openwrt / packages

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
GNU General Public License v2.0

Certain upstream switch to `firewall4` aka `nftables` instead of `iptables` #16818

Open aparcar opened 2 years ago

aparcar commented 2 years ago

Hi all, especially @openwrt/packages-write,

for the next OpenWrt release firewall4 is considered a replacement of the current iptables based firewall package. While the configuration stays within /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads up for everyone maintaining such packages, but also please post packages here that would be affected so a smoother migration is possible.

Compatible with firewall4:

Heads up for routing.git: https://github.com/openwrt/routing/issues/731
Heads up for luci.git: https://github.com/openwrt/luci/issues/5409

feckert commented 2 years ago

As the package maintainer of mwan3, I would also like to know what I have to do to make mwan3 fit for nftables. I did see that there was a firewall4, but I wasn't aware that it should already be included as the default firewall backend in the next release!

aparcar commented 2 years ago

It's possible, an idea to be discussed. There is no definite decision yet, however ideally maintainers start looking at firewall4 to have an idea what could change. Long term there might be a firewall5 package using eBPF; things are moving :)

ldir-EDB0 commented 2 years ago

My concern is over 'ipset' equivalent functionality support. dnsmasq v2.87 (not yet released) has immature support. adblock & banip rely heavily on ipsets and will need adjusting. miniupnpd has nftables support, the integration into fw4 will need looking at.

tohojo commented 2 years ago

Is the plan to ship the iptables-nft compatibility binary? And is there an overview somewhere of how firewall4 differs in which table names it uses compared with firewall3?

Off the top of my head, at least sqm-scripts and bcp38 contain iptables invocations.

feckert commented 2 years ago

Also acme does some iptables command https://github.com/openwrt/packages/blob/6c73457c09f838279b240bef59730cbff60ae799/net/acme/files/run.sh#L127-L133

tohojo commented 2 years ago

On 6 October 2021 12:31:12 CEST, Florian Eckert @.***> wrote:

Also acme does some iptables command https://github.com/openwrt/packages/blob/6c73457c09f838279b240bef59730cbff60ae799/net/acme/files/run.sh#L127-L133

Ah yes, so it does - totally forgot about that. Thanks for the reminder!

dibdot commented 2 years ago

adblock is purely DNS and doesn't use any direct iptables calls. Maybe simple-adblock is affected here - I don't know.

alexeys85 commented 2 years ago

collectd iptables plugin depends on libiptc as far as I know

luizluca commented 2 years ago

I would expand the list a little further:

feeds/packages $ grep -E "(ip6?tables(-save|-restore)?( |$|\"|'|\))|lib/iptables|\+iptables)" -R */ | cut -d/ -f2 | sort -u
acme
adblock
apfree-wifidog
banip
bcp38
collectd
coova-chilli
dockerd
etherwake-nfqueue
fail2ban
frr
fwknop
gnunet
https-dns-proxy
jool
keepalived
libreswan
miniupnpd
mwan3
podman
pppossh
redsocks
shadowsocks-libev
shorewall
shorewall6
shorewall6-lite
shorewall-lite
simple-adblock
sqm-scripts
strongswan
trafficshaper
uacme
v2raya
vpnbypass
vpnc-scripts
vpn-policy-routing
wifidog
xtables-addons

Except for shorewall and xtables-addons, which are clearly not compatible with firewall4/nftables, the rest is still open. Anything that depends on iptables or calls iptables(-save/-restore) needs some testing, especially if iptables-nft is in use.

Maybe we could edit this issue description mentioning maintainers after the package to ping them all?

I doubt that iptables-nft will be installed by default and I think fw3 will still be available as a fallback. It would be interesting to see how we deal with dependencies when both standard iptables and iptables-nft are available and the user could either use fw3 or fw4. Some packages might require iptables/nftables flavors.

aparcar commented 2 years ago

@luizluca the adblock package mentions iptables in its readme

adblock does not use error prone external iptables rulesets

aparcar commented 2 years ago

@stangri please track those packages here and not at luci.git

https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing
https://github.com/openwrt/packages/tree/master/net/vpnbypass

I've also started working on a fork of the former called pbr and it's also iptables-dependent.

stangri commented 2 years ago

@stangri please track those packages here and not at luci.git

https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing
https://github.com/openwrt/packages/tree/master/net/vpnbypass

I've also started working on a fork of the former called pbr and it's also iptables-dependent.

Sorry, didn't see notification about this issue until after this quote.

If there's no compatibility binary to allow iptables calls while using nftables, both vpn-policy-routing and vpnbypass are in trouble. They are heavily iptables dependent and it may take me a while to find the time to figure out the switch to nftables.

Both https-dns-proxy and simple-adblock are good to go.

aparcar commented 2 years ago

There is iptables-nft which is however not available upstream at this point. I'm currently trying to run a CI to offer binaries including it, will post updates.

jow- commented 2 years ago

You can ignore shorewall, it is an ip(6)tables preprocessor, so no need to port it to nftables.

brada4 commented 2 years ago

iptables-nft can use ipset, esp. for places where the only access list is an ipset. nft has its own sets, but the traditional ipset command does not bridge the gap.

pmelange commented 2 years ago

Aside from the command-line iptables/ip6tables, do we also need to keep an eye open for all packages which depend on kmod-ipt.*?

stintel commented 2 years ago

miniupnpd has nftables support, the integration into fw4 will need looking at.

