New firewall problem in snapshot

I upgraded my openwrt to snapshot yesterday.
Found some issues with the firewall, I'm not sure if it's a problem with openwrt or my settings.
PS1: I don't know much about firewalls.
PS2: The previous iptables is gone, replaced with nft.

  1. I have an openvpn service and set the zone rule in the firewall; it works fine in the old version, but not in the new version.

     After connecting to openvpn, I can ssh to the router normally, but I can't connect to the internet or to other devices on the lan.

  2. Can't open the IPv6 port. This is the script I use to open the IPv6 port:
#!/bin/sh
# Add a firewall rule that accepts inbound TCP 8000 from wan to a lan host.
# The host is matched by a non-contiguous mask: only the lower 64 bits
# (::ff32) must match, so the rule survives a changing IPv6 prefix.
uid="$(uci add firewall rule)"
uci set firewall."${uid}".dest_port="8000"
uci set firewall."${uid}".src='wan'
uci set firewall."${uid}".name="open-rasp-8000-port-IPv6"
uci set firewall."${uid}".family='ipv6'
uci set firewall."${uid}".dest_ip="::ff32/::ffff:ffff:ffff:ffff"
uci set firewall."${uid}".target='ACCEPT'
uci set firewall."${uid}".dest='lan'
uci add_list firewall."${uid}".proto="tcp"
uci commit firewall
/etc/init.d/firewall restart

Also, it works fine in older versions, but newer versions will cause the whole firewall to crash.

Sounds like you likely upgraded from a version prior to 21.02.x and tried to keep your configurations.

Due to the change from swconfig to DSA in 21.02.x, configurations are not upgradeable for the following targeted devices...

ath79 (only TP-Link TL-WR941ND)
bcm4908
gemini
kirkwood
mediatek (most boards)
mvebu
octeon
ramips (mt7621 subtarget only)
realtek

Your device is a mediatek

You'll need to re-configure from scratch.

I've been using snapshots and haven't paid attention to the version, the last update was about 2 months ago.
Every time I upgrade, I don't keep the config file, all my configurations come from the script.

openvpn script:

#!/bin/sh
# Create an 'openvpn' zone covering every tun* interface (wildcard device name)
# and allow traffic from that zone into and out of the router itself.
uid="$(uci add firewall zone)"
uci set firewall."${uid}".name='openvpn'
uci set firewall."${uid}".input='ACCEPT'
uci set firewall."${uid}".forward='ACCEPT'
uci add_list firewall."${uid}".device='tun+'
uci set firewall."${uid}".output='ACCEPT'

# Allow VPN clients to reach the lan ...
uid="$(uci add firewall forwarding)"
uci set firewall."${uid}".dest='lan'
uci set firewall."${uid}".src='openvpn'

# ... and the internet via wan.
uid="$(uci add firewall forwarding)"
uci set firewall."${uid}".dest='wan'
uci set firewall."${uid}".src='openvpn'

uci commit firewall

/etc/init.d/firewall restart

There’s a new commit in firewall4 that deals with wildcard device names (e.g. tun+). It might help your issue once firewall4 is updated in master.

https://git.openwrt.org/?p=project/firewall4.git;a=commit;h=0bc844ba02ae460d4a895878b9136ba5d8e09b37


Matching non-contiguous masks (::ff32/::ffff:ffff:ffff:ffff) is not yet supported. I am working on it but porting this feature to the nftables ruleset is complex.


Thanks for your work, the IPv6 prefix in my house is dynamic so I can only use non-contiguous masks.
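Added example, not code from this thread or from firewall4: a small Python check of what the masked match in the dest_ip spec above means, i.e. why ::ff32/::ffff:ffff:ffff:ffff selects a host by its lower 64 bits whatever the dynamic prefix is, and how to find which uci address specs use a mask that is not a plain CIDR prefix (the case the firewall4 author says is not yet supported). Function names and the sample addresses are constructed for illustration.

```python
import ipaddress

IPV6_ALL_ONES = (1 << 128) - 1


def parse_uci_ip6_match(spec):
    """Parse a uci src_ip/dest_ip value of the form 'addr', 'addr/len' or 'addr/mask'.

    IPv6 only. Returns (addr_int, mask_int); a bare address is an exact host match.
    """
    addr_str, _, mask_str = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_str))
    if not mask_str:
        mask = IPV6_ALL_ONES
    elif mask_str.isdigit():  # prefix length, e.g. /64
        mask = (IPV6_ALL_ONES << (128 - int(mask_str))) & IPV6_ALL_ONES
    else:  # full mask written as an address, e.g. /::ffff:ffff:ffff:ffff
        mask = int(ipaddress.IPv6Address(mask_str))
    return addr, mask


def is_contiguous_mask(mask):
    """True if the mask is a run of 1-bits followed only by 0-bits (a CIDR prefix)."""
    inverted = mask ^ IPV6_ALL_ONES
    return inverted & (inverted + 1) == 0


def matches(spec, address):
    """iptables-style masked compare: (address & mask) == (spec_addr & mask)."""
    addr, mask = parse_uci_ip6_match(spec)
    return (int(ipaddress.IPv6Address(address)) & mask) == (addr & mask)


def non_prefix_specs(specs):
    """Return the specs whose mask cannot be expressed as a single CIDR prefix."""
    return [s for s in specs if not is_contiguous_mask(parse_uci_ip6_match(s)[1])]


if __name__ == "__main__":
    rule = "::ff32/::ffff:ffff:ffff:ffff"  # the dest_ip from the script above
    # Constructed sample addresses: same host suffix under two different prefixes.
    for host in ("2001:db8:1:2::ff32", "2001:db8:abcd:ffff::ff32", "2001:db8:1:2::ff33"):
        print(host, "matches" if matches(rule, host) else "does not match", rule)
    print("non-prefix masks:", non_prefix_specs([rule, "2001:db8::/64", "2001:db8::1"]))
```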