Mwan3: nftables porting help

feckert · March 7, 2022, 2:29pm

@jow @aaronjg Porting to the new firewall nftables backend is not quite trivial. I have problems with the ipsets.
I am now trying to use the new tool

ipset-translate restore

to use my mwan3 ipsets with nftables.

This tool is included in the new ipset 7.15. This was already added by me and merged in the openwrt master branch https://github.com/openwrt/openwrt/commit/ba6a48366f4ae4b7b47a11f95141554c52a2a5db

I have a problem with the following ipset. There seems to be no translation for it:

github.com

openwrt/packages/blob/master/net/mwan3/files/lib/mwan3/mwan3.sh#L805


      
          	config_get timeout "$1" timeout 600
          	config_get ipset "$1" ipset
          	config_get proto "$1" proto all
          	config_get src_ip "$1" src_ip
          	config_get src_iface "$1" src_iface
          	config_get src_port "$1" src_port
          	config_get dest_ip "$1" dest_ip
          	config_get dest_port "$1" dest_port
          	config_get use_policy "$1" use_policy
          	config_get family "$1" family any
          	config_get rule_logging "$1" logging 0
          	config_get global_logging globals logging 0
          	config_get loglevel globals loglevel notice
          
          	[ "$ipv" = "ipv6" ] && [ $NO_IPV6 -ne 0 ] && return
          	[ "$family" = "ipv4" ] && [ "$ipv" = "ipv6" ] && return
          	[ "$family" = "ipv6" ] && [ "$ipv" = "ipv4" ] && return
          
          	for ipaddr in "$src_ip" "$dest_ip"; do
          		if [ -n "$ipaddr" ] && { { [ "$ipv" = "ipv4" ] && echo "$ipaddr" | grep -qE "$IPv6_REGEX"; } ||
          						 { [ "$ipv" = "ipv6" ] && echo "$ipaddr" | grep -qE $IPv4_REGEX; } }; then

Can anyone tell me how to do this?

I would like to rewrite the mwan3 so that it use ucode like the firewall4. Unfortunately, I probably won't be able to do that until the freeze. Also, I would first have to read into ucode and restructure the whole mwan3.

Therefore, my only option is to work with translate.

I would be happy about any help and discussion with some feedback

With the following pullrequest [WIP] I have already started to prepare the mwan3 so that it also works with nftables.

github.com/openwrt/packages

mwan3: update to version 2.11.0

openwrt:master ← TDT-AG:pr/20220225-mwan3

opened 11:26AM - 25 Feb 22 UTC

feckert

+164 -104

Maintainer: me @aaronjg Compile tested: not needed only script changes Run te…sted: x86_64, APU3, OpenWrt latest Changes: * Add ip6tables dependency to fix issue that was added by the iptables package renaming. * Add debugging dump into `/var/run/mwan3/iptables_log` to see all iptables/ipset command that mwan3 do for debugging * Move the iptables and ipset command definition to `/lib/mwan3/common.sh`. * Since nftables does not support ipsets in ipsets (list:set), there is now a separate ipset and iptables rule for each ipset in mwan3. This is not mandatory, but it helps when porting from mwan3 to native nftables syntax without iptables-nft backend usage, to verify the rules. @champtar @stangri @jamesmacwhite @brianjmurrell @ptpt52 Could someone please verify my change with nftables before I merge it?