-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merge Jool into nftables #273
Comments
NAT64 keeps state information etc. It is hard to get it merged into mainline kernel. NAT46 can be easily merged as a virtual network device and will unlikely change much over the years. The kernel janitors would always keep it up to date. Thus Jool could concentrate on NAT64 and e.g. bpfilter support or whatever is coming. If Jool's NAT64 would also become a virtual network device and the design is conform with the kernel's (e.g. using the upcoming rhashtables etc.), it would also be well-suited for the mainline kernel, but it's a long journey to that point... |
Question: Where do you hear about this kind of stuff? LWN.net? Not sure if Jool has strayed far from the kernel's design. I probably need to update my understanding of it. |
I'm learning Linux kernel development for some years now, because I'd like to add some functionalities to mac80211, which is quite hard (MCCA). Thus I've read all the O'Reilly books and indeed a lot of LWN articles. Actually I'm still quite bad at it. At the moment I'm working e.g. on a heavily modified NAT4(2)6 virtual network layer 2 device which does connection tracking to allow seamless roaming for clients in Babel mesh networks. I held a talk on the Battlemesh about it, but it's a bit outdated. The setup has become even more complex as I don't want TCP connections to break and don't rely on intelligent client behavior which means the module needs to do connection tracking to fake a single gateway. That's why I've talked to some kernel devs about how a kernel module needs to look and "feel" like to be merged in mainline kernel. A simple, RFC-conform NAT46 virtual network device which is NAPI and net-utils compatible would very likely be accepted upstream. |
(Not much of an update, but I want to merge the two conversations and respond this e-mail at the same time.) There's nothing stopping me from knocking some doors upstream, other than the higher-priority feature requests still awaiting implementation. That said, if I attempted such a thing, I'd expect to run into some obstacles:
Addressing 2, 3 and 4 is a matter of time, but I would like to hear some arguments to defeat 1. For starters, here's a technical reason why merging Jool with the kernel would be a good idea:
|
I can help in this regard. I've been involved a bit with the RSBAC discussion in the early 2000s (and the problems around it) and seen the wireguard approach.
That sounds very promising!
I think this is subject to discussion and maybe a talk with the netfilter group is a good thing to do. If you want to, I can reach out and
I see a lot of convincing arguments for merging it into mainline:
If 2/3/4 are kind of easy from your side, I can support a bit with 1 and reach out slowly and get an understanding of how the general attitude is towards jool in upstream. |
Ok. I'm currently writing a message I should post on the Netfilter Developer Mailing List tomorrow. From the archives it seems there have been a couple of attempts to raise a bit of hype about NAT64 many years ago, but they seem to have been unsuccessful. So feel free to chime in, or even beat me to it. I can't imagine my message being persuasive on its own. |
hey @ydahhrk it seems that the mail thread you posted in your last comment just stopped with no further action. Personally I believe that having a NAT64 implementation in the kernel would be a great idea, especially if it could just sit next to other NAT'ing mechanism existing in the kernel. |
Merging Jool into nftables is still very much the ideal/intended path, but
I can't start yet because we're critically understaffed at the moment.
Right now I'm charged with the maintenance of both Jool and Fort, as well
as the development of half of a new internal project. It's pretty bad. Even
Jool 4.2.0 is half a year overdue.
I don't know when things will settle down, and I can't offer much right now
aside from maintenance and support.
…On Sat, Jul 10, 2021, 11:06 AM Antonio Quartulli ***@***.***> wrote:
hey @ydahhrk <https://github.com/ydahhrk> it seems that the mail thread
you posted in your last comment just stopped with no further action.
Is the idea of merging with nftables still on the table? what are your
thoughts? I'd like to help with this issue, but I am not sure about the
current direction that project wants to take.
Personally I believe that having a NAT64 implementation in the kernel
would be a great idea, especially if it could just sit next to other
NAT'ing mechanism existing in the kernel.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#273 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AASHNF2CPMVAPKRNPA6W6C3TXBV2HANCNFSM4GR4VOVQ>
.
