AndreBL / ip6neigh

Giving local DNS names to IPv6 SLAAC addresses [OpenWrt/LEDE shell script]
GNU General Public License v2.0

Update Instructions to fw4 nftables #19

Open simpz opened 10 months ago

simpz commented 10 months ago

This project really should be a package or a core part of OpenWrt as it makes IPv6 so much more useful on OpenWrt! But anyway, thankfully this still works on fw4 with minor mods for "Configuration: Dynamic Firewall Rules".

The change to /etc/firewall.user (step 3) that seems correct and works for me is:

#ip6neigh
touch /tmp/etc/firewall.ip6neigh
# Create the chain that ip6neigh_rules.sh fills; 'add chain' is a no-op if it already exists
nft add chain inet fw4 wan6_forwarding
# Insert the jump from forward_wan only once, and only for global unicast (2000::/3),
# so ULA traffic never reaches the dynamic chain
if ! nft list chain inet fw4 forward_wan | grep -q wan6_forwarding ; then
    nft insert 'rule inet fw4 forward_wan iifname { "pppoe-wan", "wan" } ip6 daddr 2000::/3 jump wan6_forwarding'
else
    echo 'wan6_forwarding rule already in place'
fi

I have added in a check to see if wan6_forwarding is already there and a check that this rule is only applied to Internet addresses and not ULA ones.

The example /root/ip6neigh_rules.sh from step 4 can become:

#!/bin/sh

# Initialize the temp firewall script: flush the chain first so rules for
# addresses that have since changed do not linger
TMP_SCRIPT='/tmp/etc/firewall.ip6neigh'
echo "nft flush chain inet fw4 wan6_forwarding" > "$TMP_SCRIPT"

# Create new rules for dynamic IPv6 addresses here. Example for accepting TCP
# connections on port 80 on a local server that identifies itself as 'Webserver'
# through DHCP. The address is resolved by ip6neigh when this script runs; if the
# name is unknown the daddr is empty and nft rejects that one rule.
echo "nft add 'rule inet fw4 wan6_forwarding ip6 daddr $(ip6neigh addr Webserver.gua.lan 1) tcp dport 80 jump accept_to_lan'" >> "$TMP_SCRIPT"

# Run the generated temp firewall script
/bin/sh "$TMP_SCRIPT"

And of course the rest of your firewall.user needs to be fw4 compatible, i.e. nftables. Once it is, it needs to be flagged as such in /etc/config/firewall:

config include
    option path /etc/firewall.user
    option fw4_compatible 1

Just putting this out here in case the author wants to update, or in case it is useful to anyone else.
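As an added example, not code from the ip6neigh project or from the comment above, the following POSIX sh script builds the same /tmp/etc/firewall.ip6neigh file but refuses to emit a rule for a host whose address cannot be resolved or is not in 2000::/3, so a stale DHCP name never produces a malformed nft command. It assumes the chain names used above (wan6_forwarding, accept_to_lan), the .gua.lan suffix from the comment, and a hypothetical router_lookup wrapper around the ip6neigh command shown there; the host names are illustrative.

```shell
#!/bin/sh
# Added example (not from ip6neigh). Generates dynamic wan6_forwarding rules
# with address validation; the lookup command is a parameter so the generator
# can be exercised without ip6neigh or nft installed.

# is_gua ADDR: succeed if ADDR is inside 2000::/3 (first hextet 2000-3fff).
# ULA (fc00::/7), link-local (fe80::/10) and an empty string all fail.
is_gua() {
    case "$1" in
        [23][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# wan6_rule NAME ADDR PORT: print one nft command for the chain, or print
# nothing and return 1 when ADDR is empty or not global unicast.
wan6_rule() {
    name=$1
    addr=$2
    port=$3
    if [ -z "$addr" ]; then
        echo "# $name: no address known, rule skipped" >&2
        return 1
    fi
    if ! is_gua "$addr"; then
        echo "# $name: $addr is not in 2000::/3, rule skipped" >&2
        return 1
    fi
    printf 'nft add rule inet fw4 wan6_forwarding ip6 daddr %s tcp dport %s jump accept_to_lan\n' \
        "$addr" "$port"
}

# build_script LOOKUP NAME:PORT... : print the complete temp firewall script.
# LOOKUP is a command that prints the address for a host name (router_lookup
# on the router; a stub with constructed data when testing).
build_script() {
    lookup=$1
    shift
    echo "nft flush chain inet fw4 wan6_forwarding"
    for spec in "$@"; do
        name=${spec%:*}
        port=${spec##*:}
        addr=$("$lookup" "$name" 2>/dev/null || :)
        wan6_rule "$name" "$addr" "$port" || :
    done
}

# router_lookup NAME: the real resolver, wrapping the ip6neigh command from the
# comment above (assumes the .gua.lan suffix configured there).
router_lookup() {
    ip6neigh addr "$1.gua.lan" 1
}

# Usage on the router:  sh ip6neigh_rules.sh install Webserver:80 Printer:631
if [ "${1:-}" = "install" ]; then
    shift
    TMP_SCRIPT='/tmp/etc/firewall.ip6neigh'
    build_script router_lookup "$@" > "$TMP_SCRIPT"
    /bin/sh "$TMP_SCRIPT"
fi
```

Run with the "install" argument and a list of name:port pairs on the router; without it the file only defines the functions, which is what makes the generator easy to check offline. Skipped hosts are reported on stderr so a cron run still shows which names did not resolve.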

cvmiller commented 10 months ago

Good information. I'll look into adding it to the documentation for OpenWrt v21.02 and later.