22.03.0-rc1 is now on the download pages, so it'll start getting some early adopter attention (such as me).
With the switch to nftables (fw4), is there a migration guide in the works for custom rules?
My initial questions:
LuCI has two Firewall status sections in 22.03.0-rc1, Firewall (iptables) and Firewall (nftables). Should they both be there?
With previous releases using fw3/iptables, I have a custom script that installs a NAT6 rule for my ULA prefix for VPNs when forwarding via an HE tunnel: ip6tables -t nat -A POSTROUTING -s {ULA_PREFIX} -o 6in4-wan6 -j MASQUERADE
This rule in the iptables/fw3 days required kmod-ipt-nat6. Is this kernel module specific to iptables, or does it still apply for nftables? What module (if any) do I need for the equivalent nftables rule that I will put into /etc/nftables.d/<something>.nft:
Generally, any guidance on migrating custom rules, either those included in /etc/firewall.user or equivalent include rules in /etc/config/firewall, or custom rules that have extra iptables arguments (in the extra field of a rule)
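For the NAT6 question above, here is an added example (not from this thread or from the OpenWrt project) of a small script that renders the nftables equivalent of the `ip6tables -t nat -A POSTROUTING -s {ULA_PREFIX} -o 6in4-wan6 -j MASQUERADE` rule as an fw4 include file. It assumes that fw4 in 22.03 pulls `/etc/nftables.d/*.nft` into its own `table inet fw4` block (so the file holds a chain, not a table), that `fw4 check` and `fw4 reload` are available, and that the interface and prefix values are supplied by the caller; the function and file names are my own.

```shell
#!/bin/sh
# Added example: generate an fw4 include file that masquerades IPv6 traffic
# from a ULA prefix leaving via a 6in4 tunnel interface.
# Assumption: fw4 includes /etc/nftables.d/*.nft inside "table inet fw4",
# so the file must contain chain definitions only.

render_nat6_include() {
    # $1 = ULA prefix (e.g. fd12:3456:789a::/48), $2 = outgoing interface
    prefix=$1
    oif=$2
    cat <<EOF
# NAT6 for ULA sources leaving via ${oif} (generated by render_nat6_include)
chain nat6_ula_postrouting {
	type nat hook postrouting priority srcnat; policy accept;
	ip6 saddr ${prefix} oifname "${oif}" masquerade comment "NAT6 ULA -> ${oif}"
}
EOF
}

valid_ula_prefix() {
    # ULA space is fc00::/7: only accept fc../fd.. prefixes that carry a length,
    # so a typo cannot silently masquerade a global prefix.
    case "$1" in
        fc[0-9a-f][0-9a-f]:*/*|fd[0-9a-f][0-9a-f]:*/*) return 0 ;;
        *) return 1 ;;
    esac
}

install_nat6_include() {
    # $1 = ULA prefix, $2 = interface, $3 = destination file (hypothetical default path)
    dest=${3:-/etc/nftables.d/nat6-ula.nft}
    valid_ula_prefix "$1" || { echo "not a ULA prefix: $1" >&2; return 1; }
    render_nat6_include "$1" "$2" > "$dest"
    # Validate the complete generated ruleset before loading it.
    fw4 check && fw4 reload
}

# Usage on the router (not run here):
#   install_nat6_include fd12:3456:789a::/48 6in4-wan6
```

The thread later reports that `kmod-nft-nat6` is already present in the default 22.03 image, which is the module this chain relies on; `fw4 check` is run before `fw4 reload` so a syntax error in the include does not leave the firewall unloaded.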
That would be nice. Maybe there is one?
Anyway a few important points:
fw4 is not nftables. fw4 uses nftables (whereas fw3 uses iptables).
22.03.0 onwards does not have the iptables package installed by default.
The package iptables-nft is fully compatible with nftables and actually uses nftables underneath. It provides the command "iptables" so old iptables scripts can still be used.
22.03 has a bug. If you install "iptables", you would think you would get the nftables compatible version, but instead you get the old version - iptables-legacy. This will work, sort of, but can cause all sorts of problems as it does not talk to nftables, so you can get conflicts. You have to manually install iptables-nft, but be aware it is possible (incorrectly) to have both iptables-legacy and iptables-nft - very bad.
If you make sure only iptables-nft is installed (and/or ip6tables-nft if needed), then any of your iptables scripts should run without having to make any changes. If fw4 just executes custom scripts like fw3 did then it should be ok. You can install kmod-ipt-nat6 etc as required.
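To make the legacy/nft mix-up described in the reply above easy to spot, here is an added example (my own script, not from this thread or from OpenWrt) that classifies the `iptables` binary by the backend tag in its `-V` output and flags installed package combinations that pair a `-legacy` variant with a `-nft` one. The `opkg list-installed` lines it parses are constructed samples with placeholder versions.

```shell
#!/bin/sh
# Added example: detect whether "iptables" is backed by nf_tables or legacy,
# and whether both package variants are installed at once.

iptables_backend() {
    # $1 = output of "iptables -V", e.g. "iptables v1.8.7 (nf_tables)"
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

installed_backends() {
    # $1 = output of "opkg list-installed" ("name - version" per line);
    # prints the iptables/ip6tables backend packages found, sorted.
    printf '%s\n' "$1" | awk '$1 ~ /^ip6?tables-(nft|legacy)$/ { print $1 }' | sort
}

backend_conflict() {
    # Returns 0 (true) when a legacy and an nft variant are both installed.
    pkgs=$(installed_backends "$1")
    case "$pkgs" in
        *legacy*)
            case "$pkgs" in
                *nft*) return 0 ;;
            esac ;;
    esac
    return 1
}

audit_live_system() {
    # Runs the real commands on the router (not run here).
    v=$(iptables -V 2>/dev/null || echo "iptables not installed")
    echo "iptables backend: $(iptables_backend "$v")"
    pkgs=$(opkg list-installed)
    echo "backend packages:"
    installed_backends "$pkgs"
    if backend_conflict "$pkgs"; then
        echo "WARNING: iptables-legacy and iptables-nft are both installed"
        return 1
    fi
}

# Constructed samples (placeholder versions) used to exercise the functions.
SAMPLE_OPKG_CONFLICT='firewall4 - 0
iptables-legacy - 0
iptables-nft - 0
kmod-nft-nat6 - 0'

SAMPLE_OPKG_OK='firewall4 - 0
iptables-nft - 0
ip6tables-nft - 0
kmod-nft-nat6 - 0'
```

Run `audit_live_system` on the device itself; the two sample variables only exist so the classification logic can be checked without a router.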
Do the include clauses in the firewall config still work in 22.03?
such as:
# uci show firewall.@include[0]
firewall.cfg67af89=include
firewall.cfg67af89.path='/etc/firewall.user'
firewall.cfg67af89.reload='1'
Or, if include doesn't work anymore, where would one put a script (containing iptables commands or other things) to get executed when the firewall configuration is reloaded?
(answering myself) it appears that kmod-nft-nat6 is installed by default, at least it is in my imagebuilder output without me having to list it in my package list, so that rule will work without requiring additional packages. But maybe I have some other package in my list that depends on kmod-nft-nat6 indirectly?
I checked the x86_64 default build, it has kmod-nft-nat6 installed by default, so the end result is that I don't have to install anything extra to get a functioning NAT6 rule.
Tried the same syntax rules, and confirmed that include is not processed anymore, so that's something needed for migration: advice on where to put the commands that were in included files. They could be more than just iptables, it can be other things like logger or additional programs to run.