|
Hi everyone! @ydahhrk Great work! I'm sorry to hear you're understaffed and under lots of work, hope things got better in the meantime. Hope you had great festivities and want to wish you a great year! 😄 |
The situation has done nothing but worsen over time. To be perfectly honest, I (and I speak for myself only) would like to sunset the project at this point, but the higher ups won't allow it. Then again, there are no resources, so I don't know what to tell you. If somebody would be willing to pay me a salary to work on this, I suppose it could be pushed, but otherwise, I don't see it happening. Although, if the problem is simply that OpenWRT is about to drop the iptables glue code, I could release a Jool variant that lacks the iptables dependency. Or make it optional. (Maybe it already is; I don't remember.) You'd be forced to use Netfilter mode, but otherwise, nothing would change. |
Really? Oh wow, that's very sad to hear, this project implements a important feature like no other... As you might guess I can't do that, I wish I could but I can't 😢 Yes, that's the issue, OpenWRT is dropping the old iptables and moving to nftables. That would be great cause that way I can update the package and it would continue working in the future! I'm not actually sure if actually is, but if the logic is right, if the netfilter mode can work with both iptables and nftables, then removing iptables as a dependency might actually work right? It might be worth it to add a compile flag or check to see if iptables exists and disallow it's use. Really, thanks for your work, and I hope that in the future things get better, we're all needing it 😄 |
Let me also express frustrations at this news, as I consider this the old financing-open-source-projects problem rearing its head once again. I'm also in no position to employ someone, but would love to chip in and help get this feature to mainline. @ydahhrk have you (not just you personally, but the organisation in general) considered organising Kickstarter or some similar fundraiser? Back in 2018, Bootlin (this was around the same time they changed their name from Free Electrons, so news articles might reference the old name) set up a Kickstarter in a somewhat similar situation - they had code that was working on either deprecated APIs (VDPAU), some initial reversing work done by community, and binary blob from a non-cooperating hardware vendor targeting at that point a long-EOLed kernel versions. They found enough people and companies who wanted a proper mainline driver for the hardware and were willing to put their money into the project. Over the course of a year or two, they succeeded in the goals they set up - driver was developed for the new V4L2 API, made to run with kodi player (where the team also pushed some changes, I think), driver pushed to the kernel before being accepted.
|
Have you considered to ask NLnet to fund this project (well at least $some development)? https://nlnet.nl/ |
I have to second everyone on this list that Jool has become a very
important project.
As I see others are also thinking about chipping in: I am working for
ungleich[0] in Switzerland, which is registered ltd.
I'm open to put 100$/month to support Jool development and it would be
easy to collect other payments in Switzerland and send them in one batch
to Alberto. At no cost. [1]
I know there are other projects to support monthly payments and I'm also
open to use that, depending on what's easiest for Alberto.
So, who else is in?
Best regards,
Nico
[0] www.ungleich.ch, ungleich glarus ag
[1] No cost = ungleich passes it through, minus banking fees.
Alberto Leiva Popper ***@***.***> writes:
… The situation has done nothing but worsen over time. To be perfectly honest, I (and I speak for myself only) would like to sunset the project at this point, but the higher ups won't allow it. Then again, there are no resources, so I don't know what to tell you.
If somebody would be willing to pay me a salary to work on this, I suppose it could be pushed, but otherwise, I don't see it happening.
Although, if the problem is simply that OpenWRT is about to drop the iptables glue code, I could release a Jool variant that lacks the iptables dependency. Or make it optional. (Maybe it already is; I don't remember.) You'd be forced to use Netfilter mode, but otherwise, nothing would change.
--
Sustainable and modern Infrastructures by ungleich.ch
|
@telmich I know you're pretty active in the RIPE community - maybe you could circulate this idea there and see which other company would be willing to help? |
Status: Sorry, but I'm too busy right now. Will work on the optional iptables dependency in the weekend, and figure out a plan for nftables over the second half of January. |
Userspace iptables depends on whether the configure script detects libxtables-dev installed. Kernelspace iptables needs to be removed manually: make JOOL_FLAGS=-DXTABLES_DISABLED This feature was requested in #273.
Ok, iptables should now be optional in the optional-iptables branch. Is it possible to test it in the iptablesless OpenWRT without me generating a release?
Is this enough? |
Hi @ydahhrk I'm really gonna need some pointers here as I believe the way OpenWRT compiles jool is different from the way you "officially" support. Ignoring the source of the code (I have yet to change the link, checksum, etc.) there are two issues I'm facing:
This is the make file I came up with:
|
CFLAGS_MODULE is the new JOOL_FLAGS. It's more standard. Instead of make JOOL_FLAGS=-D<flag> do make CFLAGS_MODULE=-D<flag> Progress on #273.
Huh. Is it just me, or they documented this way better now? I just uploaded an improvement patch. Forget Looking at your script, it's probably in these:
Something like this:
Don't forget the backslash! Note, you have to do it three times. If you can see the output of
|
Turns out including a dependency depending on installedness is not standard practice. Manually includes and excludes xtables from the userspace binaries: ./configure # xtables included ./configure --with-xtables # xtables included ./configure --with-xtables=yes # xtables included ./configure --with-xtables=no # xtables excluded Took a while, but I think I finally landed optional iptables properly. Progress on #273.
Yet another improvement patch: Userspace iptables can also be excluded through a flag now.
("xtables" and "iptables" are synonyms.) Note, this only applies to userspace. For kernel modules, keep doing
No. (Note: If you're still finding problems, please open a new issue. This thread is kind of unrelated.) |
Is the work of merging jool into nftables still active? Is there a status update on this? |
The entire project is more or less frozen. I'm doing minimal maintenance in my free time. We should get some funding next year, but I can't be any more specific than that because it's still in the planning phase. |
This has been mentioned several times, particularly in #140 and the survey. It appears that some people want Jool to merge with the Linux kernel.
Why, though? I get that people don't like installing from source, but wouldn't official packages fix that satisfactorily?
Personally, I sympathize with the Unix philosophy, and feel that IP translation is a tad too specific a need and too far from core to expect a kernel to ship with it by default. Wouldn't most distributions disable it?
The text was updated successfully, but these errors were encountered: