Firewall4 is now default... is this totally transparent to users?

iptables-nft should seamlessly convert and apply most vanilla iptables rules, but that probably does not work for more exotic rules.

There is the PR tracking the conversion of packages from iptables to nftables...

1 Like

So, uhmm, did FW4 being defaulted silently remove the /etc/firewall.user file, or did I just miss the warning along the way?

1 Like

Yes, /etc/firewall.user got silently removed. It is trivial to add it back, but I'm not sure how much sense it would make. Since fw4 uses a different internal chain structure (and does not use iptables at all), many preexisting scripts likely won't work at all.

Maybe we can add it back but let it point to another path, like /etc/nftables.user? I haven't really formed an opinion on that yet.

2 Likes

I thought /etc/nftables.d/10-custom-filter-chains.nft was the replacement for firewall.user?

Not directly, firewall.user is basically a shell script that can call any command besides iptables, it's like /etc/rc.local but always invoked when the firewall is reloaded instead of once on boot.

The /etc/nftables.d/* includes on the other hand only accept nftables syntax, you can't use them to execute shell commands and the like.

1 Like

So I have been using /etc/firewall.user in the past for quick and dirty experiments/measurements, like clamping MSS to specific values to allow measuring routing performance with a saturating load of small(er) packets, which was pretty easy with firewall.user, although I was only using iptables. My understanding was that this works because it is called after the rest of firewall3 was loaded and hence simply overrode the default MSS clamping configuration for clamped zones.
This was/is helpful, because few servers on the internet allow specifying packet sizes for tests (iperf3 for example should allow that at least for UDP, but I have not yet found a server that actually played along, while MSS clamping even to small values works well with a multitude of existing speedtest servers).

I'm building the latest OpenWrt on my own; it seems the latest builds are somehow broken due to firewall4. Even if I deselect that and build firewall3, I still can't get back to the original state. Can someone please advise what I have wrong in my config, and what else I have to deselect to use only firewall3, until all packages are compatible? Thank you.

I will check this first based on this list probably (where =y):

Selects: PACKAGE_kmod-nft-nat6 [=n] && PACKAGE_nftables-json [=y] && PACKAGE_ucode-mod-fs [=y] && PACKAGE_kmod-nft-core [=y] && PACKAGE_kmod-nft-fib [=n] && PACKAGE_ucode [=y] && PACKAGE_ucode-mod-ubus [=y] && PACKAGE_librt [=y] && PACKAGE_ucode-mod-uci [=y] && PACKAGE_libc [=y] && PACKAGE_libpthread [=y] && PACKAGE_kmod-nft-offload [=n] && PACKAGE_kmod-nft-nat [=n]
3 Likes

@jow
Uhm, I noticed if I have "drop invalid packets" checked, it blocks connection attempts on the second try.
Not sure if this is a fw4 thing or if the same happens with fw3.

Say I connect locally using ssh to a wifi client running Linux; it works right. But if I try to do it again, the connection attempt doesn't come through and is blocked for like 5 minutes.
It also drops pings if you abort it and try to ping again.

There's no issue if I leave "drop invalid packets" unchecked.

Please add it back as nftables.user :)

1 Like

Why does firewall4 depend on IPV6=y?

Hi all.

Is there any way to put an IPv4 subnets definition into /etc/nftables.d/10-custom-filter-chains.nft? It seems to me that this file is not a full-fledged nftables config like /etc/nftables.conf.

I tried to put it at the top of the file before any chain; it obviously did not work.

The includes in /etc/nftables.d/ are included within the table inet fw4 { ... } scope, which somewhat limits what you can do in there (e.g. no defines, I believe).

Could you describe in more detail what you tried exactly? Maybe there's another way to achieve it.

Basically it is censorship circumvention. I need to NAT REDIRECT traffic to some IPv4 subnets on HTTP(S) ports into a local program.
Behaviour similar to vpnbypass/vpn-policy-routing/pbr.

That means that:

  1. After firewall startup or restart I need to prepend NAT PREROUTING rule which refers to IPv4 subnets definition.
  2. In /etc/rc.local external script will add IPv4 subnets into this definition.

Actually, I got two shitty solutions in mind.

First one:

  1. Forget about /etc/nftables.d/10-custom-filter-chains.nft.
  2. Hook into either /etc/init.d/firewall or /sbin/fw4 and create my rules there.

Second one:

echo 'include "/etc/nftables-root.d/*.nft"' >> /usr/share/firewall4/templates/ruleset.uc

The great thing about nftables is that you can have multiple tables; in contrast to fw3/iptables, you do not need to hook into the firewall to create your own rules. You can simply create your own table with your own chain hooks having a lower priority than the fw4 ones. The fw4 framework will not touch your custom table, and it'll not be affected by firewall reloads, uci modifications, etc.

Furthermore, I suggest having your rules use a named nft set (comparable to an ipset in iptables) and then having your external script just manage the subnet entries within this named set, instead of dynamically modifying the ruleset all the time.

Thanks, I am using nft -f /var/nftables-userfw.conf in /etc/rc.local now,
where /var/nftables-userfw.conf contains my table
with my chains
and my hooks with priority -1.

@jow @anomeome @shelterx @moeller0
To include a script from /etc/config/firewall, add option fw4_compatible '1', e.g.

config include
	option fw4_compatible '1'
	option path '/etc/firewall.user'

The user is responsible for adapting his script to use nft.
Unfortunately this does not restore the Custom rules page in LuCI. It would be nice if someone fixed that. If I compile with firewall4 unchecked, the page is still available.
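One way to combine the two approaches from this thread, jow's advice to keep custom rules in a separate table with a named set managed by an external script, and the fw4_compatible include above, is a firewall.user written for nft that can be run on every fw4 reload without duplicating rules or emptying the set. This is an added example, not code from the thread or from the firewall4 project. The table name inet userfw, the set name dst_subnets, the listener port 3129, the subnet file /etc/userfw.subnets and the assumption that fw4's own dstnat chain hooks prerouting at priority -100 are all mine; check the last one against nft list ruleset on your build.

```shell
#!/bin/sh
# Hypothetical /etc/firewall.user for fw4, referenced from /etc/config/firewall by a
# "config include" with option fw4_compatible '1'. Added example, not OpenWrt code.
# Everything lives in its own table ("inet userfw"), so fw4 reloads never touch it.

USERFW_TABLE="inet userfw"                 # our table, separate from "inet fw4"
USERFW_SET="dst_subnets"                   # named set an external script manages
USERFW_PORT="${USERFW_PORT:-3129}"         # assumed local listener for redirected traffic
USERFW_SUBNET_FILE="${USERFW_SUBNET_FILE:-/etc/userfw.subnets}"
# Assumption: fw4's dstnat chain hooks prerouting at priority -100, so -101 runs
# before it (a "lower priority than the fw4 ones", as jow puts it).
USERFW_PRIO="-101"

# Validate one IPv4 CIDR (a.b.c.d/n) before it reaches nft. Returns 1 on bad input,
# so an untrusted or mistyped line in the subnet file cannot break the transaction.
valid_cidr4() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;   # only digits, dots and exactly one slash
        */*) ;;
        *) return 1 ;;
    esac
    addr="${1%/*}"; plen="${1#*/}"
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr                               # split the address into octets
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Idempotent ruleset: "add" is a no-op for an existing table/set/chain, and the chain
# is flushed before its rule is re-added, so repeated runs neither duplicate the rule
# nor drop the elements already in the named set.
userfw_ruleset() {
    cat <<EOF
add table $USERFW_TABLE
add set $USERFW_TABLE $USERFW_SET { type ipv4_addr; flags interval; }
add chain $USERFW_TABLE redir { type nat hook prerouting priority $USERFW_PRIO; policy accept; }
flush chain $USERFW_TABLE redir
add rule $USERFW_TABLE redir ip daddr @$USERFW_SET tcp dport { 80, 443 } counter redirect to :$USERFW_PORT
EOF
}

# Build the "add element" command for a whitespace-separated list of subnets.
# Prints nothing and returns 1 if any entry is invalid (all-or-nothing by design).
subnet_elements() {
    list=""
    for s in $1; do
        valid_cidr4 "$s" || return 1
        list="${list:+$list, }$s"
    done
    [ -n "$list" ] || return 1
    printf 'add element %s %s { %s }\n' "$USERFW_TABLE" "$USERFW_SET" "$list"
}

# Apply everything as one transaction: nft -f parses the whole script first and
# commits atomically, so the ruleset is never left half-applied.
userfw_apply() {
    {
        userfw_ruleset
        if [ -r "$USERFW_SUBNET_FILE" ]; then
            subnet_elements "$(cat "$USERFW_SUBNET_FILE")" ||
                echo "userfw: invalid entry in $USERFW_SUBNET_FILE, set left unchanged" >&2
        fi
    } | nft -f -
}

# fw4 executes this file by its configured path on every reload; when the file is
# sourced or run under another name, only the functions are defined.
case "$0" in
    */firewall.user) userfw_apply ;;
esac
```

The external script from the thread then only needs nft add element inet userfw dst_subnets { ... } (or the subnet_elements helper above piped into nft -f -) and never has to touch the chains; nft list set inet userfw dst_subnets shows what is currently redirected.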

To be on the safe side, I moved some of my complex rules to /etc/nftables.d/20-my-rules.nft. Then I created an init.d script with nft calls for the tarpit.
The only rule I couldn't convert to nft is iptables -A input_tar_rule -p tcp -j TARPIT. Any idea how to add TARPIT or chaos tables from nft? Listing the rules returns a comment:
meta l4proto tcp counter packets 375688 bytes 16161412 # xt_TARPIT

Fortunately the tarpit works, and LuCI doesn't complain about my only iptables rule.