
Collapse tables in nftables into single tables per address-family
Open, Normal, Public, Feature Request

Description

Currently, there are a number of tables per address-family (ip, ip6, inet, bridge), all with slightly different functions. This isn't required for nftables, and can make developing new features inflexible.

For instance, task https://vyos.dev/T2196 would be trivial for the user to accomplish with add-address-to-group. But since that is a feature only in vyos_filter, and not vyos_nat, it means a hardcoded solution would need to be developed.

Additionally, sets are created per table, even though they are the same sets. And with some sets being dynamic, there are sync issues that can (and do) exist when updating a section like policy route. The dynamic sets are zeroed out, and must be repopulated, but it isn't working in all cases.

Collapsing similar chains into a single table per address family would make iterating on firewall features much easier, as well as clean up the current implementation.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Adding to this conversation. The one benefit to how things are currently being done is that changes to a single section (firewall, policy, conntrack, nat) just require a simple delete of the entire table, then an atomic load of the updated config.

With this change, that wouldn't work, because a change to one section would then wipe out all other sections, only putting back the single section (e.g. a change to policy would delete nat, conntrack, and policy).

This could be solved easily by just getting a list of existing chains and then iterating over them in the Jinja2 template and deleting them. This would likely necessitate the renaming of some chains so that they can easily be sorted. It could be something like is currently done for the sets:

Example
VYOS_FORWARD_filter would become F_VYOS_FORWARD_filter
PREROUTING would become N_PREROUTING

Most of these changes would be fairly innocuous with the exception of smoketests. Those would need to be updated, since a lot of them are looking for a specific chain name after configuration.
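To illustrate the per-section reload the comment above describes, here is an added example (not VyOS code): it picks out one section's chains from `nft -j list ruleset` output by their name prefix and builds a single nft script that flushes and deletes only those chains before recreating them. Plain string formatting stands in for the Jinja2 templates VyOS uses, the F_ and N_ prefixes come from the comment, and the P_ and C_ prefixes plus the sample ruleset are assumptions.

```python
import json

# Chain-name prefixes per section, as proposed in the comment above
# (F_ and N_ come from the comment; P_ and C_ are assumed for this example).
SECTION_PREFIX = {"firewall": "F_", "nat": "N_", "policy": "P_", "conntrack": "C_"}

# Constructed sample of `nft -j list ruleset` output, trimmed to the fields used here.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "vyos_filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "vyos_filter", "name": "F_VYOS_FORWARD_filter",
               "handle": 2, "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "inet", "table": "vyos_filter", "name": "F_VYOS_INPUT_filter",
               "handle": 3, "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "inet", "table": "vyos_filter", "name": "N_PREROUTING",
               "handle": 4, "type": "nat", "hook": "prerouting", "prio": -100, "policy": "accept"}},
]})


def section_chains(ruleset_json, section, table="vyos_filter", family="inet"):
    """Chains in the shared table that belong to one section, identified by prefix."""
    prefix = SECTION_PREFIX[section]
    objs = json.loads(ruleset_json)["nftables"]
    return sorted(o["chain"]["name"] for o in objs if "chain" in o
                  and o["chain"]["family"] == family
                  and o["chain"]["table"] == table
                  and o["chain"]["name"].startswith(prefix))


def render_section_reload(section, existing, new_chains, table="vyos_filter", family="inet"):
    """Build one nft script: drop only this section's chains, then recreate them.

    Every chain is flushed before any is deleted, so jumps between chains of the
    same section no longer block deletion. Loaded with `nft -f`, the script is one
    atomic transaction, and chains of the other sections are never touched.
    """
    lines = [f"flush chain {family} {table} {c}" for c in existing]
    lines += [f"delete chain {family} {table} {c}" for c in existing]
    lines.append(f"table {family} {table} {{")
    for name, body in new_chains.items():
        lines.append(f"    chain {name} {{")
        lines += [f"        {rule}" for rule in body]
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    old = section_chains(SAMPLE_RULESET, "firewall")
    new = {"F_VYOS_FORWARD_filter": ["type filter hook forward priority 0; policy drop;",
                                     "ct state established,related accept"]}
    print(render_section_reload("firewall", old, new))
```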

Unknown Object (User) triaged this task as Normal priority. Sep 17 2025, 11:08 AM