Nftables breakdown

So with iptables we had chains like

zone_lan_prerouting

zone_wan_prerouting.

How are the new chains configured for nftables in OpenWrt 22.03.2?

I am gradually migrating my most important iptables rules, but I am not sure I got the new chains correctly.

  • zone_${zone}_prerouting => dstnat_${zone}
  • zone_${zone}_postrouting => srcnat_${zone}

what about

zone_wan_forward ?

  • zone_${zone}_input => input_${zone}
  • zone_${zone}_output => output_${zone}
  • zone_${zone}_forward => forward_${zone}

these are very helpful!

what about something like

output_rule

The old *_rule chains are user chains. There's no direct replacement for them in nftables. Instead you can simply declare custom chains at the various default hooks using different kinds of include mechanisms: https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes_for_2203_and_later_with_fw4

E.g. to produce a chain equivalent to iptables output_rule, place the following into /etc/nftables.d/my_output_rule_chain.nft:

chain output_rule {
    type filter hook output priority filter - 1; policy accept;
}

The priority value will control whether such a chain is invoked before or after the fw4 chains (fw4's output delegation chain uses priority filter a.k.a. 0).

See also https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook

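A fuller version of the include file described in the reply above, as an added example rather than code posted in the thread. It assumes what the reply states: fw4 on OpenWrt 22.03 pulls every /etc/nftables.d/*.nft into its own `table inet fw4`, so the chain is declared bare, and that `priority filter - 1` places it ahead of fw4's output chain at priority 0. The resolver addresses and the port are illustrative.

```nft
# /etc/nftables.d/my_output_rule_chain.nft  (added example, not from the thread)
# Assumed: fw4 includes this file inside "table inet fw4", so no table block
# is written here. Addresses below are illustrative, not a recommendation.

chain output_rule {
    # Base chain on the output hook. "filter - 1" evaluates to -1, so this
    # chain runs before fw4's own output chain at priority "filter" (0),
    # which is the equivalent of the old iptables output_rule user chain
    # being jumped to first.
    type filter hook output priority filter - 1; policy accept;

    # Only let the router itself send DNS queries to the configured
    # upstream resolvers; anything else on port 53 is counted and dropped.
    meta l4proto { tcp, udp } th dport 53 ip daddr != { 9.9.9.9, 149.112.112.112 } counter drop
}
```

Apply it with `fw4 reload` and confirm the placement with `fw4 print`, which lists the generated ruleset with this chain inside `table inet fw4`. A chain declared with `priority filter + 1` at the same hook would instead run after fw4's output chain and only see packets that fw4 did not already drop, which is the ordering the reply's link describes.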

So at the moment I have determined my best course of action is a custom script. I simply have too many rules to try creating different custom .nft files.

Thanks for all your help!

Man, I wish we had nftables much sooner! It is amazing how you can take really complicated iptables chains and use nftables mappings to simplify them!

https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps

I just shortened a lot of my rules.

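The map technique the post above links to, written as an fw4 include so it fits the chain mapping discussed earlier in the thread. This is an added example, not the poster's ruleset or OpenWrt's own configuration: it assumes fw4 includes the file inside `table inet fw4`, that the WAN device is named `eth0`, and the internal hosts and ports are invented for illustration.

```nft
# /etc/nftables.d/my_port_forwards.nft  (added example, not from the thread)
# Assumed: fw4 on OpenWrt 22.03 includes this file inside "table inet fw4".
# "eth0", 192.168.1.10 and 192.168.1.20 are illustrative values.

# One map replaces one DNAT rule per forwarded service. Key: public TCP
# port. Value: internal host and port, as a concatenation.
map tcp_port_forwards {
    type inet_service : ipv4_addr . inet_service
    elements = {
        2222 : 192.168.1.10 . 22,     # ssh on the build box
        8443 : 192.168.1.20 . 443     # https on the reverse proxy
    }
}

chain dstnat_map {
    # "dstnat - 1" evaluates to -101, so this chain runs just before
    # fw4's dstnat_* zone chains at priority "dstnat" (-100).
    type nat hook prerouting priority dstnat - 1; policy accept;

    # Only rewrite traffic arriving on the WAN device; the map lookup
    # fails (no rewrite) for any port not listed above.
    iifname "eth0" dnat ip to tcp dport map @tcp_port_forwards
}
```

Adding a new forward is then one element in the map rather than a new rule. After `fw4 reload`, `nft list map inet fw4 tcp_port_forwards` shows the live table, and `fw4 print` shows where the chain landed relative to fw4's `dstnat_wan`. The rewritten packets still have to pass fw4's forward chain for the WAN zone; check in `fw4 print` that it accepts `ct status dnat` traffic (the default ruleset does) or add a matching forward rule.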
