PROCD nft sets objects

Hello @jow et al.,

So before the transition to nftables, you could create firewall objects in PROCD to create/target ipsets, like this. With the transition I have the following questions:

  1. Does fw4 still support ipset objects in PROCD? Does it require iptables-legacy then? Any changes to the syntax of the firewall objects?
  2. What's the syntax for creation of an nft set and targeting the nft set with PROCD firewall objects? Since nft sets can only be created within tables (afaik), how do I create a new inet table within a firewall object?

Thanks!

Yes.

No. UCI declared "ipsets" are transparently translated to nft sets.

No changes, but some options are unsupported (but ignored) because they're not applicable to nft sets, such as storage.

The same as before when using fw3.

No need for that. uci declared sets will be spawned within the fw4 table.

2 Likes

Thank you for your prompt reply @jow!

I need clarification on a few things please:

  1. How can I declare type for the set? I've tested and by default it's type ipv4_addr with the flags: interval. I need to create an IPv6 set as well.
  2. Can I rely on the sets being created in the table fw4 of type inet in the future?

PS. I see the reasons for transparent translation of ipset objects into actual nft sets, but the naming is confusing. Is there any plan to allow using nftset in place of ipset in uci config/PROCD objects before 22.03 is released? Would the /usr/share/firewall4/main.uc need to be changed, or some other file? I'm confused.

Setting the ipset family to 6 should create a set with ipv6_addr type.

https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/usr/share/ucode/fw4.uc;h=dcb13ad6cb00135529605e79388e1bf9fc48ee1c;hb=HEAD#l3249

1 Like
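As an added example, not part of this thread and not firewall4's own code: a POSIX shell check that a UCI ipset section was materialized the way jow describes, i.e. as an nft set of the expected type inside the inet fw4 table. It parses the output of `nft list set inet fw4 <name>` and compares the set type with what the UCI family option should produce. The set name myhosts6, the UCI section shown in the comments and the `nft list set` output used for the offline run are constructed; accepting the fw3-style spellings ipv4/ipv6 for the family option alongside 4/6 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the firewall4 project).
# Checks that a UCI "config ipset" ended up as an nft set of the expected
# type in the inet fw4 table, as described in the thread above.
#
# UCI declaration this check targets (constructed, /etc/config/firewall):
#   config ipset
#       option name 'myhosts6'
#       option family '6'
#       list entry '2001:db8::/32'

# Map the UCI family option to the nft set type fw4 should produce:
# unset or 4 -> ipv4_addr (the default the OP observed), 6 -> ipv6_addr.
# Accepting the fw3-style spellings ipv4/ipv6 here is an assumption.
expected_set_type() {
    case "$1" in
        ""|4|ipv4) echo ipv4_addr ;;
        6|ipv6)    echo ipv6_addr ;;
        *)         echo unknown ;;
    esac
}

# $1: text of `nft list set inet fw4 <name>`; prints the value of its "type" line.
nft_set_type() {
    printf '%s\n' "$1" | awk '$1 == "type" { sub(/;$/, "", $2); print $2; exit }'
}

# $1: same text; prints the value of its "flags" line (empty if none).
nft_set_flags() {
    printf '%s\n' "$1" | awk '$1 == "flags" { sub(/;$/, "", $2); print $2; exit }'
}

# $1: `nft list set` output, $2: UCI family option. Returns 0 when the set
# type matches the family, 1 otherwise.
check_set() {
    want=$(expected_set_type "$2")
    got=$(nft_set_type "$1")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        return 0
    fi
    echo "set type mismatch: expected $want, got ${got:-<none>}" >&2
    return 1
}

# Constructed sample of what fw4 produces for the UCI section above.
# On a live router you would use: check_set "$(nft list set inet fw4 myhosts6)" 6
SAMPLE_V6='table inet fw4 {
	set myhosts6 {
		type ipv6_addr
		flags interval
		elements = { 2001:db8::/32 }
	}
}'

check_set "$SAMPLE_V6" 6 && echo "ok: myhosts6 is $(nft_set_type "$SAMPLE_V6") with flags $(nft_set_flags "$SAMPLE_V6")"
```

The check deliberately reads only the type and flags lines, so it works the same whether the set is empty or already populated, and a missing set (empty nft output) is reported as a mismatch rather than silently passing.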