Legacy rules detected

lexus1 · November 29, 2022, 5:32pm

help convert iptables rule to nft

iptables -t nat -I PREROUTING -i br-lan -p tcp -m set --match-set onion dst -j REDIRECT --to-ports 9040

/etc/config/firewall

config ipset
        option name 'onion'
        option match 'dst_net'
        option enabled '1'
        option loadfile '/opt/ipset/blocked_ip.dat'

dave14305 · November 29, 2022, 7:57pm

What if you try this?

Removed…

results in:

chain dstnat_lan {
    meta nfproto ipv4 ip daddr @onion counter redirect to 9040 comment "!fw4: Onion"
}

lexus1 · November 29, 2022, 8:20pm

dave14305:

config redirect
        option target 'DNAT'
        option name 'Onion'
        list proto 'tcp'
        option src 'lan'
        option ipset 'onion'
        option dest_port '9040'

The system outputs the following:

/dev/stdin:226:57-60: Error: transport protocol mapping is only valid after transport protocol match
                meta nfproto ipv4 ip daddr @onion counter redirect to 9040 comment "!fw4: Onion"

config ipset
<------>option name 'onion'
<------>option match 'dst_net'
<------>option enabled '1'
<------>option loadfile '/opt/ipset/blocked_ip.dat'

config redirect
        option target 'DNAT'
        option name 'Onion'
        list proto 'tcp'
        option src 'lan'
        option ipset 'onion'
        option dest_port '9040'
........

dave14305 · November 29, 2022, 9:01pm

Sorry, I realize I only did fw4 print instead of fw4 reload. More research needed.

lexus1 · November 30, 2022, 3:52pm

Thanks for pointing me in the right direction

config redirect
        option target 'DNAT'
        option name 'Onion'
        list proto 'tcp'
        option src 'lan'
        option ipset 'onion'
        option dest_port '9040'
        option src_dport '1-65535'

Working OK

system · December 10, 2022, 3:52pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.