As I reported previously here, I upgraded from firewall (iptables) to firewall4 (nftables) and it did not work.
Basically after the upgrade (preserving settings) firewall did not start, causing all devices in the network to lose Internet connectivity. At that moment I did not have time to further investigate the issue, and I rolled back to iptables.
Well, today I have some spare time and I decided to further investigate the issue. The root cause is actually two configurations in my previous firewall configuration file that broke firewall4:
- Some months ago I replaced my OpenVPN server by Wireguard. The following configuration was a leftover from the OpenVPN server. While it did not affect the original firewall, it does break firewall4 and causes its failure:
config zone 'lan'
(...)
list device 'tun+'
(...)
- My router (Archer C6 v3.2) is an mt7621 device. I was using hardware flow offload. However the current firewall4 does not support this configuration, and adding option flow_offloading_hw '1' to the /etc/config/firewall file causes firewall4 to stop working:
config defaults
(...)
option flow_offloading_hw '1'
(...)
Error when using this configuration:
root@ap1-router:/etc/config# fw4 restart
/proc/self/fd/0:9:12-13: Error: Could not process rule: Not supported
/proc/self/fd/0:54:29-44: Error: Could not process rule: No such file or directory
Is there already a topic in the Developers section where I can report this?
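The following pre-flight check is an added example, not code from the post above or from the OpenWrt project. It scans a UCI firewall config file (the /etc/config/firewall format shown in the post) for the two settings the post identifies as breaking fw4 after a migration: a wildcard interface such as 'tun+' in a zone's device list, and flow_offloading_hw '1' in the defaults section. The sample config it writes is constructed for the demonstration; the function name check_fw4_compat and the output format are assumptions of this example. Run it against a copy of the config before switching firewall packages; a non-zero exit status means one of the two settings was found.

```shell
#!/bin/sh
# Added example (not OpenWrt project code): flag firewall settings that the
# post above reports as fatal for fw4 (firewall4/nftables).
# Usage: check_fw4_compat /etc/config/firewall
# Prints one line per finding; exit status 0 = nothing found, 1 = findings.

check_fw4_compat() {
    cfg="$1"
    found=0
    section="(none)"
    while IFS= read -r line || [ -n "$line" ]; do
        # UCI lines are tab-indented; strip leading whitespace for matching
        t=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$t" in
            # Remember which section we are in, e.g. "defaults" or "zone lan"
            config\ *)
                section=$(printf '%s' "$t" | sed "s/^config *//; s/'//g; s/\"//g")
                ;;
            # Wildcard device names (iptables-style "tun+") are not accepted by fw4
            "list device '"*"+'"|"list device \""*"+\"")
                printf 'WILDCARD_DEVICE section=%s: %s\n' "$section" "$t"
                found=1
                ;;
            # Hardware flow offloading is reported as unsupported by fw4
            "option flow_offloading_hw '1'"|"option flow_offloading_hw \"1\""|"option flow_offloading_hw 1")
                printf 'HW_OFFLOAD section=%s: %s\n' "$section" "$t"
                found=1
                ;;
        esac
    done < "$cfg"
    return $found
}

# Constructed sample config reproducing both problem settings from the post
write_sample_config() {
    cat > "$1" <<'EOF'
config defaults
	option input 'ACCEPT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone 'lan'
	option name 'lan'
	list device 'tun+'
	list device 'br-lan'
EOF
}

# Stand-alone demo against the constructed sample
demo_file=$(mktemp)
write_sample_config "$demo_file"
if check_fw4_compat "$demo_file"; then
    echo "no fw4-incompatible settings found"
else
    echo "fix the settings above before migrating to firewall4"
fi
rm -f "$demo_file"
```

Only the two settings named in the post are checked; the script does not validate anything else in the file, so a clean result means just that these two known breakers are absent.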