Nftables fix needed for acme in trunk

Since OpenWrt is migrating to fw4 and nftables the acme package fails because of it using iptables commands in /usr/lib/acme/run-acme like this:

        iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
        ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
...

        iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
        ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1

Other than that I have to say it really runs quite well already with nftables. The resulting rules seem to work just fine. SQM QoS seems to be missing support but that will be a matter of time I guess.

Junicast


Any suggested solutions or workarounds for this?

I tried using iptables-translate to help, which doesn't appear to be available on OpenWRT, but that didn't help. I looked at Firewall4 / NFtables Tips and Tricks - #59 by noblem which led me to try this, which worked:

        #iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
        #ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
        nft insert rule inet fw4 input tcp dport 80 counter accept comment \"ACME\" || return 1

and also for the later section:

        #iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
        #ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2> /dev/null
        nft insert rule inet fw4 input tcp dport 80 counter accept comment \"ACME\" 2> /dev/null

Cc @tohojo

That second rule is definitely wrong; it's supposed to be deleting the rule, and you're just inserting it again (so you'll accumulate rules on each run, and also leave port 80 open).

Sadly nft doesn't support deleting a rule based on its content, so we'll have to capture the handle and use that to delete.

I implemented that in https://github.com/openwrt/packages/pull/18187 - could you please test that?

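The handle-based approach described above, as an added example that is not the acme package's run-acme script nor the code in the linked PR: tag the rule with a comment, then find its handle in `nft -a` output and delete by handle. It assumes the fw4 table/chain names used earlier in the thread (`inet fw4`, chain `input`) and a constructed sample listing for offline use.

```sh
#!/bin/sh
# Added example: open/close port 80 in fw4 with a tagged nft rule, deleting by handle.
# Assumes OpenWrt fw4 (table "inet fw4", chain "input"); the tag "ACME" mirrors the thread.

ACME_TAG="ACME"

# Read `nft -a list chain ...` output on stdin and print the handle of every rule
# carrying our comment. With -a, nft appends "# handle N" to each rule line, so a
# stale rule left by an earlier run is found and removed as well.
acme_handles_from_listing() {
    sed -n "s/.*comment \"${ACME_TAG}\".*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p"
}

acme_open_port() {
    # Same rule the thread arrived at; quotes are escaped so nft sees comment "ACME".
    nft insert rule inet fw4 input tcp dport 80 counter accept comment "\"${ACME_TAG}\"" || return 1
}

acme_close_port() {
    # nft cannot delete by rule content, so look up the handle(s) first.
    handles=$(nft -a list chain inet fw4 input 2>/dev/null | acme_handles_from_listing)
    for h in $handles; do
        nft delete rule inet fw4 input handle "$h" 2>/dev/null
    done
}

# Constructed sample listing (not captured from a real router) showing two leftover
# ACME rules next to an unrelated fw4 rule that must not be touched.
SAMPLE_LISTING='table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		tcp dport 80 counter packets 3 bytes 180 accept comment "ACME" # handle 17
		ct state established,related accept comment "!fw4: Allow inbound established and related flows" # handle 5
		tcp dport 80 counter packets 0 bytes 0 accept comment "ACME" # handle 23
	}
}'

# Handles that acme_close_port would delete for the sample, space-separated.
acme_sample_handles() {
    printf '%s\n' "$SAMPLE_LISTING" | acme_handles_from_listing | tr '\n' ' '
}
```

Run `acme_sample_handles` to see the parsing on the sample without touching the live ruleset; on a router, call `acme_open_port` before the challenge and `acme_close_port` afterwards.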