Firewall in snapshot broken - next release nftables?

Hi,

I just compiled my own snapshot from the latest git repo. What is the current status of the firewall? I read some posts about migrating to fw4 and nftables?
When I create a traffic rule in the GUI there is no corresponding entry in nft list ruleset, thus the rule is not being applied and the traffic cannot flow.
I'm just wondering what the target for the next release is? Is it replacing iptables with nftables and also fw3 with fw4?

Regards
Junicast

Fw4 is nftables only, and it just got made default. From what I gathered it should be transparent, i.e. UCI config should carry over and work just like with fw3.

Do not use fw4 currently! It's only for developers and many scripts and packages are broken!
You can't even apply menuconfig currently:

tmp/.config-package.in:38805:error: recursive dependency detected!
tmp/.config-package.in:38805:   symbol PACKAGE_libxtables is selected by PACKAGE_tc-mod-iptables
tmp/.config-package.in:109628:  symbol PACKAGE_tc-mod-iptables is selected by PACKAGE_tc-tiny
tmp/.config-package.in:109641:  symbol PACKAGE_tc-tiny is selected by PACKAGE_sqm-scripts
tmp/.config-package.in:1243:    symbol PACKAGE_sqm-scripts depends on PACKAGE_libxtables
For a resolution refer to Documentation/kbuild/kconfig-language.rst
subsection "Kconfig recursive dependency limitations"

So the workaround for that is to not install SQM initially and then install it manually, either by using the --force-depends argument or completely manually following the instructions on https://github.com/tohojo/sqm-scripts, and then some parts of sqm will not work, but piece_of_cake.qos/cake should still work.


I don't know if this belongs here - but I just upgraded to OpenWrt SNAPSHOT r18729-8c1d5129ee / LuCI Master git-22.025.79016-22e2bfb (most current as of Jan 4) from stable 21.02.1, and it didn't seem to be loading my firewall rules.

# /etc/init.d/firewall restart
Section @forwarding[1] references src IoT restricted to IPv4 and dest restricted to wan, ignoring forwarding
Section @forwarding[2] references src Guest restricted to IPv4 and dest restricted to wan, ignoring forwarding
Section @forwarding[3] references src lan restricted to IPv4/IPv6 and dest restricted to DMZ, ignoring forwarding
Section @rule[7] (DMZ - Default block router) is disabled, ignoring section
Section @rule[8] (DMZ - Default block LAN) is disabled, ignoring section

Examining the first error from above, the referenced config sections in my /etc/config/firewall:

...
config zone
        option name 'IoT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option family 'ipv4'
        option auto_helper '0'
        list network 'IoT'

config forwarding
        option src 'IoT'
        option dest 'wan'
...

I don't know what's wrong with option family 'ipv4', but with it removed forwarding works again.

Soo, FYI, I guess? I don't know if this warrants a bug report, or where I'd even submit a bug report. But I'm open to suggestions.

Thanks!
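A quick check for the kind of mismatch described in the post above, as an added example (not code from the thread or from OpenWrt): it parses a UCI firewall config and reports forwardings whose src and dest zones differ in address family, mirroring the "restricted to IPv4" warning. The sample config is constructed, and treating a family mismatch between the two zones as the trigger is an assumption drawn from the poster's observation, not a confirmed fw4 rule.

```python
import re

# Constructed sample (not the poster's full config): the 'IoT' zone carries the
# family restriction the post describes; 'wan' has no family option.
SAMPLE_CONFIG = """
config zone
        option name 'wan'
        list network 'wan'
config zone
        option name 'IoT'
        option family 'ipv4'
        list network 'IoT'
config forwarding
        option src 'IoT'
        option dest 'wan'
"""

def parse_uci(text):
    """Minimal UCI parser: list of (section_type, options); 'option' -> str, 'list' -> list."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        # Quoted ('...' or "...") and bare values are all accepted.
        m = re.match(r"(option|list)\s+(\S+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", line)
        if m and sections:
            kind, key = m.group(1), m.group(2)
            val = next(v for v in m.groups()[2:] if v is not None)
            if kind == "option":
                sections[-1][1][key] = val
            else:
                sections[-1][1].setdefault(key, []).append(val)
    return sections

def zone_families(zone):
    """A zone without 'option family' covers both address families."""
    fam = zone.get("family", "").lower()
    return {"ipv4": {"ipv4"}, "ipv6": {"ipv6"}}.get(fam, {"ipv4", "ipv6"})

def find_family_mismatched_forwardings(text):
    """(index, src, dest) for each forwarding whose zones differ in family; index as in '@forwarding[N]'."""
    sections = parse_uci(text)
    zones = {o["name"]: o for t, o in sections if t == "zone" and "name" in o}
    findings = []
    for idx, (t, o) in enumerate(s for s in sections if s[0] == "forwarding"):
        src, dst = zones.get(o.get("src")), zones.get(o.get("dest"))
        if src is not None and dst is not None and zone_families(src) != zone_families(dst):
            findings.append((idx, o["src"], o["dest"]))
    return findings
```

Run it against a copy of /etc/config/firewall to list the forwardings worth re-checking after removing or aligning `option family` on the zones involved.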

/etc/firewall.user is not executed anymore, even with iptables-nft installed. Is that intentional? @jow

Will look into it tonight

Custom rules feature depends on iptables command line parser and as such will never be compatible with nftables. No idea if there is a plan to replace it, e.g. by allowing JSON-formatted nft rules being added in a similar way.

from Belkin RT3200/Linksys E8450 WiFi AX discussion - #1484 by daniel

Additionally, there is a new bug introduced in openwrt: if you installed only "legacy"/fw3, the 6 iptables commands are missing, as the links are only created with the -legacy postfix.
A good distribution would create these links to -legacy OR -nft ALWAYS, depending on the user selection.

Fixed with
