You can also change your luci feed to
src-git luci https://github.com/asvio/luci.git;luci-main-vht-nss
@asvio Thanks for this Luci branch, I've changed to it in my feeds.config
and now the colours are what I want them to be and with proper vht and firewall web pages.
@sqter About the Firewall -> Legacy rules detected
Probably the depends of the kmod-qca-nss-ecm-standard should be fixed as it was discussed earlier in the thread.
In kernel 6.6 build
root@R7800:~# apk info --all kmod-qca-nss-ecm-standard
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 description:
This package contains the QCA NSS Enhanced Connection Manager
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 webpage:
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 installed size:
1092 KiB
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 depends on:
iptables-mod-physdev
kernel=6.6.83~bce93d96cf540754e78c476af1227aae-r1
kmod-ipt-physdev
kmod-nf-conntrack
kmod-ppp
kmod-pppoe
kmod-pptp
kmod-qca-mcs
kmod-qca-nss-drv
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 provides:
kmod-qca-nss-ecm
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 is required by:
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 contains:
etc/config/ecm
etc/firewall.d/qca-nss-ecm
etc/init.d/qca-nss-ecm
etc/sysctl.d/99-qca-nss-ecm.conf
etc/uci-defaults/99-qca-nss-ecm
lib/apk/packages/kmod-qca-nss-ecm-standard.list
lib/modules/6.6.83/ecm.ko
lib/netifd/offload/on-demand-down
usr/bin/ecm_dump.sh
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 triggers:
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 has auto-install rule:
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 affects auto-installation of:
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 replaces:
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1 license:
root@R7800:~#
In older snapshot 23.05 NSS
root@R7800:~# opkg info kmod-qca-nss-ecm-standard
Package: kmod-qca-nss-ecm-standard
Version: 5.15.178+2023-01-20-db66c47-1
Depends: kernel (= 5.15.178-1-b2a79c0f94c0b2a733b6a19d82990987), kmod-qca-nss-drv, kmod-nf-conntrack, kmod-ppp, kmod-pppoe, kmod-pptp
Provides: kmod-qca-nss-ecm
Status: install user installed
Architecture: arm_cortex-a15_neon-vfpv4
Installed-Time: 1740038172
root@R7800:~#
Can you at least run apk info --all kmod-qca-nss-ecm-standard so we can see and compare the depends. I build from your repo and want to make sure that it's not something specific to my config.
root@R7800:~# apk info --all iptables-mod-physdev
iptables-mod-physdev-1.8.10-r1 description:
The iptables physdev match.
iptables-mod-physdev-1.8.10-r1 webpage:
https://netfilter.org/
iptables-mod-physdev-1.8.10-r1 installed size:
12 KiB
iptables-mod-physdev-1.8.10-r1 depends on:
kmod-ipt-physdev
libc
libxtables12
iptables-mod-physdev-1.8.10-r1 provides:
iptables-mod-physdev-1.8.10-r1 is required by:
kmod-qca-nss-ecm-standard-6.6.83.2023.07.25~9acdcb05-r1
iptables-mod-physdev-1.8.10-r1 contains:
lib/apk/packages/iptables-mod-physdev.list
usr/lib/iptables/libxt_physdev.so
iptables-mod-physdev-1.8.10-r1 triggers:
iptables-mod-physdev-1.8.10-r1 has auto-install rule:
iptables-mod-physdev-1.8.10-r1 affects auto-installation of:
iptables-mod-physdev-1.8.10-r1 replaces:
iptables-mod-physdev-1.8.10-r1 license:
GPL-2.0
iptables-mod-physdev-1.8.10-r1 description:
The iptables physdev match.
iptables-mod-physdev-1.8.10-r1 webpage:
https://netfilter.org/
iptables-mod-physdev-1.8.10-r1 installed size:
12 KiB
iptables-mod-physdev-1.8.10-r1 depends on:
kmod-ipt-physdev
libc
libxtables12
iptables-mod-physdev-1.8.10-r1 provides:
iptables-mod-physdev-1.8.10-r1 has auto-install rule:
iptables-mod-physdev-1.8.10-r1 license:
GPL-2.0
root@R7800:~#
If I just remove the iptables-mod-physdev the legacy rules warning disappears but it autoremoves kmod-qca-nss-ecm-standard too, so it cannot be used as a workaround.
Below are the differences in menuconfig although I use the same build config.
k6.6 NSS
Search Results
Symbol: DEFAULT_kmod-ipt-physdev [=DEFAULT_kmod-ipt-physdev]
Type : unknown

Symbol: PACKAGE_kmod-ipt-physdev [=y]
Type : tristate
Defined at tmp/.config-package.in:16579
Prompt: kmod-ipt-physdev.......................................... physdev module
Location:
-> Kernel modules
-> Netfilter Extensions
(1) -> kmod-ipt-physdev.......................................... physdev module (PACKAGE_kmod-ipt-physdev [=y])
Selects: PACKAGE_kmod-br-netfilter [=y] && PACKAGE_kmod-ipt-core [=y]
Selected by [y]:
- PACKAGE_kmod-qca-nss-ecm-standard [=y] && (!PACKAGE_kmod-qca-nss-drv [=y] || TARGET_ipq806x [=y] || TARGET_ipq_ipq806x) && (!PACKAGE_kmod-qca-nss
- PACKAGE_iptables-mod-physdev [=y]
Selected by [n]:
- PACKAGE_kmod-qca-nss-ecm-noload [=n] && (!PACKAGE_kmod-qca-nss-drv [=y] || TARGET_ipq806x [=y] || TARGET_ipq_ipq806x) && (!PACKAGE_kmod-qca-nss-d
- PACKAGE_kmod-qca-nss-ecm-premium [=n] && (!PACKAGE_kmod-qca-nss-drv [=y] || TARGET_ipq806x [=y] || TARGET_ipq_ipq806x) && (!PACKAGE_kmod-qca-nss-
- PACKAGE_kmod-qca-nss-ecm-premium-noload [=n] && (!PACKAGE_kmod-qca-nss-drv [=y] || TARGET_ipq806x [=y] || TARGET_ipq_ipq806x) && (!PACKAGE_kmod-q
- PACKAGE_dockerd [=n] && !mips [=n] && !mips64 [=n] && !mipsel [=n] && (aarch64 [=n] || arm [=y] || i386 [=n] || i686 [=n] || loongarch64 [=n] ||
and 23.05
Search Results
Symbol: DEFAULT_kmod-ipt-physdev [=DEFAULT_kmod-ipt-physdev]
Type : unknown

Symbol: PACKAGE_kmod-ipt-physdev [=n]
Type : tristate
Defined at tmp/.config-package.in:14754
Prompt: kmod-ipt-physdev.......................................... physdev module
Location:
-> Kernel modules
(1) -> Netfilter Extensions
Selects: PACKAGE_kmod-br-netfilter [=n] && PACKAGE_kmod-ipt-core [=y]
Selected by [n]:
- PACKAGE_iptables-mod-physdev [=n]
- PACKAGE_dockerd [=n] && (aarch64 [=n] || arm [=y] || i386 [=n] || i686 [=n] || mips [=n] || mips64 [=n] || mips64el [=n] || mipsel [=n] || powerp
I'm testing an experimental version of the 24.10 branch.
Here are the results of this opkg info branch.
BusyBox v1.36.1 (2025-03-25 12:39:05 UTC) built-in shell (ash)
OpenWrt 24.10-SNAPSHOT, r28563+33-9e63e2410d
root@R7800:~# opkg info kmod-qca-nss-ecm-standard
Package: kmod-qca-nss-ecm-standard
Version: 6.6.83.2023.07.25~9acdcb05-r1
Depends: kernel (= 6.6.83~f16f991a8221187f461de0cc46a33cd4-r1), kmod-qca-nss-drv, kmod-nf-conntrack, kmod-ipt-physdev, iptables-mod-physdev, kmod-ppp, kmod-pppoe, kmod-pptp, kmod-qca-mcs
Provides: kmod-qca-nss-ecm
Status: install ok installed
Architecture: arm_cortex-a15_neon-vfpv4
Installed-Time: 1742906345
As you see I've the same ipt-iptables dependency that you have on your main branch.
Yep, the solution would be the same as it was done for 23.05-NSS, the dependencies to be redacted. Currently I don't know how to redact the dependencies although I read some info on the forums. Maybe anyone (@vochong @acwifidude @noblem) who was involved previously with that issue can help.
I've removed iptables dependency from my sources. You can update it and test if it works.
I don't know if I've broken other things until I've time to test so it is possible I'll revert it.
Just compiled the latest commit #5f092ba0c1 and flashed in my R7800.
I'll get back to you tmr. Thanks.
Do you see the above Firewall message?
@asvio I'm not completely sure but maybe kmod-ipt-physdev should be removed too. It doesn't exist in 23.05-NSS.
Just comment out these 2 lines in /etc/firewall.d/qca-nss-ecm, and reboot your router. No need to remove any module.
# iptables -nvL FORWARD | grep -q "physdev" && iptables -Z FORWARD 1
# iptables -nvL FORWARD | grep -q "physdev" || iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
Yes, I saw this firewall legacy msg on day 1 but I've dismissed the msg from luci.
I don't know how to re-produce the msg. Maybe I perform the firmware downgrade?
Just do what I mentioned above and the problem will be fixed cleanly.
Thanks,
I've tried it and it works (No Legacy rules message) but after sysupgrade those two lines are in their original state so probably it won't be convenient for less experienced users.
Anyway I've removed the kmod-ipt-physdev too and still the /etc/firewall.d/qca-nss-ecm has the two lines mentioned above after sysupgrade but the Legacy message is not displayed on the Firewall tab.
Maybe someone knows how that file content is generated and maybe those two lines have to be removed altering some code so they don't appear at first boot after sysupgrade.
Here is the content of the qca-nss-ecm for 23.05-NSS that had a reset not so long ago.
#!/bin/sh
if [ ! -r /sbin/fw4 ]; then
iptables-save|grep physdev-is-bridged|while read a; do
iptables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT
done
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
fi
and below is the content from my current 6.6-NSS build freshly sysupgraded after the removal of both kmod-ipt-physdev and iptables-mod-physdev
#!/bin/sh
#
# Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
iptables -nvL FORWARD | grep -q "physdev" && iptables -Z FORWARD 1
iptables -nvL FORWARD | grep -q "physdev" || iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
if grep -q "fw3" /etc/init.d/firewall; then
iptables -nvL | grep -q "Chain RATE-LIMIT" && iptables -F RATE-LIMIT
iptables -nvL | grep -q "Chain RATE-LIMIT" || iptables -N RATE-LIMIT
iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
iptables -A RATE-LIMIT -j DROP
iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
elif grep -q "fw4" /etc/init.d/firewall; then
nft add chain inet fw4 RATE-LIMIT
nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
nft add rule inet fw4 RATE-LIMIT counter drop
nft add rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
fi
There is no Legacy rules message but the lines are there probably doing nothing, I suppose.
Yes, these lines will not do anything if the physdev is not available. This will accomplish the same thing as commenting them out.
Hi @vochong
MR42 and MR52 should work, both have swconfig support on sources.
I haven't encountered any problems compiling for either device.
For the AP3935i, it's a different story. There's no DTS for this device that defines the parameters for a swconfig configuration (at least I do not find any). It would be very risky to define one without having a device to test the result. I, at least, don't dare do it because I'm convinced it would result in a bricked device.
Maybe @sqter has the ability
I'm using Kong's qca-nss-ecm script with k6.6 and it's working.
root@OpenWrt:~# nft list ruleset
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain FORWARD {
type filter hook forward priority filter; policy accept;
xt match "physdev" counter packets 1175 bytes 214967 accept
xt match "physdev" counter packets 174 bytes 29802 accept
xt match "physdev" counter packets 480 bytes 81810 accept
xt match "physdev" counter packets 142528 bytes 25893093 accept
@asvio @vochong
Maybe this file should be altered so the two lines are commented.
/package/qca-nss/qca-nss-ecm/files/qca-nss-ecm.firewall
I'm now on:
|Firmware Version|KONG 23 r0+24160-e118330494 / LuCI openwrt-23.05 branch git-24.264.56413-c7a3562|
| --- | --- |
|Kernel Version|5.15.167|
on my R7800. What is the best FW I can upgrade to with keep settings?
The DTS files for MR42 and MR52 definitely need to be modified with additional NSS settings, I had built MR52 image successfully using your repo but it did not bring up both Ethernet ports in the device. I had told sqter about it about a week ago. Thanks.
OpenWrt's default behavior allows bridge traffic to be forwarded, so there's no need to use iptables' physdev to configure it as another bridge interface for NSS traffic. You can completely get rid of fw3 and use only fw4.
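An added example, not code from the thread or from any of the repositories discussed: a check for whether a router is really running fw4 only, or still carries an iptables-nft table with the physdev rules quoted earlier. It reads `nft list ruleset` text on stdin; the function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Prints "<family> <table> <physdev-rule-count>" for every table that nft
# marks as managed by iptables-nft (the "# Warning: ..." comment line).
audit_legacy_tables() {
    awk '
        /^# Warning: table .* is managed by iptables-nft/ { flagged[$4 " " $5] = 1; next }
        /^table /                                { cur = $2 " " $3; next }
        /xt match "physdev"/ && (cur in flagged) { hits[cur]++ }
        END { for (t in flagged) printf "%s %d\n", t, hits[t] }
    ' | sort
}

# Exit status 0 when no iptables-nft managed table is present in the ruleset.
ruleset_is_clean() {
    [ -z "$(audit_legacy_tables)" ]
}

# Constructed sample: legacy physdev rules sitting beside the fw4 table.
sample_mixed() {
    cat <<'EOF'
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        xt match "physdev" counter packets 1175 bytes 214967 accept
        xt match "physdev" counter packets 174 bytes 29802 accept
    }
}
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
EOF
}

# Constructed sample: fw4 only, nothing added through iptables.
sample_fw4_only() {
    cat <<'EOF'
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
EOF
}

sample_mixed | audit_legacy_tables
```

On a device the input would be `nft list ruleset | audit_legacy_tables`; a physdev count above one for the same table means the include script has inserted the rule more than once.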
I can test AP3935i if any change is needed. It has an external serial port so it's very easy to recover it.
Is this relevant for the GL-iNet GL-AX1800, which was added to the main branch this week? Would any additional DTS files or other adaptation be necessary?