I just installed BCP38 and I noticed in the firewall section that it's displaying a warning. Anyway to implement this in NFT?
Hardware: RT3200
Firmware: OpenWRT 22.03-SNAPSHOT
Did you hit the button to see?
Certainly; there's even an in-progress PR to do so: https://github.com/openwrt/packages/pull/19387
Unfortunately it seemed the PR stalled, so pinging the author may be worthwhile? 
2 Likes
Hold on, umm.. wait. I think @tohojo is the maintainer of the package, but @ne20002 is the author of the PR to support nftables. I see the PR needs some changes to be done before the merge is approved?
Hi
yes, sorry. Didn't had time to finish it. The solution of the PR is working. I have a slightly more elegant solution in place but need to do a new PR for this.
The current PR is stalled as I need some formal changes (name, email) and I haven't looked what to do here so far.
I see if I may submit a new PR on thursday.
2 Likes
It will have defaulted to iptables-zz-legacy, a known bug.
Remove the legacy version and install iptables-nft
It should be fine then.
@bluewavenet can you help me understand you comment a little more? These are the iptables/nft packages I currently have installed:
Firmware: OpenWRT 22.03-SNAPSHOT
# opkg list_installed | egrep "iptables|nft"
iptables-mod-ipopt - 1.8.7-7
iptables-nft - 1.8.7-7
kmod-nft-compat - 5.10.152-1
kmod-nft-core - 5.10.152-1
kmod-nft-fib - 5.10.152-1
kmod-nft-nat - 5.10.152-1
kmod-nft-offload - 5.10.152-1
libiptext-nft0 - 1.8.7-7
libnftnl11 - 1.2.1-2
nftables-json - 1.0.2-2.1
xtables-nft - 1.8.7-7
You can end up with both the legacy and nft versions of iptables installed at the same time. The error you are seeing is typically the result.
What does opkg list-installed | grep iptables show?
I do have a patched ipk ready and are willing to share it. If anyone would like to test it, I appreciate it. It requires: remove any reference to bcp38 from firmware building for now (I haven't trie to just update by manual install) and install the ipk manually. It also works with the existing luci-app.
Please excuse my ignorance;
- Should additional network be added by default?
- Should automation be added to keep the list updated as it changes?
Reference: https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
My PR for bcp38 package has been accepted and merged into master. I don't know how long it takes to be available for master or if/when it will be available for 22.03. As soon as the package is available in master/snapshot it can be downloaded and installed manually.
I feel my work here is done.
3 Likes
On average, packages are built roughly daily.
22.03 would need a targeted backport, which may happen - but isn't automatic (usually one wouldn't do such a major change within a stable release, but as bcp38 is semi-broken in 22.03 without it, there would be good reason to do so after a little testing in master).
Have a look here:
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.