Warning: Mixing iptables and nftables

In the firewall tab I receive a notification:

Legacy rules detected
There are legacy iptables rules present on the system. Mixing iptables and nftables rules is discouraged and may lead to incomplete traffic filtering.

I suspect that it appeared due to the installation of docker.
How critical is this notification?
OpenWrt 23.05.3

Preferably you should use nftables modules, not xt_bridge and iptables ones.
See mapping:
https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables

Some modules plainly conflict, like mark and nat/masq if used from both sides at the same time; some modules do not have nft equivalents but can still be programmed via iptables-nft over the xt_bridge module.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
nft list ruleset | grep xt
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Bananapi BPI-R3",
        "board_name": "bananapi,bpi-r3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '.....'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '...….'

config device
        option name 'wan'
        option macaddr '..........'

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username '...….'
        option password '......'
        option ipv6 'auto'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config interface 'wwan'
        option proto 'fm350'
        option device '/dev/ttyUSB4'
        option apn '......'
        option username '...'
        option password '....'
        option pdp 'ipv4v6'
        option auto '0'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '......'
        option encryption 'psk2+ccmp'
        option macfilter 'allow'
        list maclist '....'
        option key '....'
        option disassoc_low_ack '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '......'
        option encryption 'psk2+ccmp'
        option key '......'
        list maclist '....'
        option macfilter 'allow'
        option disassoc_low_ack '0'

The last part is most important w.r.t. the warning.

Oh, sorry.
It's empty here.

iptables -V #should mention nft
iptables-save #should be empty

No, it's not like that:

root@OpenWrt:~# iptables -V
iptables v1.8.8 (legacy)


root@OpenWrt:~# iptables-save
# Generated by iptables-save v1.8.8 on Fri Aug 16 13:02:50 2024
*mangle
:PREROUTING ACCEPT [5677276:2568010501]
:INPUT ACCEPT [62764:8246787]
:FORWARD ACCEPT [5623493:2561273484]
:OUTPUT ACCEPT [62218:12850751]
:POSTROUTING ACCEPT [5684756:2573577801]
COMMIT
# Completed on Fri Aug 16 13:02:50 2024
# Generated by iptables-save v1.8.8 on Fri Aug 16 13:02:50 2024
*nat
:PREROUTING ACCEPT [47632:6848399]
:INPUT ACCEPT [3687:238532]
:OUTPUT ACCEPT [10821:755145]
:POSTROUTING ACCEPT [50840:7131699]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Aug 16 13:02:50 2024
# Generated by iptables-save v1.8.8 on Fri Aug 16 13:02:50 2024
*filter
:INPUT ACCEPT [65199:8586304]
:FORWARD ACCEPT [5692266:2592364662]
:OUTPUT ACCEPT [64421:13434661]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i br-wan -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Aug 16 13:02:50 2024
root@OpenWrt:~# 
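
As an added illustration, not part of the thread, the two checks asked for above (`iptables -V` should mention nft, `iptables-save` should be empty) plus the earlier `nft list ruleset | grep xt` can be scripted so the result is a single verdict rather than output to eyeball. The sample inputs at the bottom are constructed (abridged from the outputs posted above); on a real OpenWrt box run it with `--live` to read the actual commands. The verdict names and the `xt match`/`xt target` spelling of compat expressions in `nft list ruleset` are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the thread: classify the iptables front-end from
# `iptables -V`, count rules in `iptables-save` output, and count xtables
# compat expressions in `nft list ruleset`.

# Map the `iptables -V` banner to the backend it programs.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count non-default rules (the -A lines) in iptables-save text on stdin.
# grep -c prints 0 on no match but exits 1, hence the || true.
count_rules() {
    grep -c '^-A ' || true
}

# Count nft expressions that are really xtables modules running through the
# compat layer; assumed to appear as 'xt match "..."' / 'xt target "..."'.
count_xt_compat() {
    grep -Ec 'xt (match|target)' || true
}

# Combine backend and legacy rule count into one verdict (names assumed):
#   nft-backed              iptables writes into nf_tables, nothing to mix
#   legacy-rules-present    legacy binary AND legacy rules loaded (the warning)
#   legacy-binary-no-rules  legacy binary installed but no rules loaded
verdict() {
    backend=$1 rules=$2
    if [ "$backend" = nf_tables ]; then
        echo nft-backed
    elif [ "$backend" = legacy ] && [ "$rules" -gt 0 ]; then
        echo legacy-rules-present
    elif [ "$backend" = legacy ]; then
        echo legacy-binary-no-rules
    else
        echo unknown
    fi
}

# Constructed sample inputs (abridged from the thread's posted outputs).
SAMPLE_VERSION='iptables v1.8.8 (legacy)'
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -i br-wan -o docker0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
SAMPLE_NFT='table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
    }
}'

if [ "$1" = "--live" ]; then
    v=$(iptables -V 2>/dev/null || true)
    r=$(iptables-save 2>/dev/null | count_rules)
    x=$(nft list ruleset 2>/dev/null | count_xt_compat)
else
    v=$SAMPLE_VERSION
    r=$(printf '%s\n' "$SAMPLE_SAVE" | count_rules)
    x=$(printf '%s\n' "$SAMPLE_NFT" | count_xt_compat)
fi
b=$(iptables_backend "$v")
printf 'backend=%s legacy_rules=%s xt_compat_exprs=%s verdict=%s\n' \
    "$b" "$r" "$x" "$(verdict "$b" "$r")"
```

With the constructed sample this prints `backend=legacy legacy_rules=4 xt_compat_exprs=0 verdict=legacy-rules-present`, which is exactly the situation the LuCI warning describes: fw4's nft ruleset and docker's legacy iptables rules loaded side by side. A non-zero `xt_compat_exprs` with an nft-backed binary is the acceptable case the earlier reply mentions (legacy kmods driven via iptables-nft), not a mixed setup.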

I have docker on 23.05.4 and it didn't bring any iptables-related packages.

What's the output of:

opkg whatdepends iptables-nft
opkg whatdepends iptables-zz-legacy

?

root@OpenWrt:~# opkg whatdepends iptables-nft
Root set:
What depends on root set
root@OpenWrt:~# opkg whatdepends iptables-zz-legacy
Root set:
  iptables-zz-legacy
What depends on root set
        dockerd 27.1.1-1        depends on iptables
root@OpenWrt:~# 

For docker I installed:

  1. dockerd
  2. docker
  3. luci-app-dockerman

Oh, you're right, my bad, dockerd did bring some iptables packages.

Can you check the firewall? Do you also have this warning?

But my device is working fine.
I'm only concerned about safety.

No, I don't have this warning, but I'm also not using any fancy docker networking features.

You have to uninstall all zz-legacy stuff, pre-install the -nft stuff, then install docker/mwan/pbr/upnp etc.
The warning is an objective opinion on your broken firewall.

Put more directly:

In other words, @vlados, there is no guarantee that your firewall is working correctly. It is very likely broken.

If you do not mind that your firewall is probably not working correctly, then it is not critical at all.....

This is a known bug. If a package has a dependency on iptables listed in its OpenWrt makefile, then when installing that package, iptables-zz-legacy will be installed if iptables is not already available (iptables is not preinstalled by default from OpenWrt 23.05.0 onwards).

Although a PR to fix this by defaulting to iptables-nft was discussed, nobody who could merge such a PR was willing to do so. So, tough luck, now we all have to deal with "Legacy rules detected", on the basis that it would force package maintainers to migrate them to nftables. This did not happen, of course...

The actual workings depend on how the two module sets' hooks are ordered in the kernel: dropped packets are dropped, maybe before the other conntrack would like to pick up state; NATed packets go through the other output; ctmark/mark becomes zero for the other engine, unbalancing mwan. Try to settle it on one side as much as possible.

Oh, thanks for the clarification. I think I'll do a clean install without docker. It would be cool to have docker, especially when there are a lot of resources available, but for me it's not a primary goal. By the way, what about the procd init system? I read about it in the manual but didn't understand much (I have experience with docker, but I've been working with OpenWrt for a couple of days).

Install docker via LuCI and check for any legacy dependencies. You need (if I recall right) iptables-nft and ebtables-nft preinstalled, probably some others, but certainly not iptables-legacy. Irreplaceable legacy kmods are OK as long as xt_bridge runs them under command of iptables-nft.