[Feature Request] use nft table "opensnitch" #1260

Open
e3dio opened this issue Jan 16, 2025 · 8 comments
Labels
feature a whole new feature

Comments

@e3dio
Contributor

e3dio commented Jan 16, 2025

Summary:

Use nft table "opensnitch" to group IP rules for opensnitch in 1 table; standard practice and better organization, allows modifying and removing rules by table, like during uninstall etc. Currently the rules are mixed under generic table names "filter", "mangle"; not clear which rules belong to opensnitch.

@e3dio e3dio added the feature a whole new feature label Jan 16, 2025

@gustavo-iniguez-goya
Collaborator

Hi @e3dio ,

Why should they have a prefix? Any specific reason or just for aesthetics?

@e3dio
Contributor Author

e3dio commented Jan 16, 2025

To clearly label which tables are created and owned by Opensnitch. To avoid namespace conflicts. So every user of Linux who opens their table rules can see what tables belong to what apps. Other apps clearly label the tables they create; Opensnitch is the only thing modifying nft tables and not labeling what is theirs. Is there any reason not to label the tables maintained by Opensnitch?

@gustavo-iniguez-goya
Collaborator

There are several places that suggest using the iptables names:
This introduces several concepts. The script is made up of tables, that contain chains, that contain rules. In iptables tables also exist, but in only certain types. nftables is more flexible, in that the tables can be called anything. Convention is though to use the iptables names by default.

https://openwrt.org/docs/guide-user/firewall/misc/nftables

For now I don't plan to change it.

@e3dio
Contributor Author

e3dio commented Jan 16, 2025

Are you the only person overseeing and using this repo? Every app I've seen that uses nftables names its own tables, for good reason. OpenWrt is designed to be the only software running on that device. Workstations and other use cases share multiple applications on the same computer that can modify tables. It's best practice to label the tables you create and modify. I would like a 2nd opinion; your single link to a basic tutorial is not convincing.

@e3dio
Contributor Author

e3dio commented Jan 17, 2025

firewalld, container networking, VPN clients: all things that correctly label the tables they create with the name of what created it. Opensnitch is the only thing that provides a nondescript table name, so you have no idea what created and is maintaining that table.

@e3dio
Contributor Author

e3dio commented Jan 18, 2025

Also it appears to be best practice to create a single table for your app, like table inet opensnitch, and then name your chains to describe the hook/priority/other details, like firewalld uses table inet firewalld and chain filter_INPUT, chain mangle_OUTPUT etc. Currently Opensnitch uses 3 tables with bad generic names, presumably to match a tutorial they found on the OpenWrt website.

@e3dio
Contributor Author

e3dio commented Jan 18, 2025

Naming the table allows you to remove the table. Looks like Opensnitch does not remove its table rules on uninstall and requires a system reboot to remove them? If you name the table you just add nft destroy table opensnitch in the uninstall script.
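What the single namespaced table with hook-and-priority chain names from the two comments above could look like, as an added illustration that is not opensnitch's own ruleset; the chain types, policies and the placeholder counter rules are assumptions, and the lifecycle commands in the comments show how owning one table makes inspection and clean removal a one-liner:

```nft
# Added illustration, not opensnitch's ruleset. Everything the application
# installs lives in one table whose name says who owns it, and each chain
# name carries the hook and priority class it attaches to (firewalld style).
#
#   load:    nft -f opensnitch.nft
#   inspect: nft list table inet opensnitch
#   remove:  nft delete table inet opensnitch
#            (the family is part of the table's identity, so it must be given;
#             newer nftables releases also accept "destroy table", which does
#             not error when the table is already gone)

# Declare, then delete, so re-applying this file replaces the previous copy
# instead of appending duplicate rules. "delete" fails on a missing table,
# which is why the bare declaration comes first.
table inet opensnitch
delete table inet opensnitch

table inet opensnitch {
    # Counterpart of a generic "filter" INPUT chain, now clearly owned.
    chain filter_input {
        type filter hook input priority filter; policy accept;
        counter comment "placeholder: inbound rule (assumed)"
    }

    # Counterpart of a generic "mangle" OUTPUT chain.
    chain mangle_output {
        type route hook output priority mangle; policy accept;
        counter comment "placeholder: outbound rule (assumed)"
    }
}
```

With this layout an uninstall script only needs the single delete command above, and no other application's "filter" or "mangle" table is touched.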

@e3dio e3dio changed the title [Feature Request] add "opensnitch" to nft table names [Feature Request] use nft table "opensnitch" Jan 19, 2025