[22.03] Translate extra/raw firewall rules

I am not sure if in 22.03 you can add custom parts of nftables rules like you did in previous versions.

1 Like

OK, cool...maybe I'll test. Thanks.

EDIT: The section doesn't exist in LuCI v 22.03.

Any experience with enumerating ipsets from the UCI as before?

why you use rule 1? default config fw4 includes

chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
}

chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
}

chain output {
        type filter hook output priority filter; policy accept;
        ct state established,related accept comment "!fw4: Allow outbound established and related flows"
}

could you please elaborate where your rouge traffic is coming from which is not covered by these rules? I'm just curious.

  • Because I have inbound TCP traffic that's not Established/Related - at least in <= versions 21

All people who open a [common] TCP port have this issue - that's why we highly suggest people don't - especially to LuCI. :wink: That rule creates a Relation for any NEW packet that DOES_EQUAL SYN - SYN is the ESTABLISHMENT of a TCP connection.

I got multiple examples, but that suffices (port forwards, routed public subnets I'm forwarding onward to another firewall and therefore not "establishing/relating" any traffic, etc.).

I realize now that you mention - that all traffic might be tracked now anyway in 22+. BTW, I think your display is nearly the same as the old rule pre-22 rules, no difference.

Also rule 1 was based on SYN, see this regarding the built-in SYN-Flood button: Syn flood protection for FORWARD?

You can add custom nftables rules via includes inserted before or after default rules in fw4 chains.

Also see the local readme at /usr/share/nftables.d/README

1 Like

there is this topic https://forum.openwrt.org/t/firewall4-nftables-tips-and-tricks/
the very first comment is about how tcp flags are handled for example. but there are many other tips. check it if you have not done so.

1 Like

All:

This is version 22.03.

  • @trendy It seems I can translate Nos. 2 and 4 into UCI? it seems there was already a UCI syntax I never used - instead I made the argument calls thru extra
config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option name 'xyz_www'
	option family 'ipv4'
	option dest_port '80'
	option src '*'
	option limit '25/minute'
	option limit_burst '100'
	option dest 'xyz'
	list dest_ip 'xx.xx.xx.xx'
  • I think No. 3 can be translated into a burst rule
  • No. 5 basically says "do not allow the same SRC IP to have more than 3 established connections" - I may omit this if there's no simple UCI translation (this rule is not open at port 22 and keys are used anyway, it takes packets from another redirect and then applies those rules seen)
  • Raw rules can be translated and appended as suggested
  • My concern regarding No. 7 is that it prevents nested routing by malicious or misconfigured peers on that tunnel, if the decapsulated datagram inside the tunnel is read by the Kernel again before the firewall applies it as a new packet to be forwarded - a raw rule in iptables prevented these resources from being used. I'll have to test this behavior with fw4
  • No. 8 was to mitigate the TTL Expiry Attacks - I'll look into translating those - as a Raw rule was needed to stop the downstream Kernels and itself from transmitting the corresponding ICMP messages indicating the successful attack

But... @dave14305 - The wiki says

The iptables rules generated for this section rely on the state match which needs connection tracking to work.

It seems outdated. It also says "fw3" in certain sections I'm trying to reference. Also, "extra" and "burst" still exists in the documentation (which has to be iptables/fw3 because my rule does the same thing calling thru the extra arguments). It seems to need serious updating.

root@OpenWrt:~# iptables-translate  -t raw -A PREROUTING -m ttl --ttl-lt 7 -j DROP
iptables-translate v1.8.7 (nf_tables): Couldn't load match `ttl':No such file or directory

Try `iptables-translate -h' or 'iptables-translate --help' for more information.

?

This worked:

root@OpenWrt:~# iptables-translate  -t raw -I PREROUTING -p <x_proto> -i tunl0 -j DROP
nft insert rule ip raw PREROUTING iifname "tunl0" ip protocol <proto_name> counter drop

Now, is the file still /etc/firewall.user?

Also...

The translations I'm seeing in that thread are not what iptables-translate gives me. This one for example:

I get for the same example:

root@OpenWrt:~# iptables-translate  -A POSTROUTING -o eth2 -t mangle -j TTL --ttl-set 64
iptables-translate v1.8.7 (nf_tables): unknown option "--ttl-set"
Try `iptables-translate -h' or 'iptables-translate --help' for more information.

So, this thread and the "main" thread for this says use the translation tool...?

Is this a UCI example, or is this the pre-stuff scripted into the fw4?

If it's UCI, can you show the syntax?

So I upgraded one of my major devices to 22.03.0 (the one with most of these rules).

This is a big no. This config:

config rule
        option name 'Drop-Bogons_In_WAN'
        option src 'wan'
        option family 'ipv4'
        option proto 'all'
        option ipset 'bogons'
        option target 'DROP'

config ipset
        option name 'bogons'
        option storage 'hash'
        option match 'src_net'
        list entry '0.0.0.0/8'
        list entry '10.0.0.0/8'
        list entry '100.64.0.0/10'
        list entry '127.0.0.0/8'
        list entry '169.254.0.0/16'
        list entry '172.16.0.0/12'
        list entry '192.0.0.0/24'
        list entry '192.0.2.0/24'
        list entry '192.168.0.0/16'
        list entry '198.18.0.0/15'
        list entry '198.51.100.0/24'
        list entry '203.0.113.0/24'
        list entry '224.0.0.0/4'
        list entry '240.0.0.0/4'

Results in:

Section @ipset[3] (bogons) option 'storage' is not supported by fw4

How do others create lists of IPs and filter against them in the version 22 firewall ?

(e.g. I have a malware ipset that's ~1M IPs/ranges big, another that is used to allow the IPs...meaning that traffic is not working at this time)

I'm guessing people use /etc/rc.local now (which was advised against in previous versions). But this also means that a firewall reload will erase it. Is this correct?

Just remove the storage option from the definition. It should then create just fine.

It's preferred to use include files to take advantage of nftables' atomic rule replacement, but if you instead want to add nft add rule inet fw4 ... commands to a script, you can still use firewall.user as long as you add the fw4_compatible flag in the uci config for the include (this is mentioned in the wiki).

1 Like

Oh duh - thanks...I tested on the bogon, it works.

But how do I list/add/flush it by CLI?

(I'll need to alter scripts for the other sets - they won't be pre-populated and are dynamic using cron or triggered by a daemon calling the script upon an action.)

nft insert rule ip raw PREROUTING iifname "tunl0" ip protocol <proto_name> counter drop

Error: Could not process rule: No such file or directory
insert rule ip raw PREROUTING iifname tunl0 ip protocol x counter drop
               ^^^
Include '/etc/firewall.user' failed with exit code 1

I'm not sure what I'm missing here - same on the CLI when I actually attempt to enter the translated rule.

Should it be a *.nft file?
Is there an nft raw module?
Is there some module too for TTL in the link from the FW4 Tips/Tricks thread?

nft insert rule inet fw4 raw_prerouting iifname…

See the new chain structure available by running nft list chains or nft list ruleset

You can add elements to a named set with nft add element inet fw4 bogons { 192.168.1.4 }

1 Like

Wow...

That's a whole new syntax...

OK...this syntax is not what's found online.

Using this reference: https://wiki.nftables.org/wiki-nftables/index.php/Sets

root@OpenWrt:~# nft list set ip filter bogons
Error: No such file or directory
list set ip filter bogons
            ^^^^^^
  • How does one list?
  • How does one flush?
  • How does one delete?
  • How does one query?

(A link to a working wiki will also be OK.)

nft list set inet fw4 bogons

ip is the table type and filter is the example table name from the wiki. With firewall4, you would always use inet fw4 instead of ip filter. filter has no special meaning in this context except as the chosen name for the table by the wiki author.

1 Like

nft add rule inet fw4 raw_prerouting ip6 hoplimit \< 7 drop
nft add rule inet fw4 raw_prerouting ip ttl \< 7 drop

At the command line you need to escape the less-than character.

1 Like

:partying_face:

OK...

I got list and add...

nft list set inet fw4 bogons
nft add element inet fw4 bogons { 192.168.1.4 }

nft flush set inet fw4 bogons
nft delete element inet fw4 bogons { 192.168.1.4 }
nft get element inet fw4 bogons { 192.168.1.4 }

(for other's reference)

Thanks!

EDIT: :frowning_face: My router has booted, the scripts are translated...but they're taking longer than when I used iptables before switching to ipset. In fact, calculating, the one with 1 M + entries - could take 4 hours to 1.5 days to finish (compared to one that took about 70 seconds on ipset - it ran for 16 minutes). And it's taking multiple cores (GHz) to process. I've had to cancel it - it's taken so long, its scheduled cron began running too.

(I'm calculating how far in the CIDR range I see process adding the IPs - and by the script that finished.)

There's gotta be something I'm missing here.
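The slowness described above comes from one nft process and one transaction per entry. The following is an added example (not from this thread or from fw4) that builds the whole set load as a single batch and commits it with nft -f in one transaction; it assumes the set was created by fw4 from a UCI "config ipset" with match 'src_net' (so it has "flags interval" and accepts CIDRs), that the list file holds one IP or CIDR per line, and that the function names build_set_batch, load_set and in_set are mine.

```shell
#!/bin/sh
# Bulk-load an fw4 named set in ONE nftables transaction (added example, not the
# thread's or fw4's own code). Assumes: set exists as "inet fw4 <name>" with
# "flags interval"; list file has one IP/CIDR per line, '#' comments, blank lines.

# Emit an nft batch that flushes the set and re-adds every entry, grouped into
# "add element" statements of at most $3 entries each (default 1000).
build_set_batch() {
    set_name="$1"; list_file="$2"; chunk="${3:-1000}"
    printf 'flush set inet fw4 %s\n' "$set_name"
    awk -v s="$set_name" -v max="$chunk" '
        function emit() {
            if (n) printf "add element inet fw4 %s { %s }\n", s, e
            e = ""; n = 0
        }
        NF && $1 !~ /^#/ { e = e (n ? ", " : "") $1; if (++n >= max) emit() }
        END { emit() }' "$list_file"
}

# Apply the batch atomically: "nft -f -" reads the whole batch from stdin and
# commits it as a single transaction, so the set is never half-populated and
# there is no process spawn + transaction per entry (the slow path).
# Caveat: without the auto-merge set flag, nft rejects overlapping intervals,
# so the list must be de-duplicated and non-overlapping before loading.
load_set() {
    build_set_batch "$@" | nft -f -
}

# Membership check for scripts (exit 0 if the address is in the set), e.g.:
#   in_set bogons 192.168.1.4
in_set() {
    nft get element inet fw4 "$1" "{ $2 }" >/dev/null 2>&1
}
```

A cron job would then run `load_set malware /path/to/list.txt` after refreshing the list; to inspect the result use `nft list set inet fw4 malware`.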

If I understand you correctly, a similar stanza as in Post No. 1 (which I'm guessing is a custom script from a community member) you linked - can be used to add a rule for DROP New TCP packets in that do_not_equal SYN as I desire?

If such a handling is even needed now.

(Forgive my funky pseudocode.)

  • If so, where do you add it? (I assume that's when you place an *.nft file)
  • More importantly, where is a Wiki link to this syntax I'm seeing in that thread? (so I don't have to ask every time)

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

especially for custom config: https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes_for_2203_and_later_with_fw4

Ummm...did you mean to link a particular section of the OpenWrt wiki? (disregard, browser issue on a mobile device - I did see this section, thanks)

Also, you posted the main page to the other wiki too...

Both were already posted...

I do appreciate the time - perhaps if not much trouble, you could highlight what syntax I'm supposed to see...where the file should be placed...etc. (i.e. the inquiry)?

Following your link I see nft commands. That's not what's shown even when the developers and other show rules in that thread.

I also see about 7 locations to place an nft file, 1 way to make an nft script and a way to make a script with nft commands inside. At this point I've only seen/demonstrated the latter thanks to dave14305. I assume the thread you linked shows the former...but where's the syntax, how did they generate it from iptables-translate (which I clearly showed is not identical to what jow posted to an inquiry), etc?

I was hoping for a link that would fill-in that missing information.

In a basic question - where is the manual that's showing people to write rules with { } () :point_left: these marks.

All the wiki pages/example I see just use nft ....

Or...You can do either/or?

Note: I see how to display nft chains etc...but in iptables that display looked like iptables syntax...but the displayed output is not identical to how the Wiki is showing adding them, though...(how would you re-add the same rules being shown by others then?)

EDIT: I see the OpenWrt section tagged in the URL on a full device, thanks - just need to know where it would go (I can pick a spot, I guess "before fw4") - and more so what syntax/how it's generated

That's all you got, I'm afraid. There is no "the" guide other than the ones already linked (*).
But I think you should reset your mindset: iptables and nftables are not 1:1 mapped, there are different features in both, and only similar ones exist in the other, e.g. sets are similar but not exactly the same.
And yes, you have to learn the new syntax: start with the nftables wiki. The linked OpenWrt wiki explains how you can add custom config to fw4 via *.nft files that can be placed in different locations depending on at which point/level you want to add custom stuff. But in general you can still use the LuCI/UCI interface to create rules.

Definitely it will require effort to learn nftables, I agree it is not that obvious.

(*) I mean there are others of course, the Arch Linux one is pretty good, but I'm not aware of a detailed comprehensive guide for the iptables -> nftables transition. There is the tool which (tries to) translate iptables rules, which is also linked already.

1 Like