Nftables-unbound openwrt 19.07.7

This is to compile through the image-builder channel with nftables, unbound, ssl for luci, log for nftables.

We download our tar.xz, in my case:

Unzip, and edit /include/
We delete the configuration of:

and instead we add:

DEFAULT_PACKAGES:=uhttpd luci-mod-admin-full luci-theme-bootstrap luci-app-opkg luci-proto-ppp libiwinfo-lua luci-proto-ipv6 rpcd-mod-rrdns base-files libc libgcc busybox dropbear mtd opkg netifd fstools uclient-fetch logd urandom-seed urngd uci libustream-mbedtls20150806 px5g-mbedtls luci-app-unbound

DEFAULT_PACKAGES.router:=ppp ppp-mod-pppoe odhcpd nftables kmod-nft-core kmod-nft-nat kmod-nfnetlink kmod-nft-nat6 kmod-nft-netdev kmod-nft-offload kmod-nft-bridge kmod-nft- arp kmod-nft-fib libxtables-nft12 unbound-daemon-heavy unbound-control ca-bundle libnetfilter-log1 ulogd ulogd-mod-nflog ulogd-mod-extra ca-certificates

Note that I install unbound-daemon-heavy, you can choose whatever version of unbound you want.

Now compile.
make image PROFILE="router model"

Update the firmware on your router.

You cannot access the router after the flash if you do not configure a fixed ip in your dhcp client, example:
Now if you have access to the router.
I didn't have access because odhcpd is not configured yet.

When you access the router for the first time, you will have to configure minimum odhcpd, unbound and nft. Following this link, search for "Unbound and odhcpd", to configure.

You can configure the wifi and configure the dropbear server to connect via ssh and upload your nftables.conf, add in rc.local
/usr/sbin/nft -f /etc/nftables.conf

You can also upload by ssh to /etc/init.d/nft

#!/bin/sh /etc/rc.common

DESC="firewall service"

start_service() {
	# Return
	#  0 if start OK
	#  2 if start NOK

	if [ ! -r "$CONF" ] ; then
		return 2
		logger -st $NAME $DESC "Error: No such config file $CONF"

	procd_set_param command $BIN -f $CONF
	procd_append_param command || return 0
	procd_set_param file $CONF

stop_service() {
	$BIN flush ruleset
	logger -st $NAME $DESC "stopped and ruleset flushed"

boot() {

You need execution permissions
chmod +x /etc/init.d/nft
service nft enable

Remove from rc.local: /usr/sbin/nft -f /etc/nftables.conf
You could have service nft restart / stop / start after modifying any parameter of your nftables.conf file.

nft list ruleset

To start the firewall at the start of the router power-up.
Without this well configured file you will not have internet access.

Restart the router and enjoy
Excuse my english