grosjo
March 22, 2025, 5:37am
1
Hi
How can I translate the commands below to migrate out of legacy iptables? (someone says that it is not very compatible with firewall4)
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
iptables -F
iptables -N LOGANDDROP
iptables -A INPUT -p udp --destination-port 67 -j LOGANDDROP
iptables -A INPUT -p udp --destination-port 68 -j LOGANDDROP
iptables -A INPUT -p udp --source-port 67 -j LOGANDDROP
iptables -A INPUT -p udp --source-port 68 -j LOGANDDROP
iptables -A FORWARD -p udp --destination-port 67 -j LOGANDDROP
iptables -A FORWARD -p udp --destination-port 68 -j LOGANDDROP
iptables -A FORWARD -p udp --source-port 67 -j LOGANDDROP
iptables -A FORWARD -p udp --source-port 68 -j LOGANDDROP
iptables -A LOGANDDROP -j LOG --log-prefix "iptables dropped DHCP " --log-level 7
iptables -A LOGANDDROP -j DROP
Thank you
brada4
March 22, 2025, 5:55am
2
Can you show ubus call system board output?
grosjo
March 22, 2025, 6:28am
3
brada4: ubus call system board
ubus call system board
{
"kernel": "6.6.73",
"hostname": "cpe-gateway",
"system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
"model": "KuWfi CPE830",
"board_name": "kuwfi,cpe830",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r28996-4efb4a26d2",
"target": "ath79/generic",
"description": "OpenWrt SNAPSHOT r28996-4efb4a26d2",
"builddate": "1742031870"
}
}
Same with the problem of PR https://github.com/openwrt/openwrt/issues/18187
grosjo
March 22, 2025, 6:32am
4
Is kmod-nft-bridge a replacement of kmod-br-netfilter?
brada4
March 22, 2025, 7:12am
7
Based on the difference in names - no?
grosjo
March 22, 2025, 7:12am
8
Be polite and respectful and clarify what you are trying to say
krazeh
March 22, 2025, 7:13am
9
Are these rules the kludge you put in place after ignoring the advice we tried to give you in Firewall rules between 2 LANs on the same box ?
2 Likes
grosjo
March 22, 2025, 7:17am
10
The box is connecting 2 WDS, not "WAN", no "Internet", no such thing
The script above works perfectly well
However, recent git of openwrt makes all the devices unstable and brada said that that may come from the usage of iptables
So my question is now: how to replace the above by something that is not iptables? (and please, no more insults)
1 Like
krazeh
March 22, 2025, 7:19am
11
Go and read up about nftables and then use the equivalent nft command.
Or fix your setup and use UCI config to add appropriate rules.
2 Likes
grosjo
March 22, 2025, 7:20am
12
Can't you be friendly sometimes, instead of those disrespectful comments?
krazeh
March 22, 2025, 7:25am
13
You have a history of asking questions and then refusing to accept the advice you are given. Instead arguing that you know best and that everyone is being 'hateful' or 'disrespectful' or similar.
So, no, you reap what you sow. Until you show your attitude has changed then I (and I suspect many others here) are unlikely to want to put much time or effort in.
As a starting point you could go back through that previous thread, try and implement the advice you were given there, and if that doesn't help come back to let us know what you did and where it still isn't working as you hoped.
3 Likes
krazeh
March 22, 2025, 7:29am
15
I'll take that as a no then. Good luck with your query, but don't be surprised if no-one wants to help. I'm out.
3 Likes
grosjo
March 22, 2025, 7:53am
16
I wish you a great day, Mr Perfect
brada4
March 22, 2025, 8:21am
17
I ask you to prove authorship and understanding of that ruleset by optimizing 8x shorter for iptables. Unless so respect level duly earned.
Don't let the door hit you in the back, on your way out.
1 Like
grosjo
March 22, 2025, 12:32pm
19
For the serious people looking for help, here is the solution:
nft add table bridge nodhcp
nft add chain bridge nodhcp drop67 { type filter hook prerouting priority 0\; }
nft add rule bridge nodhcp drop67 udp dport { 67, 68 } log prefix \"New DHCP packet dropped: \" drop
ppmm
March 22, 2025, 1:33pm
20
How's this:
table inet filter {
    # Define the LOGANDDROP chain
    chain LOGANDDROP {
        log prefix "iptables dropped DHCP " level debug
        drop
    }
    # Input chain
    chain input {
        type filter hook input priority filter; policy accept;
        udp dport {67, 68} jump LOGANDDROP
        udp sport {67, 68} jump LOGANDDROP
    }
    # Forward chain
    chain forward {
        type filter hook forward priority filter; policy accept;
        udp dport {67, 68} jump LOGANDDROP
        udp sport {67, 68} jump LOGANDDROP
    }
}
1 Like
He's now proposed this as a solution in multiple threads. (?)
The rule is unnecessary under normal conditions - so for others, we can't guess how, since you consider the inquiries to be "insults" and won't respond.
No insult - still 3 months later.
Edit:
Marking the OP's iptables rule as solution [in fairness and good faith] since the nft is merely a translation - which we still don't know why it's needed.
You seemed to have taken note
There is a package that will translate an iptables rule to nft, apologies if that's what you were seeking - we the…
We still dunno how the 2 LANs ended up being bridged together.
Note that the kmod-nft-bridge package is required for the proposed solution. I'm not sure if that was mentioned anywhere.
I'd say something about a forest dweller eating popcorn, but it got flagged last time and was deleted...
2 Likes
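Since the thread is about translating the first post's iptables script into nftables, here is an added example (not from the thread, nor from OpenWrt or the iptables-translate package): a small Python translator for exactly that iptables subset, emitting a bridge-family ruleset like the OP's own nft solution so that bridged DHCP frames are matched without bridge-nf-call-iptables. The table name "filter", the sample script, and the choice of priority 0 are assumptions.

```python
import shlex
# Added example, not from the thread: translate the iptables subset used in the first post
# (-F, -N, -A, -p, --source-port/--destination-port, -j LOG/DROP/<chain>) into an nftables
# ruleset in the bridge family, which sees bridged DHCP frames without bridge-nf-call-iptables.
LOG_LEVELS = {"0": "emerg", "1": "alert", "2": "crit", "3": "err",
              "4": "warn", "5": "notice", "6": "info", "7": "debug"}
HOOKS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}
PORTS = {"--destination-port": "dport", "--source-port": "sport"}
KNOWN = set(PORTS) | {"-A", "-p", "-j", "--log-prefix", "--log-level"}
SAMPLE = """iptables -N LOGANDDROP
iptables -A FORWARD -p udp --destination-port 67 -j LOGANDDROP
iptables -A LOGANDDROP -j LOG --log-prefix "iptables dropped DHCP " --log-level 7
iptables -A LOGANDDROP -j DROP"""  # constructed: the first post's ruleset, abridged

def translate_rule(argv):
    """Tokens of one `iptables -A ...` line -> (chain, nft rule text)."""
    opts = dict(zip(argv[1::2], argv[2::2]))  # every option in this subset takes one value
    if set(opts) - KNOWN:
        raise ValueError(f"unsupported options: {set(opts) - KNOWN}")
    parts = [f"{opts['-p']} {PORTS[flag]} {opts[flag]}" for flag in PORTS if flag in opts]
    target = opts["-j"]
    if target == "LOG":
        parts.append("log")
        if "--log-prefix" in opts:
            parts.append(f'prefix "{opts["--log-prefix"]}"')
        if "--log-level" in opts:
            parts.append(f"level {LOG_LEVELS[opts['--log-level']]}")
    else:  # DROP/ACCEPT become verdicts; anything else is a user chain to jump to
        parts.append(target.lower() if target in ("DROP", "ACCEPT") else f"jump {target}")
    return opts["-A"], " ".join(parts)

def translate_script(script, family="bridge", table="filter"):
    """Whole script -> nft ruleset text; lines other than -N/-A (echo, -F) are skipped."""
    chains = {}  # insertion order follows -N/-A, so the jump target is declared first
    for line in script.splitlines():
        argv = shlex.split(line)
        if len(argv) < 3 or argv[0] != "iptables" or argv[1] not in ("-N", "-A"):
            continue  # the generated ruleset starts empty, so -F has nothing to flush
        if argv[1] == "-N":
            chains.setdefault(argv[2], [])
        else:
            chain, rule = translate_rule(argv)
            chains.setdefault(chain, []).append(rule)
    out = [f"table {family} {table} {{"]
    for chain, rules in chains.items():
        out.append(f"\tchain {HOOKS.get(chain, chain)} {{")
        if chain in HOOKS:  # builtin chains become base chains hooked into the family
            out.append(f"\t\ttype filter hook {HOOKS[chain]} priority 0; policy accept;")
        out += [f"\t\t{r}" for r in rules] + ["\t}"]
    return "\n".join(out + ["}"])
```

Check the output with `nft -c -f` before loading it with `nft -f`; on OpenWrt the bridge family needs the kmod-nft-bridge package mentioned above.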