Upgrade to Firewall 4 (nftables) with custom ip6tables rules

Background: I am in a strange network where a router can only get a single IPv6 address from the DHCPv6 server, that is to say, the IPv6 address of my router is a /128 address, which means I have to use NAT6 to enable IPv6 networking for my devices in the LAN.

With old versions of OpenWRT, I installed the ip6tables, kmod-ipt-nat6, kmod-ip6tables and kmod-ip6tables-extra packages to enable NAT for IPv6 and added custom firewall scripts in /etc/firewall.user:

ip6tables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i br-lan -j ACCEPT

But these rules are written for iptables, not nftables. I have tried adding custom nftables rules like:

table ip6 nat {
  chain my_masquerade {
    type nat hook postrouting priority srcnat;
    oifname "pppoe-wan" masquerade
  }
}

But I was told my syntax has an error; it seems I have no right to add a new table in custom rules. How do I solve this problem?

Further, it seems MWAN3 also cannot work properly in the new firewall environment, sadly.

I think you need to remove any iptables[xxx]-legacy packages and replace them with iptables-nft and ip6tables-nft, and your original iptables commands and mwan3 will work again.
I'm not sure if firewall.user still gets called though; you might have to run it via some other mechanism.


Thank you for your help!

Finally I used uci to add a masquerade rule and added two custom rules in /etc/nftables.d/10-custom-filter-chains.nft, and it worked.
In /etc/config/firewall:

config nat
	option name 'IPv6 Masquerade'
	option family 'ipv6'
	option src 'wan'
	option target 'MASQUERADE'
	list proto 'all'

In /etc/nftables.d/10-custom-filter-chains.nft:

chain user_post_forward {
    ct state established,related accept
    iifname br-lan accept
}
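An added example, not from this thread or from the OpenWrt project: a POSIX shell check to run on the router after applying the config above, as `fw4 print | check_nat6_ruleset` or `nft list ruleset | check_nat6_ruleset`. It confirms that the three rules the old ip6tables script provided (IPv6 masquerade on the WAN interface, established/related accept, and LAN accept in the forward path) now appear in the generated nftables ruleset, and it flags an unqualified accept from the WAN interface in the forward path, which would expose the NAT6 LAN to unsolicited inbound traffic. The interface names pppoe-wan and br-lan are from the thread; the sample ruleset embedded for offline testing is constructed and only approximates fw4's real output (the chain names srcnat_wan and forward_wan and the jump to user_post_forward are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the nftables ruleset fw4
# generates for the NAT6 setup. Reads `fw4 print` / `nft list ruleset` output
# on stdin; exit 0 when every check passes, 1 otherwise.
# WAN_IF / LAN_IF default to the thread's interface names (assumed overridable).

WAN_IF="${WAN_IF:-pppoe-wan}"
LAN_IF="${LAN_IF:-br-lan}"

# rs_has PATTERN: true when some line of the ruleset text in $ruleset matches.
rs_has() {
    printf '%s\n' "$ruleset" | grep -Eq "$1"
}

# check_nat6_ruleset: verify the NAT6 rules in the ruleset text given on stdin.
check_nat6_ruleset() {
    ruleset=$(cat)
    rc=0

    # 1. An IPv6 masquerade rule exists (fw4 emits `meta nfproto ipv6 ... masquerade`;
    #    the `ip6` alternative covers a hand-written `table ip6 nat` ruleset).
    if rs_has '(nfproto ipv6|ip6).*masquerade'; then
        echo "ok:   IPv6 masquerade rule present"
    else
        echo "FAIL: no IPv6 masquerade rule found"; rc=1
    fi

    # 2. Traffic leaving the WAN interface is matched somewhere (fw4 uses an
    #    `oifname "<wan>" jump srcnat_<zone>` rule in its srcnat chain).
    if rs_has "oifname \"?$WAN_IF\"?"; then
        echo "ok:   egress on $WAN_IF is matched"
    else
        echo "FAIL: no oifname $WAN_IF rule found"; rc=1
    fi

    # 3. Return traffic for existing flows is accepted in the forward path.
    if rs_has 'ct state established,related accept'; then
        echo "ok:   established/related accept present"
    else
        echo "FAIL: no established/related accept rule"; rc=1
    fi

    # 4. LAN-originated forwards are accepted (the second custom rule).
    if rs_has "iifname \"?$LAN_IF\"? accept"; then
        echo "ok:   forward accept from $LAN_IF present"
    else
        echo "FAIL: no forward accept for $LAN_IF"; rc=1
    fi

    # 5. Defensive check: an accept keyed only on the WAN interface, with no
    #    conntrack qualifier, would let unsolicited inbound IPv6 through NAT6.
    if printf '%s\n' "$ruleset" | grep -E "iifname \"?$WAN_IF\"? accept" \
            | grep -vq 'ct state'; then
        echo "FAIL: unqualified accept from $WAN_IF in forward path"; rc=1
    else
        echo "ok:   no unqualified accept from $WAN_IF"
    fi

    return $rc
}

# sample_ruleset: constructed, abridged text approximating fw4's generated
# ruleset after the uci nat section and the custom chain above are applied.
sample_ruleset() {
    cat <<'EOF'
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        jump user_post_forward
    }
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
    }
    chain srcnat_wan {
        meta nfproto ipv6 masquerade comment "!fw4: IPv6 Masquerade"
    }
    chain user_post_forward {
        ct state established,related accept
        iifname "br-lan" accept
    }
}
EOF
}

# Offline demonstration against the constructed sample; on a router use
# `fw4 print | check_nat6_ruleset` instead.
if [ "${1:-}" = "--demo" ]; then
    sample_ruleset | check_nat6_ruleset
fi
```

The check is deliberately loose (pattern matches on the textual ruleset rather than a full nft parse), so a passing result means the expected rules are present, not that nothing else in the ruleset is wrong; review the `forward` and `forward_wan` chains in `fw4 print` as well.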
