Mwan3: nftables porting help

feckert · February 21, 2022, 8:44am

Hello Community,

I just heard on the mailing list that a new OpenWrt release is planned for March 2022.
In this release, the firewall is now used on nftables by default.
I only found out about it a month ago.
Unfortunately, I have to say that I have not yet had the time to deal with this topic in depth because of other projects that have more priority.

I think that the iptables to nftables conversion via iptables-nft should work, but I have not tested it.
My problem is that I use ipsets, which does not exist in nftables as I know.

Pullrequest are welcome to port the mwan3 to nftables.
I will probably not be able to port the mwan3 in time for the next release without our help

I have found a reference implementation for policy based routing with nativ nftables with out iptables-nft

gist.github.com

https://gist.github.com/elico/492d8f75f584ec1bed98b2a054a02cbb

nftables-lb-wan.sh

#!/usr/bin/env bash

DEST_NET="192.168.111.0/24"

NEXT_HOPS="2"

NEXT_HOP_1="192.168.126.202"
NEXT_HOP_2="192.168.126.203"

NEXT_HOP_1_TABLE="202"

This file has been truncated. show original

jow · February 21, 2022, 9:28am

Nftables supports named sets instead which should provide equivalent functionality.

feckert · March 7, 2022, 2:29pm

@jow @aaronjg Porting to the new firewall nftables backend is not quite trivial. I have problems with the ipsets.
I am now trying to use the new tool

ipset-translate restore

to use my mwan3 ipsets with nftables.

This tool is included in the new ipset 7.15. This was already added by me and merged in the openwrt master branch https://github.com/openwrt/openwrt/commit/ba6a48366f4ae4b7b47a11f95141554c52a2a5db

I have a problem with the following ipset. There seems to be no translation for it:

github.com

openwrt/packages/blob/master/net/mwan3/files/lib/mwan3/mwan3.sh#L805


      
          	config_get timeout "$1" timeout 600
          	config_get ipset "$1" ipset
          	config_get proto "$1" proto all
          	config_get src_ip "$1" src_ip
          	config_get src_iface "$1" src_iface
          	config_get src_port "$1" src_port
          	config_get dest_ip "$1" dest_ip
          	config_get dest_port "$1" dest_port
          	config_get use_policy "$1" use_policy
          	config_get family "$1" family any
          	config_get rule_logging "$1" logging 0
          	config_get global_logging globals logging 0
          	config_get loglevel globals loglevel notice
          
          	[ "$ipv" = "ipv6" ] && [ $NO_IPV6 -ne 0 ] && return
          	[ "$family" = "ipv4" ] && [ "$ipv" = "ipv6" ] && return
          	[ "$family" = "ipv6" ] && [ "$ipv" = "ipv4" ] && return
          
          	for ipaddr in "$src_ip" "$dest_ip"; do
          		if [ -n "$ipaddr" ] && { { [ "$ipv" = "ipv4" ] && echo "$ipaddr" | grep -qE "$IPv6_REGEX"; } ||
          						 { [ "$ipv" = "ipv6" ] && echo "$ipaddr" | grep -qE $IPv4_REGEX; } }; then

Can anyone tell me how to do this?

I would like to rewrite the mwan3 so that it use ucode like the firewall4. Unfortunately, I probably won't be able to do that until the freeze. Also, I would first have to read into ucode and restructure the whole mwan3.

Therefore, my only option is to work with translate.

I would be happy about any help and discussion with some feedback

With the following pullrequest [WIP] I have already started to prepare the mwan3 so that it also works with nftables.

github.com/openwrt/packages

mwan3: update to version 2.11.0

openwrt:master ← TDT-AG:pr/20220225-mwan3

opened 11:26AM - 25 Feb 22 UTC

feckert

+164 -104

Maintainer: me @aaronjg Compile tested: not needed only script changes Run te…sted: x86_64, APU3, OpenWrt latest Changes: * Add ip6tables dependency to fix issue that was added by the iptables package renaming. * Add debugging dump into `/var/run/mwan3/iptables_log` to see all iptables/ipset command that mwan3 do for debugging * Move the iptables and ipset command definition to `/lib/mwan3/common.sh`. * Since nftables does not support ipsets in ipsets (list:set), there is now a separate ipset and iptables rule for each ipset in mwan3. This is not mandatory, but it helps when porting from mwan3 to native nftables syntax without iptables-nft backend usage, to verify the rules. @champtar @stangri @jamesmacwhite @brianjmurrell @ptpt52 Could someone please verify my change with nftables before I merge it?

feckert · March 7, 2022, 4:38pm

The documentation is a bit poor but I have now found out with try and error that my assumption is not correct.
The ipsets are created with the ipset tool and could be used iptables-nft.
I therefore assume that the mwan3 works with nft.

Sorry for the noise