openwrt / luci

LuCI - OpenWrt Configuration Interface
Apache License 2.0

Certain upstream switch to `firewall4` aka `nftables` instead of `iptables` #5409

Open aparcar opened 3 years ago

aparcar commented 3 years ago

Hi all, especially @openwrt/luci-admin,

for the next OpenWrt release firewall4 is considered a replacement for the current iptables-based firewall package. While the configuration stays within /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads up for everyone maintaining such packages, but please also post packages here that would be affected so a smoother migration is possible.

Heads up for packages.git: https://github.com/openwrt/packages/issues/16818
Heads up for routing.git: https://github.com/openwrt/routing/issues/731

aparcar commented 2 years ago

Heads up, firewall4 is getting into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables, please test your apps with iptables-nft and report back!

hnyman commented 2 years ago

I think that the Status->Firewall menu item and page is still totally iptables-based after 48599d8d1d, right?

https://github.com/openwrt/luci/blob/master/modules/luci-mod-status/htdocs/luci-static/resources/view/status/iptables.js

castillofrancodamian commented 2 years ago

> Heads up, firewall4 is getting into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables, please test your apps with iptables-nft and report back!

I cannot find the iptables-nft package.

aparcar commented 2 years ago

Yeah, sorry, the iptables-nft package is currently missing; it should be fixed via https://github.com/openwrt/openwrt/pull/4957

castillofrancodamian commented 2 years ago

> Yeah, sorry, the iptables-nft package is currently missing; it should be fixed via openwrt/openwrt#4957

I already found the iptables-nft package. Do you also have to install iptables and firewall, or just firewall4 and iptables-nft?

aparcar commented 2 years ago

@castillofrancodamian maybe @stintel can comment better than me, but from my understanding you could install firewall4 and iptables-nft; both will use nftables while keeping backward compatibility with the iptables wrapper.

castillofrancodamian commented 2 years ago

> @castillofrancodamian maybe @stintel can comment better than me, but from my understanding you could install firewall4 and iptables-nft; both will use nftables while keeping backward compatibility with the iptables wrapper.

Likewise, installing iptables-nft also installs iptables. The "real problem" is that I can't edit any firewall zones with the error "Cannot convert undefined or null to object" in LuCI.

aparcar commented 2 years ago

As discussed at yesterday's meeting, I merged the changes. The next release will use firewall4 as default, and all incompatible packages (e.g. those using ipset) should add a negative dependency. Our consideration is that the default (WiFi home router) setup works fine with firewall4, and special cases can always replace firewall4 with firewall3, which should work at least until the upcoming 5.15 kernels.

edrikk commented 2 years ago

Just for awareness, what is the etiquette / developer preference in terms of issues found?

Is it to post in the appropriate package/luci/core nftables thread (e.g. this one for LuCI),

or

create a bug and leave it there,

or

create a bug and post a reference in the appropriate nftables thread?

If the latter, I opened a LuCI bug where on two pages (main LuCI page and the upnp LuCI app) port forwards are no longer shown.

dfateyev commented 2 years ago

Just curious: what is the current status of this issue in terms of the 22.03 release requirements?

kode54 commented 2 years ago

luci-app-upnp has been patched to work with nftables, and accepted into the tree. I'm not sure if a legacy iptables version was kept.

edrikk commented 2 years ago

> luci-app-upnp has been patched to work with nftables, and accepted into the tree. I'm not sure if a legacy iptables version was kept.

I’ve been following the commits (and just rechecked) across the packages, luci, and openwrt repositories, but have not seen any commits around upnp.

I could of course just be missing it, although my local June 30th build from master does not show UPnP forwards, either in the main page's "Active UPnP Redirects" section or in the upnp menu (luci-app-upnp).

Maybe it takes a bit of time to show up if it was just accepted?

kode54 commented 2 years ago

The PR was closed, and they said they accepted it? I don't know.

kode54 commented 2 years ago

Oh, it was never closed: https://github.com/openwrt/luci/pull/5839

Ashus commented 1 year ago

Current status as of OpenWrt 23.05.0-rc2

This package depends on the outdated package miniupnpd-iptables and doesn't accept miniupnpd-nftables as a viable replacement. Obviously iptables has recently been replaced by nftables in OpenWrt, and miniupnpd-iptables doesn't work properly anymore. By default luci-app-upnp should come with miniupnpd-nftables.

To temporarily fix this, I need to call:

opkg remove miniupnpd-iptables --force-depends
opkg install miniupnpd-nftables

I got a response from @brada4, who pointed out that it is an alphabetical problem: both -iptables and -nftables are in the 'provides' part of this package, and the first one is used.
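The two practical checks this thread keeps circling back to are "which firewall backend is this box actually running" (the firewall4 + iptables-nft combination aparcar describes) and "does the installed miniupnpd variant match it" (Ashus's opkg workaround). The script below is an added example, not code from the issue, from LuCI or from OpenWrt; it takes the text of `opkg list-installed` and `iptables -V` as arguments so the decision logic can be tested off-box. The package names are the real ones from the thread; the version strings in the sample input are constructed placeholders, and the `install`/`remove` command it prints is the workaround quoted above, not something it runs for you.

```sh
#!/bin/sh
# Added example (not part of the openwrt/luci issue): classify an OpenWrt box's
# firewall stack from command output so a migration script can decide what to do.
# On a router you would call it as:
#   upnp_action "$(opkg list-installed)"
#   iptables_flavour "$(iptables -V 2>/dev/null)"

# Is package NAME present in the `opkg list-installed` text? Lines look like
# "name - version", so anchoring on "^name - " keeps "firewall" from matching
# "firewall4".
has_pkg() {
    printf '%s\n' "$1" | grep -q "^$2 - "
}

# Which firewall frontend is installed: firewall4 (nftables), firewall/fw3
# (iptables), or neither.
fw_backend() {
    if has_pkg "$1" firewall4; then
        echo nftables
    elif has_pkg "$1" firewall; then
        echo iptables
    else
        echo none
    fi
}

# Which iptables binary is present, from `iptables -V` output. iptables-nft
# reports "(nf_tables)"; legacy iptables reports "(legacy)". An empty string
# means the binary is absent (the 2>/dev/null case above).
iptables_flavour() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        "")              echo missing ;;
        *)               echo unknown ;;
    esac
}

# Decide which miniupnpd variant belongs with the installed firewall and print
# either "ok", "skip" (no firewall package found) or the opkg command that
# would fix the mismatch. --force-depends is needed because luci-app-upnp
# still depends on the virtual miniupnpd package, as the thread describes.
upnp_action() {
    pkgs="$1"
    case "$(fw_backend "$pkgs")" in
        nftables) want=miniupnpd-nftables; other=miniupnpd-iptables ;;
        iptables) want=miniupnpd-iptables; other=miniupnpd-nftables ;;
        *)        echo skip; return 0 ;;
    esac
    if has_pkg "$pkgs" "$want"; then
        echo ok
    elif has_pkg "$pkgs" "$other"; then
        echo "opkg remove $other --force-depends && opkg install $want"
    else
        echo "opkg install $want"
    fi
}

# Constructed sample input (version strings are placeholders, not real releases):
# a firewall4 box that still carries the iptables flavour of miniupnpd.
SAMPLE_PKGS='firewall4 - 1.0-1
iptables-nft - 1.0-1
miniupnpd-iptables - 1.0-1
luci-app-upnp - 1.0-1'

echo "backend:  $(fw_backend "$SAMPLE_PKGS")"
echo "iptables: $(iptables_flavour 'iptables v1.8.7 (nf_tables)')"
echo "action:   $(upnp_action "$SAMPLE_PKGS")"
```

Running it on the sample prints `backend: nftables`, `iptables: nf_tables`, and the exact remove/install pair from Ashus's comment. A fw3 box with miniupnpd-iptables reports `ok`, and a box with neither firewall package reports `skip` rather than guessing.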