Confusion about mwan3 dependencies for v24.10

Hi,

tl;dr, could someone confirm for me that both iptables-nft and iptables-zz-legacy should be installed? I'm curious why the dependencies are not set so it's always right.

I'm installing mwan3 on OpenWrt 24.10.1 but I'm unsure/confused about ip?tables-nft. The version 24.10 is not mentioned on https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3 so I'm unsure if having to install iptables-nft still applies. For brevity, wherever I write iptables-*, I mean iptables-* and ip6tables-*. I did some quick tests and it seems to work without.

I saw in mwan3 dependencies that there is:
iptables-nft (10.00 KiB) | iptables-zz-legacy (10.00 KiB)

I'm not sure what iptables-zz-legacy is. The doc (the page mentioned above) doesn't say if iptables-nft has to be installed after or before mwan3. I did some tests and noticed that if mwan3 is installed along with either iptables-nft or iptables-zz-legacy then there is a "Legacy rules detected" warning on the .../status/nftables page.

Yes, iptables-nft is better and should be installed before or at the same time as mwan3, not after.

Both packages offer the "iptables" command, but the difference is the backends. iptables-nft shares the modern nftables backend with fw4 (the OpenWrt firewall framework), and all calls to "iptables" will be transparently translated to nftables.

iptables-zz-legacy implements the command using the legacy "iptables" backend. This backend is not compatible with nftables or fw4 at all; it brings its own kernel modules and filtering code, etc.

If you install the latter, you will have several filtering modules running simultaneously and without one being aware of the work of the other. I was using mwan3 like this without realizing it and had multiple bugs with packet filtering or SNAT/DNAT handling.

1 Like

Absolutely NOT. This would cause so many problems, even to the point of kernel crashes in some cases.

The root of the problem is a bug in OpenWrt, where:

  1. if a legacy package has a dependency on iptables, the package iptables-zz-legacy is installed.
  2. If a legacy package, as a workaround, has had its dependency changed to iptables-nft, then iptables-nft gets installed.
  3. If two packages, one type 1 in this list, the other type 2 in this list, get installed, you end up with BOTH iptables-zz-legacy AND iptables-nft, resulting, at best, in things not working properly and, at worst, in a crash.

The bug is because a generic dependency on iptables defaults to the "zz" version being installed.

This is an indication that a "zz" version is installed and being used - remove ALL "zz" packages, replacing with the "-nft" versions.

This can be mitigated by ensuring you always pre-install the iptables-nft package.

Note: This also applies to iptables siblings (xtables, ebtables, ipv4 and ipv6 versions).

To see previous discussion:

Edit:
Here is the relevant section from the mwan3 makefile:

define Package/mwan3
   SECTION:=net
   CATEGORY:=Network
   SUBMENU:=Routing and Redirection
   DEPENDS:= \
     +ip \
     +ipset \
     +iptables \
     +IPV6:ip6tables \
     +iptables-mod-conntrack-extra \
     +iptables-mod-ipopt \
     +jshn

It has iptables and ip6tables as dependencies.
This results in iptables-zz-legacy and ip6tables-zz-legacy being installed unless the -nft versions are pre-installed.

Also, it has ipset as a dependency.
OpenWrt, post nft migration, no longer supports configuration of "REAL" ipset; instead it does a weird emulation of the legacy ipset, using nftsets, lulling the unsuspecting into thinking the mwan3 ipset is configured - it will not be. There is no way round this other than doing manual ipset commands in a terminal or script.

In addition, Dnsmasq has been compiled so it no longer supports legacy ipsets, instead it uses the pseudo ipsets fw4 emulates. There is no way round this either, other than compiling your own custom version of Dnsmasq.

^^TL;DR:
In summary, it's a mess. I'm not surprised people get confused.

2 Likes
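As an added example (not code from the thread, nor from the mwan3 or OpenWrt projects), here is a small POSIX sh check for the situation the thread describes: a "-zz-legacy" package installed on an fw4 box, possibly next to its "-nft" counterpart. It reads a package list in the `opkg list-installed` format ("name - version" per line) from stdin, so it can be run as `opkg list-installed | sh iptables_backend_check.sh` on a router or, as here, on a constructed sample list. The version strings in the sample are placeholders; the `suggest_fix` output mirrors the thread's advice (install the -nft package first so the generic iptables dependency stays satisfied, then remove the zz package) and is printed, not executed.

```shell
#!/bin/sh
# Added example, not from the thread or the mwan3/OpenWrt projects.
# Detects the iptables backend mix-up discussed above: any "*-zz-legacy"
# package installed, and the worse case where it sits beside its "-nft" twin.

# check_backends: read "name - version" lines from stdin.
# Prints one line per finding. Returns 0 when no legacy backend package is
# installed, 1 when at least one is (with or without the -nft counterpart).
check_backends() {
    legacy_bases=""
    nft_bases=""
    while read -r name _rest; do
        case "$name" in
            # e.g. iptables-zz-legacy -> base "iptables"
            *-zz-legacy) legacy_bases="$legacy_bases ${name%-zz-legacy}" ;;
            # e.g. iptables-nft, ip6tables-nft, xtables-nft, ebtables-nft
            *tables-nft) nft_bases="$nft_bases ${name%-nft}" ;;
        esac
    done
    [ -z "$legacy_bases" ] && return 0
    for base in $legacy_bases; do
        both=no
        for n in $nft_bases; do
            [ "$n" = "$base" ] && both=yes
        done
        if [ "$both" = yes ]; then
            echo "CONFLICT: ${base}-nft and ${base}-zz-legacy are both installed"
        else
            echo "LEGACY: ${base}-zz-legacy is installed (legacy backend, not fw4/nftables)"
        fi
    done
    return 1
}

# suggest_fix BASE...: print the opkg steps the thread recommends for each
# tool base name: install the -nft package first (it provides the generic
# "iptables" dependency), then remove the -zz-legacy package.
suggest_fix() {
    for base in "$@"; do
        echo "opkg install ${base}-nft"
        echo "opkg remove ${base}-zz-legacy"
    done
}

# Demo on a constructed package list (versions are placeholders) resembling a
# box where mwan3 pulled in the zz packages although iptables-nft was present.
demo() {
    printf '%s\n' \
        'iptables-nft - VERSION' \
        'iptables-zz-legacy - VERSION' \
        'ip6tables-zz-legacy - VERSION' \
        'mwan3 - VERSION' | check_backends || suggest_fix iptables ip6tables
}

demo
```

The check deliberately treats a lone zz package as a finding too: on a 24.10 fw4 system the legacy backend runs its own filtering next to nftables regardless of whether the -nft package is also present, which is what the "Legacy rules detected" warning on the status page is pointing at.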