Build v24.10.2 with iptables

take the example of a Western Digital My Net N750

get default config
wget https://downloads.openwrt.org/releases/24.10.2/targets/ath79/generic/config.buildinfo -O .config

make menuconfig

Target Profile (Multiple devices)  --->
    select your device, 'Western Digital My Net N750'

Base system  --->
    N to  < > firewall4

Network  --->
    Firewall  --->
        N to
            < > arptables-nft
            < > ebtables-nft
            < > ip6tables-nft
            < > iptables-nft
            < > nftables-json
            < > xtables-nft
        Y to
            <*> iptables-zz-legacy
            <*> ip6tables-zz-legacy (option)
Libraries --->
    N to < > libnftnl
    Firewall  --->
        N to < > libiptext-nft
Kernel modules  ---> Netfilter Extensions  --->
    N to all kmod-nft-(at bottom part), kmod-nft-core would be the last one after all other deselected
    Y to <*> kmod-ipt-offload

then you could do your customization

and finally, build the firmware
make

You can compose packages via firmware-selector web interface or imagebuilder (but not owut or luci-attendedsysupgrade) that excludes fw4 and nft and includes iptables-zz-legacy and fw3 for luci web (or juast install iptables-nft on a blank fresh OpenWrt)

Why?
Using iptables has been deprecated for many years now, but sure, it is akin to the ipv4/ipv6 thing in that the effort to migrate packages to nftables has been lacking in some cases.

If it is a case of you having to use a legacy package stuck on iptables, then as @brada4 says, make sure you have iptables-nft installed before you do anything else.

But if it is a case of "you can't teach an old dog new tricks", then do a bit of reading and a bit of experimentation. Even for an old dog like me, moving to nftables was, in actual fact, very easy.

thanks!

will try next time

To each their own

for me, the nft rule set is obscure and the ‘extra’ option in /etc/config/firewall is no longer supported, which allows finetuning the rules

You have iptables-translate for that....
Yes, include mechanism in fw4 changed upside down.

Good luck:
BOOK: https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables
Example for /etc/nftables.d/whatever.nft (it is included in table inet fw4 {} BEFORE each rule, if you define same hook priority and name it is prepended to default hook.

chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
        iif "lo" counter notrack
}

chain raw_output {
        type filter hook output priority raw; policy accept;
        oif "lo" counter notrack
}

So it is actually my latter case. Perhaps more of "I've used oil lamps all my life, there is no way I'm having that new fangled 'Lectric Light in my house".

Seriously though, a bit of reading and a bit of experimentation and you will get up to speed (@brada4 has given you some pointers). I went through this myself a few years ago, so I know.

You can of course go in the full on legacy direction via what will very quickly amount to your own OpenWrt fork. As you said:

Worth noting we can help to convert messy rulesets, even if people run shorewall or ufw savefile believing it is fw3

the key is that nft is not so ‘brighter’ compare to iptables.

the iptables is sufficient for now and I did not feel like using candle in modern time

The horse is here to stay, but the automobile is only a novelty – a fad.

You are either suffering from terminal laziness or are looking for a quick fix while re-developing your application packages.

If it is the latter, your build with iptables is a valid short term approach, but merely adding iptables-nft instead would be a much more efficient way, supporting your application as well as being able to co-exist with all modern packages.

thanks to point out

it is sad that why there is no iptables like UI and underline is FW4

BTW

nft syntax is against the trends of modern programing/command, it’s strange why this kind syntax show up in 21st century. It’s like back to the early Unix/Linux/dos time, like the commands cd, ls, sed, grep and umount in Unix/Linux. But Unix at that time has the reason to do so since the system only has xxKB or so memory.

while modern language/command syntax is tend to be easy to understand and error-free format, that why python etc. are getting popular.

Why nft/fw4 does not do the same as Linux when it becomes the replacement of the Unix, keep the UI unchanged

updates

this way works

however, it is not ‘clean’ as the compiled one. it will include the following extra nft packages even it is not used when the dnsmasq-full package (to support DNSSEC and other functionality) is included

kmod-nft-core

libnftnl11

nftables-json(which contain nft command)

also, the nft related kernel module will be loaded unless you comment them out in file /etc/modules.d/nft-core

the system behaved the same regardless the nft related kernel modules loaded or not

They do nothing if you do not enter rules via nft or ip?tables-nft.
fw4 and nftables-json (other option being firewall aka fw3) adds -nft- kmods as dependency.
On the other hand iptables-nft requires -ipt- kmods for syntax parsing, some syntax parsers come as extension libraries without needing dual purpose serving kmod-ipt- kmod-xt- -s

I would still recommend going with iptables-nft-restore in rc.local and slowly moving to fw4

Calling nftables syntax “against modern trends” is like complaining that C is against modern programming trends because it doesn’t look like Rust or Python.

It’s solving a different problem at a different level.

The syntax is unconventional and takes getting used to, but it’s a huge engineering advance over the iptables mess, and it’s perfectly appropriate for what it’s trying to be: the universal, high-performance packet filtering language for Linux in the 21st century.

You are basically saying “I don’t like the look of assembly language in 2025” while standing in the kernel networking subsystem. It’s a category error.

nftables wins on:

• Everything lives in one tool and one file
• No more table/chain ordering surprises (-t nat vs filter)
• Built-in support for sets, maps, meters, verdicts maps, etc.
• Atomic replace (nft -f) without flushing
• Much better IPv4+IPv6 unification

Yes, the syntax looks “weird” if you’re used to iptables, but it’s vastly more logical and powerful once you get past the initial shock.

you totally misinterpreted the order, it is C → python → rust, that’s the normal order.

As you are saying, more people are joining the python/rust, leaving obscure and hard to understanding C and assembler, although they are necessary in some case like boot loader, embedded and OS (for efficiency)

what I meant in last reply is that if we already have python and Rust, and some one propose the C-like language, this is the order what we discuss now from iptables to nft

that’s what I said, this way is not a straight forward.

I do like a tool to accept the iptables-like syntax and translate it into fw4 internal rule.

iptables-nft is the way to go. Then look at nft ruleset and transfer nft rules to fw4 includes (can be configured or added as the files in directories)

I did not say that at all. You must choose how you program based on your environment. Here we are down in the core of an operating system, not a highly abstracted user application.

But as an "old dog that doesn't want to learn new tricks", you can do whatever you like to avoid learning something new.

FYI. Here is a short but useful comparison: