip4, external_dest_port, external_ip, toip, port_modifier); |
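Review bot: the argument list does not line up with the format string: natip4 fills `ip saddr`, external_dest_port fills `ip daddr`, and external_ip fills `tcp dport`, so nft is asked to compare a port number against a destination address and an address against a port, and it will reject the rule. The order that matches the field names is `ip saddr natip4 ip daddr external_ip tcp dport external_dest_port`; better, route the pieces through one helper so the tcp and udp variants cannot drift apart. Also, `%c` emits a single character, while nft's verbs are `add`, `insert` and `delete`; if ciptableOprationCode still carries the iptables `A`/`D` letter it needs mapping to the verb, and note that `nft delete rule` takes a `handle N` obtained from `nft -a list chain`, not a rule specification.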
Comment on lines +7637 to +7638
| v_secure_system("nft %c rule ip nat prerouting_fromlan ip saddr %s ip daddr %s tcp dport %s counter dnat to %s:%s", | ||
| ciptableOprationCode,lan_ipaddr, external_dest_port, external_ip, toip, port_modifier); |
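Review bot: same argument misorder as the prerouting_fromwan rule: external_dest_port lands in `ip daddr` and external_ip in `tcp dport`. Separately, check whether lan_ipaddr is meant as a host or a subnet here: `ip saddr` with a bare address matches only that one address, so as written the LAN-side (hairpin) DNAT would apply only to traffic sourced from the router's own LAN IP unless a prefix length is appended.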
Comment on lines +7692 to +7693
| v_secure_system("nft %c rule ip filter wan2lan_forwarding_accept ip saddr %s ip daddr %s tcp dport %s counter jump xlog_accept_wan2la", | ||
| ciptableOprationCode,external_ip, toip, dport); |
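Review bot: the jump target `xlog_accept_wan2la` looks truncated (the other identifiers in this PR spell it `wan2lan`); nft reports a missing chain as "No such file or directory" and the rule is not installed. Also, for WAN-to-LAN forwarded traffic `ip saddr` is the remote client, so matching it against external_ip (the router's own WAN address) will never be true after DNAT; confirm whether the intent was `ip daddr toip tcp dport dport` only, as the post-DNAT destination is what the forward chain sees.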
Comment on lines +7794 to +7795
| v_secure_system("nft %c rule ip filter wan2lan_forwarding_accept ip saddr %s ip daddr %s udp dport %s counter jump xlog_accept_wan2la", | ||
| ciptableOprationCode,external_ip, toip, dport); |
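Review bot: this duplicates the tcp rule above, including the `xlog_accept_wan2la` target, so whatever fix lands there has to be repeated here. nft can express both protocols in one rule with `meta l4proto { tcp, udp } th dport %s`, which halves the number of rules to generate and, later, to look up by handle and delete.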
Comment on lines 22 to +26
| AM_LDFLAGS = -lccsp_common -lsecure_wrapper -lnetfilter_queue -lnfnetlink $(DBUS_LIBS) -pthread -lrt | ||
|
|
||
| if FIREWALL_NFT | ||
| bin_PROGRAMS = firewall_ipt nfq_handler | ||
| else |
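Review bot: under FIREWALL_NFT this Makefile.am still builds nfq_handler next to firewall_ipt, while the review summary says source/firewall_nft/Makefile.am also builds an nfqueue handler binary; if both install a program of the same name, the two subdirectories overwrite each other in `make install` and the launcher script cannot tell which one it got. Either rename the legacy one (nfq_handler_ipt, mirroring firewall_ipt) or drop it from bin_PROGRAMS in the nft build. Minor: the `-l` libraries in AM_LDFLAGS belong in `LDADD`, since LDFLAGS are placed before the object files on the link line and a toolchain using `--as-needed` silently discards them.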
Comment on lines +222 to +227
| v_secure_system("flush chain ip filter device_%u_container", insNum); | ||
|
|
||
| #if _NFQ_DEBUG_LEVEL == 1 | ||
| printf("system: add rule ip filter device_%u_container ip daddr %s jump wan2lan_dnsr_nfqueue_%u", insNum, ipAddr, insNum); | ||
| #endif | ||
| v_secure_system("add rule ip filter device_%u_container ip daddr %s jump wan2lan_dnsr_nfqueue_%u", insNum, ipAddr, insNum); |
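Review bot: both v_secure_system() calls are missing the `nft` command word: `flush chain ip filter device_%u_container` would try to execute a program named `flush`, and `add rule ip filter ...` one named `add`, so neither rule ever reaches the kernel. The debug printf prints the same prefix-less string, so this is the template itself, not a stray copy; prefix both with `nft `. The printf also lacks a trailing newline. Keep the flush-before-add order once fixed: the handler runs per device instance, and without the flush each pass appends another identical `jump wan2lan_dnsr_nfqueue_%u` rule.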
Comment on lines +469 to +478
| if(nat_fp) { | ||
| fclose(nat_fp); | ||
| snprintf(fname, sizeof(fname), "/tmp/filter6_%x", ourpid); | ||
| unlink(fname); | ||
| } | ||
| if(filter_fp) { | ||
| fclose(filter_fp); | ||
| snprintf(fname, sizeof(fname), "/tmp/nat6_%x", ourpid); | ||
| unlink(fname); | ||
| } |
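Review bot: the cleanup names are crossed: after closing nat_fp the code unlinks /tmp/filter6_<pid>, and after closing filter_fp it unlinks /tmp/nat6_<pid>. When both handles are open the net effect is the same, but if only one was opened the wrong file is removed and the other is left behind in /tmp. Swap the two snprintf() names. Separately, a predictable /tmp/<name>_<pid> path that a privileged process opens for writing is the classic symlink-race shape; create these files with mkstemp() or under a directory only the firewall process can write.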
Comment on lines +122 to +126
| // Constants used by both files | ||
| #define MAX_NO_IPV6_INF 10 | ||
| #define MAX_LEN_IPV6_INF 32 | ||
| #endif | ||
|
|
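Review bot: `MAX_LEN_IPV6_INF 32` needs a comment saying what it bounds. If the entries are interface names, IFNAMSIZ (16) is the system limit and 32 only wastes space; if they are textual IPv6 addresses, INET6_ADDRSTRLEN (46) is required and 32 will truncate or, depending on how the buffer is filled, overflow. Using the libc constant in either case removes the guesswork.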
Comment on lines +481 to +487
| /* ipv4 */ | ||
| prepare_ipv4_firewall(filename1); | ||
| v_secure_system("nft -f /tmp/.ipt_ext 2> /tmp/.nftv4table_ext_error"); | ||
|
|
||
|
|
||
| prepare_ipv6_firewall(filename2); | ||
| v_secure_system("nft -f /tmp/.nft_v6 2> /tmp/.nftv6table_ext_error"); |
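Review bot: the file paths are hard-coded instead of taken from filename1/filename2, and the IPv4 path `/tmp/.ipt_ext` keeps the iptables name while the IPv6 one is `/tmp/.nft_v6` (the PR description names `/tmp/.nft` for IPv4). If prepare_ipv4_firewall() writes to filename1 and this line loads a different file, the extender applies a stale or empty ruleset. Use the same variable for both, and check each `nft -f` return value: nft -f is transactional, so a single parse error means no rules were installed and the error file in /tmp is the only evidence. Also confirm that v_secure_system() handles the `2>` redirection itself; it does not go through a shell, and if redirection is not interpreted, nft receives `2>` and the error path as extra arguments and fails.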
Comment on lines +7718 to +7720
| v_secure_system("nft %c rule ip nat prerouting_fromwan ip saddr %s ip daddr %s udp dport %s counter dnat to %s:%s", | ||
| ciptableOprationCode,natip4, external_dest_port, external_ip, toip, port_modifier); | ||
| } |
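Review bot: same misordered arguments as the tcp rule (external_dest_port into `ip daddr`, external_ip into `udp dport`). This is the fourth copy of the DNAT template in this file; one function taking the protocol as a parameter would have caught the ordering once and would give the delete path (which in nft needs the rule handle) a single place to live instead of four.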
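The PR description says the translated rules are written to a file and loaded with nft -f, and the flagged hunks build per-rule add/delete commands. The script below is an added example, not code from this PR or from RDKB, and it shows the two things a reviewer would want settled before the nft path ships: a ruleset file that is safe to re-apply (the `table ... {}` plus `flush table` prologue), and deletion by handle, since nft has no iptables-style delete-by-specification. The chain names mirror the ones visible in the review; the addresses, ports and the sample `nft -a list` output are constructed for illustration.

```python
"""Idempotent nftables port-forward ruleset plus delete-by-handle lookup.

Added example, not code from the RDKB PR or project. Chain names mirror the
ones visible in the review (ip nat prerouting_fromwan, ip filter
wan2lan_forwarding_accept); the addresses, ports and the sample
`nft -a list` output below are constructed for illustration.
"""
import os
import re
import shutil
import subprocess
import tempfile

NAT_CHAIN = "prerouting_fromwan"
FWD_CHAIN = "wan2lan_forwarding_accept"


def dnat_rule(proto, ext_ip, ext_port, to_ip, to_port, saddr=None):
    """DNAT rule in nft syntax. Field order matters: the address goes to
    `ip daddr` and the port to `<proto> dport`; swapping them (easy when
    porting an iptables argument list) makes nft reject the rule."""
    src = f"ip saddr {saddr} " if saddr else ""
    return (f"{src}ip daddr {ext_ip} {proto} dport {ext_port} "
            f"counter dnat to {to_ip}:{to_port}")


def forward_rule(proto, to_ip, to_port):
    """Matching forward-chain accept for the post-DNAT destination."""
    return f"ip daddr {to_ip} {proto} dport {to_port} counter accept"


def build_ruleset(forwards):
    """forwards: iterable of (proto, ext_ip, ext_port, to_ip, to_port).

    The `table ... {}` / `flush table` prologue makes the file safe to
    re-apply with `nft -f`: without it every run appends a second copy of
    each rule. nft -f is transactional, so one bad line means nothing loads."""
    lines = ["table ip nat {}", "flush table ip nat",
             "table ip filter {}", "flush table ip filter",
             "table ip nat {",
             f"\tchain {NAT_CHAIN} {{",
             "\t\ttype nat hook prerouting priority dstnat; policy accept;"]
    lines += [f"\t\t{dnat_rule(*f)}" for f in forwards]
    lines += ["\t}", "}",
              "table ip filter {",
              f"\tchain {FWD_CHAIN} {{",
              # Deliberately minimal: only return traffic and the forwarded
              # ports pass; a real base chain carries the LAN->WAN policy too.
              "\t\ttype filter hook forward priority filter; policy drop;",
              "\t\tct state established,related accept"]
    lines += [f"\t\t{forward_rule(p, ip, port)}" for (p, _, _, ip, port) in forwards]
    lines += ["\t}", "}"]
    return "\n".join(lines) + "\n"


_HANDLE_RE = re.compile(r"^(?P<rule>.*?)\s*# handle (?P<h>\d+)$")
_COUNTER_RE = re.compile(r"counter packets \d+ bytes \d+")


def find_rule_handle(listing, rule):
    """Return the handle of `rule` in `nft -a list chain ...` output, or None.

    nft has no iptables-style `-D <spec>`; a rule is deleted by handle, and
    the live listing prints counters with packet/byte values, which have to
    be folded back to plain `counter` before comparing."""
    for line in listing.splitlines():
        m = _HANDLE_RE.match(line.strip())
        if m and _COUNTER_RE.sub("counter", m.group("rule")).strip() == rule:
            return int(m.group("h"))
    return None


def delete_command(table, chain, handle):
    """The only form of rule deletion nft accepts, as an argv list."""
    return ["nft", "delete", "rule", "ip", table, chain, "handle", str(handle)]


def check_with_nft(ruleset):
    """Dry-run with `nft -c -f` (no commit). Returns the exit status, or None
    when nft is not installed; the check needs CAP_NET_ADMIN, so a non-zero
    status on an unprivileged host is expected."""
    if shutil.which("nft") is None:
        return None
    fd, path = tempfile.mkstemp(suffix=".nft")   # private path, no symlink race
    try:
        with os.fdopen(fd, "w") as f:
            f.write(ruleset)
        return subprocess.run(["nft", "-c", "-f", path], capture_output=True).returncode
    finally:
        os.unlink(path)


# Constructed sample: what `nft -a list chain ip nat prerouting_fromwan`
# prints once the rules below have seen some traffic.
SAMPLE_LISTING = """\
table ip nat {
	chain prerouting_fromwan { # handle 1
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 203.0.113.5 tcp dport 8080 counter packets 12 bytes 720 dnat to 192.168.1.10:80 # handle 7
		ip daddr 203.0.113.5 udp dport 5060 counter packets 0 bytes 0 dnat to 192.168.1.20:5060 # handle 8
	}
}
"""

FORWARDS = [("tcp", "203.0.113.5", "8080", "192.168.1.10", "80"),
            ("udp", "203.0.113.5", "5060", "192.168.1.20", "5060")]

if __name__ == "__main__":
    print(build_ruleset(FORWARDS))
    h = find_rule_handle(SAMPLE_LISTING, dnat_rule(*FORWARDS[0]))
    print(" ".join(delete_command("nat", NAT_CHAIN, h)))
    print("nft -c -f:", check_with_nft(build_ruleset(FORWARDS)))
```

The delete path is the part that does not translate one-to-one from iptables: `iptables -D chain <spec>` becomes list, match, then `nft delete rule ... handle N`, and the match has to ignore the live counter values nft prints. The IPv6 file follows the same shape with `table ip6`.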