Main dnsmasq maintainer here.

I just looked at the nftables documentation, and it looks like all the
support needed to do the same sort of things we do with iptables is
there, but it would take either an nftables expert or a lot of reading
to get sufficiently familiar with the system to actually implement it.

I'd gladly accept a patch, or a paid commission to implement this.
Failing either of those, it will go on the "nice to have" list, but
given the current rate of progress, it may be some time.
On 20/12/2019 13:34, wrote:
> Many thanks for your answer.
> Is it planned to support nftables through dnsmasq? Is there a roadmap?
> iptables-legacy is unfortunately only a temporary solution.
> *Sent:* Thursday, 19 December 2019 at 17:20
> *From:* "Florent Fourcot" <>
> *To:*,
> *Subject:* Re: [Dnsmasq-discuss] dnsmasq Debian 10 ipset nftables
> Hello,
> Currently ipsets are filled through the Linux netlink interface, so it's fast
> and efficient (not like running an external command). The ipset module is an
> iptables extension and is not supported by nftables.
> nftables has the same functionality as ipset built in (no need for an
> extension), and is manageable through netlink as well. But it's not
> included in dnsmasq today.
> So if you want to change our firewall after a DNS resolution on dnsmasq,
> you still have to use iptables and not nftables (i.e. iptables-legacy on
> Debian 10).
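The setup the thread describes, written out as an added example (not code from the thread or the dnsmasq project): dnsmasq fills an ipset with the addresses it resolves for a few approved names, and an iptables-legacy rule allows outbound HTTPS only to those addresses. The set name, the domain list and the /etc/dnsmasq.d drop-in path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: dnsmasq ipset= directive plus the
# iptables-legacy rule that consumes the set (nft-backed iptables cannot).
set -eu

SET_NAME="allowed_update_hosts"                # constructed example set name
DOMAINS="deb.debian.org security.debian.org"   # constructed example domains

# Build the dnsmasq directive: ipset=/<domain>[/<domain>...]/<setname>
dnsmasq_ipset_line() {
    set_name="$1"; shift
    line="ipset="
    for d in "$@"; do
        line="${line}/${d}"
    done
    printf '%s/%s\n' "$line" "$set_name"
}

# Write a drop-in config (Debian's dnsmasq.conf reads /etc/dnsmasq.d by default).
write_dnsmasq_conf() {
    conf="$1"; set_name="$2"; shift 2
    {
        echo "# dnsmasq adds every A record it resolves for these names to the set"
        dnsmasq_ipset_line "$set_name" "$@"
    } > "$conf"
}

# Create the set and an egress allow-list rule matching it. Needs root, the
# ipset tool and iptables-legacy; -C avoids duplicating the rule on re-runs.
apply_firewall() {
    set_name="$1"
    ipset create "$set_name" hash:ip -exist
    iptables-legacy -C OUTPUT -p tcp --dport 443 -m set --match-set "$set_name" dst -j ACCEPT 2>/dev/null \
        || iptables-legacy -A OUTPUT -p tcp --dport 443 -m set --match-set "$set_name" dst -j ACCEPT
    # Show what dnsmasq has added so far (empty until a listed name is resolved)
    ipset list "$set_name"
}

if [ "$(id -u)" -eq 0 ] && command -v ipset >/dev/null && command -v iptables-legacy >/dev/null; then
    write_dnsmasq_conf /etc/dnsmasq.d/ipset-allowlist.conf "$SET_NAME" $DOMAINS
    apply_firewall "$SET_NAME"
else
    # Without root, only show the directive that would be written
    dnsmasq_ipset_line "$SET_NAME" $DOMAINS
fi
```

After restarting dnsmasq, `ipset list allowed_update_hosts` should show entries as soon as a client resolves one of the listed names; an empty set after such a lookup means the directive is not being read.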
