21.02 > 22.03 - iptables custom rules migration

Apologies if this has been covered elsewhere. I did search the forum and the web but couldn't find answers that address my specific situation.

I'm currently running 21.02 and have lots of custom iptables firewall rules, mostly for tagging connections/packets with DSCP marks, but sometimes in non-trivial ways devised over many months. Obviously at some point I will need to upgrade to 22.03, but I'm concerned about the switch from iptables to nftables and how much pain that's going to cause me.

Along with many of the core iptables features I use:

  • packet marks
  • connection marks (with masks, for storing and restoring DSCP marks)
  • hash limits (for flow rate measurements based on ports and IPs)
  • ipsets (static / dynamic / populated by dnsmasq)

I use these iptables packages/modules:

  • iptables-mod-conntrack-extra
  • iptables-mod-extra
  • iptables-mod-hashlimit
  • iptables-mod-ipopt
  • ipset
  • kmod-ipt-ipset

I've read that iptables-nft is "fully compatible" with iptables, but does that mean all of the above iptables features are still available and working in 22.03? i.e. can I just upgrade to 22.03, install these packages along with iptables-nft, and expect everything to work? I know that ipsets don't exist anymore with nftables, for example.

Whatever exists in uci firewall configuration will be migrated automatically. Custom iptables scripts in /etc/firewall.user however won't be. That being said, you might want to start migrating your custom scripts to fw3, for example marks are supported.


Thanks for the response, but I'm still not sure where I stand. I know that at some point I'm going to have to bite the bullet and learn nftables to the same extent that I know iptables, but that's not going to be trivial.

I guess the question boils down to whether iptables-nft really is "fully compatible" with iptables, i.e. can I install those iptables modules? Will they work? Will ipsets still work with iptables-nft?

I have not yet checked where custom nft rules are setup but you can translate your iptables rules to nft with https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Note the difference in compatibility in the iptables/nftables layer and in the fw3/fw4 uci firewall layer.

Even though iptables-nft would be fully compatible, you need lots of work, as the table/chain/rule structure created by the uci fw4 firewall is different from the one from fw3, so likely your iptables commands would need modifications so that they would apply to the correct chains.

Ok, that's good to know. For most of my stuff I create my own chains that hang off the base prerouting/output chains, so changes to OpenWrt's chains shouldn't affect me too much, although there are definitely a couple of scripts of mine that will need fixing.

I'm also very interested in nftables' ingress chain. Presumably this chain could be used to manipulate/restore DSCP marks on download packets before they're seen by SQM?

Also, I found this mail on the nft mailing list which indicates that iptables-nft can use ipsets, which is encouraging:

Why don't you convert your iptables rules to nftables?

Ultimately that's what I'll do.

But it's not quite that simple. I have scripts that set up the rules in a way that's non-trivial, but makes the ruleset much easier to modify and maintain - one of these scripts generates about 300 iptables rules. I can't convert those scripts without understanding the nftables syntax properly. Yes, I could export my current set of iptables rules created by the scripts and convert them to nftables, but I would effectively be throwing the scripts away and I don't want to do that.

I'm also still not sure whether nftables (or even iptables-nft) will support all the iptables functionality I'm currently using (e.g. hashlimits).

When I upgrade to 22.03 I plan to convert the iptables rules to nftables and use the results to help me learn how nftables works, and then update/rewrite the scripts, but I want to have a stop-gap solution while I'm learning. I don't want to update the router and have everything in a broken state for several days/weeks while I figure out the nftables syntax.


I just found out that apparently there's no support in 22.03 for firewall script includes - i.e. no way to have a script run at firewall restart/reload to set up custom rules. This fundamentally breaks my setup :worried:

There does seem to be script includes available, but not very obvious yet. fw4 will load all script includes after the main firewall start as long as the filename isn’t firewall.user and the include stanza has the fw4_compatible 1 option set.
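As an added example (not from this thread, and not OpenWrt's or fw4's own code), here is what a script include of the kind just described could look like for the DSCP store/restore case raised earlier in the thread, written so that it does not depend on fw4's chain layout (the point made above about fw3 and fw4 chains differing). It is a small generator in the spirit of the rule-building scripts discussed above: a constructed "proto port dscp" policy table is turned into a self-contained `inet dscp_tag` nft table with its own prerouting and output hooks, where the first packet of a flow gets its DSCP set and the class recorded in the low 6 bits of ct mark (the nft counterpart of `CONNMARK --set-xmark value/mask`), and later packets get the DSCP restored from ct mark. The path `/etc/firewall.dscp.sh`, the table name `dscp_tag` and the policy entries are all assumptions of this example; the nft syntax is mine, not taken from the page, and the script runs `nft -c` on its own output before loading it so any syntax the installed nft rejects is caught before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread and not fw4's own code.
# Intended as an fw4 post-start script include; register it in
# /etc/config/firewall (the path is a placeholder chosen for this example):
#
#   config include
#       option type 'script'
#       option path '/etc/firewall.dscp.sh'
#       option fw4_compatible '1'
#
# It builds its own "inet dscp_tag" table with its own prerouting/output
# hooks, so nothing here relies on the names of fw4's chains.

# Constructed sample policy, one entry per line: "proto port dscp_name dscp_value".
# dscp_value is the 6-bit code point kept in the low 6 bits of ct mark.
POLICY='
udp 3478 ef 0x2e
tcp 22 cs2 0x10
udp 53 af41 0x22
'

# Rules for the first packet of a flow: set the packet's DSCP and record the
# class in ct mark. Mask 0xffffffc0 leaves the upper 26 bits untouched so other
# rules can keep using them (same idea as CONNMARK --set-xmark value/mask).
emit_classify() {
    printf '%s\n' "$POLICY" | while read -r proto port name val; do
        [ -n "$proto" ] || continue
        printf '        %s dport %s ct state new ip dscp set %s ct mark set ct mark & 0xffffffc0 | %s\n' \
            "$proto" "$port" "$name" "$val"
    done
}

# Rules for later packets of an already-classified flow: restore the DSCP from
# the low 6 bits of ct mark (CONNMARK --restore-mark followed by DSCP --set-dscp
# in iptables terms). Only IPv4 headers are rewritten here; IPv6 would need
# matching "ip6 dscp set" rules.
emit_restore() {
    printf '%s\n' "$POLICY" | while read -r proto port name val; do
        [ -n "$proto" ] || continue
        printf '        ct mark & 0x3f == %s ip dscp set %s\n' "$val" "$name"
    done | sort -u
}

# Assemble a complete ruleset. The leading declare/delete pair makes the load
# an atomic replace of any previous version of the table. Both chains run at
# mangle priority, before routing, NAT and any qdisc (e.g. SQM) see the packet.
render_ruleset() {
    printf 'table inet dscp_tag\n'
    printf 'delete table inet dscp_tag\n'
    printf 'table inet dscp_tag {\n'
    for hook in prerouting output; do
        printf '    chain %s {\n' "$hook"
        printf '        type filter hook %s priority mangle; policy accept;\n' "$hook"
        emit_classify
        emit_restore
        printf '    }\n'
    done
    printf '}\n'
}

# Syntax-check the generated ruleset, then load it. On a box without nft
# (e.g. still on 21.02) nothing is applied.
apply_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "dscp_tag: nft not installed, nothing applied" >&2
        return 0
    fi
    render_ruleset | nft -c -f - || return 1
    render_ruleset | nft -f -
}

# "print" dumps the ruleset for inspection; any other invocation (fw4 calling
# the include with no arguments is assumed here) applies it.
case "${1:-apply}" in
    print) render_ruleset ;;
    *) apply_ruleset || echo "dscp_tag: ruleset not applied" >&2 ;;
esac
```

Running `sh /etc/firewall.dscp.sh print` shows the generated rules without touching the firewall, which is a convenient way to compare a script's output against the iptables rules it replaces while learning the nft syntax. Because the table hooks prerouting and output itself rather than jumping from fw4's `mangle_prerouting`/`mangle_output` chains, it survives fw4 restarts unchanged; the same file could also be dropped into `/etc/nftables.d/` as a plain `.nft` fragment, but fw4 includes those files inside its own `inet fw4` table, so the outer `table` wrapper would then have to go.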

Well that's certainly good news. Is this documented anywhere yet? The only reference I can find in the release notes just says:

The extra option which allowed to add custom iptables commands does not work any more.

And I found this post:

I learned it by following the commits and some github issues.

https://git.openwrt.org/?p=project/firewall4.git;a=commitdiff;h=11256ff0374fb594e31b0a4e3857f3810ba2933d
