Maybe I am being crazy trying to retain fw3. If I pull in PR5652 and do not revert the fw4, this is what my .config looks like. It contains both iptables and nftables. I thought that was asking for trouble?
Even with the new firewall4, there will still be an iptables binary in the background in case you (your packages) are using any iptables-mod-xxxx packages (like e.g. SQM does now). However, running "iptables" should actually lead you to "iptables-nft" showing version as "iptables (nftables)".
See the discussion at the end of
trying to revert fw4 and just use fw3
If you revert fw4, you will likely also need to revert all the fw4 oriented changes in packages... or at least investigate them.
E.g. SQM has been modified to pull in iptables-nft since
Thanks @hnyman for the info. I tried using the image I flashed and set up a simple firewall rule to deny a specific IP address access to the WAN. Although it shows active, I can still ping and connect from that device to the WAN, so the firewall is not working properly on the latest build from master for me.
Reverting to the image I built from 02-Feb, wherein fw4 was reverted, does work.
I created this thread to discuss the issue rather than hijacking the original topic which was about the status page. Thanks all!
@darksky @hnyman I can confirm this behavior with a build from roughly 2 hours ago (from the time of this post).
I have a firewall rule within traffic rules which blocks a range specific to IoTs from the Internet. After updating to a post-FW4 build, devices in that range are able to access the Internet. Flipping back to the build just prior to FW4 becoming default (i.e. an FW3 build), the Internet is again blocked for those IPs.
Source Zone: lan
Source Addresses: 192.168.1.208/28 and 192.168.1.224/28
Destination Zone: wan
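Two checks a practitioner would run on a box after the fw4 switch, covering both hnyman's point that `iptables` should now be the nft-backed wrapper and the last post's lan-to-wan block rule for the two /28 ranges. This is an added example, not code from the thread or from OpenWrt. It assumes the wrapper reports `(nf_tables)` in its `iptables -V` version string, and the embedded ruleset is a constructed approximation of what fw4 emits (chain and comment names are assumptions, not copied from a real device); on a live router you would feed it `"$(nft list ruleset)"` instead.

```shell
#!/bin/sh
# Added example (not from the forum thread): post-fw4 sanity checks.
#  1. Which backend the "iptables" command is (should be the nft-backed wrapper).
#  2. Whether a block rule for a given source range is actually present in the
#     loaded nft ruleset, i.e. whether the traffic rule made it into nftables.
# Live use:  iptables_backend "$(iptables -V 2>/dev/null)"
#            check_block_rule "$(nft list ruleset)" 192.168.1.208/28 192.168.1.224/28

# Classify an `iptables -V` version string. Prints one of: nft, legacy, missing, unknown.
# iptables-nft prints "(nf_tables)"; the legacy binary prints "(legacy)".
iptables_backend() {
    case "$1" in
        "")                                echo missing ;;
        *"(nf_tables)"* | *"(nftables)"*)  echo nft ;;
        *"(legacy)"*)                      echo legacy ;;
        *)                                 echo unknown ;;
    esac
}

# Return 0 if the ruleset text ($1) contains a rule that matches source address $2
# (alone or inside an anonymous set like "{ a, b }") and ends in drop/reject.
# A jump to a reject_* chain counts (assumption: fw4 names its reject helper chains that way).
rule_blocks_cidr() {
    ruleset="$1"
    cidr="$2"
    # Escape '.' and '/' so the CIDR is matched literally by grep -E.
    pat=$(printf '%s' "$cidr" | sed 's/[./]/\\&/g')
    printf '%s\n' "$ruleset" \
      | grep 'ip saddr' \
      | grep -E "(^|[ {,])${pat}([ ,}]|$)" \
      | grep -Eq 'drop|reject'
}

# Check every CIDR given after the ruleset; report each one and return 1 if any is uncovered.
check_block_rule() {
    ruleset="$1"
    shift
    missing=0
    for c in "$@"; do
        if rule_blocks_cidr "$ruleset" "$c"; then
            echo "OK      $c is covered by a drop/reject rule"
        else
            echo "MISSING $c has no drop/reject rule in the ruleset"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample ruleset approximating fw4 output for the rule in the post above
# (lan -> wan, two /28 source ranges, REJECT). Not captured from a real device.
RULESET_SAMPLE='table inet fw4 {
    chain forward_lan {
        ip saddr { 192.168.1.208/28, 192.168.1.224/28 } counter jump reject_to_wan comment "!fw4: Block IoT range"
        jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
    }
    chain reject_to_wan {
        reject comment "!fw4: reject lan to wan"
    }
}'

# Demo on the constructed sample (swap in "$(nft list ruleset)" on a live box).
echo "iptables backend: $(iptables_backend 'iptables v1.8.7 (nf_tables)')"
check_block_rule "$RULESET_SAMPLE" 192.168.1.208/28 192.168.1.224/28
```

If `iptables_backend` reports `legacy` after the switch, the box still has iptables-legacy rather than the wrapper, and if `check_block_rule` prints `MISSING` for a range that LuCI shows as active, the rule was accepted by the UI but never reached the loaded nftables ruleset, which is the symptom the last two posts describe.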