Nftables rule help

Hi
My version is 23.05.0-rc3 now.

The VPN rule I used before is as follows; which nft command replaces it?
iptables -t nat -A postrouting_wan_rule -j ACCEPT -m policy --dir out --pol ipsec -m set --match-set ipsetlist dst

BTW, how do I use nftset instead of ipset?

My current configuration is
dnsmasq.conf:

conf-file=/etc/dnsmasq.d/dnsmasq.list.conf

dnsmasq.list.conf

server=/example.com/8.8.8.8#53
ipset=/example.com/ipset

The 23.05.0-rc3 configuration is

#server=/example.com/8.8.8.8#53
nftset=/example.com/4#inet#fw4#test

But it failed: dnsmasq cannot start (the netstat output shows nothing listening on port 53).

How do I query the nftset contents, like
#ipset list ipsetlist

Remove (or comment out) any ipset= lines in your custom dnsmasq.conf because by default in 23.05, dnsmasq is no longer compiled with ipset support (only nftset support).

nft list set inet fw4 test

IPSEC vpn policy migration from iptables to nft - #6 by andesu

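An added helper, not from this thread or from OpenWrt, that shows the migration the reply above asks for: it rewrites the ipset= directives in a dnsmasq config into nftset= form and reports any ipset= lines left behind, which is what stops dnsmasq from starting on 23.05. It assumes the sets live in the inet fw4 table and hold IPv4 addresses (hence the 4#inet#fw4# prefix, as in the nftset line above); fw4 still has to create the set itself, dnsmasq only adds entries.

```shell
#!/bin/sh
# Constructed helper: migrate dnsmasq "ipset=" directives to "nftset=".
# Assumptions: the target sets are defined in the fw4 table of the inet
# family and hold IPv4 addresses, hence the "4#" family prefix on each set.
NFT_FAMILY="${NFT_FAMILY:-inet}"
NFT_TABLE="${NFT_TABLE:-fw4}"
SET_AF="${SET_AF:-4}"

# migrate_ipset_lines: copy a dnsmasq config from stdin to stdout, turning
#   ipset=/dom1/dom2/set1,set2
# into
#   nftset=/dom1/dom2/4#inet#fw4#set1,4#inet#fw4#set2
# Every other line (server=, comments, blank lines) passes through unchanged.
migrate_ipset_lines() {
    awk -v af="$SET_AF" -v fam="$NFT_FAMILY" -v tbl="$NFT_TABLE" '
    /^ipset=\// {
        n = split($0, parts, "/")        # parts[1]="ipset=", parts[n]=set list
        out = "nftset="
        for (i = 2; i < n; i++) out = out "/" parts[i]
        out = out "/"
        m = split(parts[n], sets, ",")
        for (j = 1; j <= m; j++)
            out = out (j > 1 ? "," : "") af "#" fam "#" tbl "#" sets[j]
        print out
        next
    }
    { print }'
}

# no_ipset_left: succeed (exit 0) when stdin contains no ipset= directive;
# otherwise print the offending lines to stderr and fail, so a migrated
# config can be checked before restarting dnsmasq.
no_ipset_left() {
    if grep -n '^[[:space:]]*ipset=' >&2; then
        return 1
    fi
    return 0
}

# Usage: sh migrate.sh /etc/dnsmasq.d/dnsmasq.list.conf > new.list.conf
# On the constructed input "ipset=/example.com/ipset" this prints
#   nftset=/example.com/4#inet#fw4#ipset
if [ -n "${1:-}" ]; then
    migrate_ipset_lines < "$1"
fi
```

After writing the new file, `nft list set inet fw4 <name>` (as in the reply above) shows whether dnsmasq is populating the set once it restarts.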

Note that if you get "Error: Could not process rule: Not supported" when loading the meta ipsec exists rule, then you need to:

opkg install kmod-nft-xfrm

Pretty sure it auto loads, but you can force it with

modprobe -v nft_xfrm