@ldir-EDB0 As ex-maintainer, would you mind having a look at #17094?

pprindeville commented 2 years ago

I would expand the list a little further:

feeds/packages $ grep -E "(ip6?tables(-save|-restore)?( |$|\"|'|\))|lib/iptables|\+iptables)" -R */ | cut -d/ -f2 | sort -u
acme
adblock
apfree-wifidog
banip
bcp38
collectd
coova-chilli
dockerd
etherwake-nfqueue
fail2ban
frr
fwknop
gnunet
https-dns-proxy
jool
keepalived
libreswan
miniupnpd
mwan3
podman
pppossh
redsocks
shadowsocks-libev
shorewall
shorewall6
shorewall6-lite
shorewall-lite
simple-adblock
sqm-scripts
strongswan
trafficshaper
uacme
v2raya
vpnbypass
vpnc-scripts
vpn-policy-routing
wifidog
xtables-addons

Except for shorewall and xtables-addons, which are clearly not compatible with firewall4/nftables, the rest is still open. Anything that depends on iptables or calls iptables(-save/-restore) needs some testing, especially if iptables-nft is in use.

Maybe we could edit this issue description mentioning maintainers after the package to ping them all?

I doubt that iptables-nft will be installed by default and I think fw3 will still be available as a fallback. It would be interesting to see how we deal with dependencies when both standard iptables and iptables-nft are available and the user could either use fw3 or fw4. Some packages might require iptables/nftables flavors.

Not aware of support for nftables in strongswan. @Thermi?

Also, locally we use ipset for blocking traffic from non-essential devices after hours so they don't interfere with remote backups... as well as xtgeoip from xtables-addons to block traffic from hostile countries.

Should add that we do all of that in /etc/firewall.user.

pprindeville commented 2 years ago

Aside from the command-line iptables/ip6tables, do we also need to keep an eye open for all packages which depend on kmod-ipt.*?

This list can be pared down to ignore kmod-ipt-* and iptables-mod-* entries:

$ grep -e 'Package:' -e 'Depends:.*kmod-ipt' tmp/.packageinfo | grep -B1 'Depends:'
Package: kmod-ipt-conntrack
Depends:  +kmod-ipt-core +kmod-nf-conntrack
Package: kmod-ipt-conntrack-extra
Depends:  +kmod-ipt-core +kmod-ipt-conntrack
Package: kmod-ipt-conntrack-label
Depends:  +kmod-ipt-core +kmod-ipt-conntrack
Package: kmod-ipt-filter
Depends:  +kmod-ipt-core +kmod-lib-textsearch +kmod-ipt-conntrack
Package: kmod-ipt-offload
Depends:  +kmod-ipt-core +kmod-nf-flow
Package: kmod-ipt-ipopt
Depends:  +kmod-ipt-core 
Package: kmod-ipt-ipsec
Depends:  +kmod-ipt-core 
Package: kmod-ipt-ipset
Depends:  +kmod-ipt-core +kmod-nfnetlink
Package: kmod-nf-ipvs
Depends: @IPV6 +kmod-lib-crc32c +kmod-ipt-conntrack +kmod-nf-conntrack +kmod-ipt-core +kmod-ipt-conntrack
--
Package: kmod-ipt-nat
Depends:  +kmod-ipt-core +kmod-nf-nat
Package: kmod-ipt-raw
Depends:  +kmod-ipt-core 
Package: kmod-ipt-raw6
Depends: @IPV6 +kmod-ipt-core +kmod-ip6tables
Package: kmod-ipt-nat6
Depends: @IPV6 +kmod-ipt-core +kmod-nf-nat6 +kmod-ipt-core +kmod-ipt-conntrack +kmod-ipt-core +kmod-ipt-nat +kmod-ipt-core +kmod-ip6tables
Package: kmod-ipt-nat-extra
Depends:  +kmod-ipt-core +kmod-ipt-nat
--
Package: kmod-nf-nathelper-extra
Depends: +kmod-nf-nat +kmod-lib-textsearch +kmod-ipt-raw +kmod-asn1-decoder
Package: kmod-ipt-ulog
Depends:  +kmod-ipt-core 
Package: kmod-ipt-nflog
Depends:  +kmod-ipt-core +kmod-nfnetlink-log
Package: kmod-ipt-nfqueue
Depends:  +kmod-ipt-core +kmod-nfnetlink-queue
Package: kmod-ipt-debug
Depends:  +kmod-ipt-core +kmod-ipt-raw +IPV6:kmod-ipt-raw6
Package: kmod-ipt-led
Depends:  +kmod-ipt-core 
Package: kmod-ipt-tproxy
Depends:  +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables +kmod-ipt-core 
Package: kmod-ipt-tee
Depends: +kmod-ipt-conntrack +kmod-ipt-core 
Package: kmod-ipt-u32
Depends:  +kmod-ipt-core 
Package: kmod-ipt-checksum
Depends:  +kmod-ipt-core 
Package: kmod-ipt-iprange
Depends:  +kmod-ipt-core 
Package: kmod-ipt-cluster
Depends:  +kmod-ipt-core +kmod-nf-conntrack
Package: kmod-ipt-clusterip
Depends:  +kmod-ipt-core +kmod-nf-conntrack
Package: kmod-ipt-extra
Depends:  +kmod-ipt-core 
Package: kmod-ipt-physdev
Depends:  +kmod-ipt-core +kmod-br-netfilter
Package: kmod-ip6tables
Depends: @IPV6 +kmod-nf-reject6 +kmod-nf-ipt6 +kmod-ipt-core
--
Package: kmod-arptables
Depends: +kmod-ipt-core
Package: kmod-br-netfilter
Depends: +kmod-ipt-core
Package: kmod-ebtables
Depends: +kmod-ipt-core
--
Package: kmod-nf-conntrack-netlink
Depends:  +kmod-nfnetlink +kmod-ipt-conntrack
Package: kmod-ipt-hashlimit
Depends: +kmod-ipt-core
Package: kmod-ipt-rpfilter
Depends: +kmod-ipt-core
--
Package: kmod-vxlan
Depends: +kmod-iptunnel +kmod-udptunnel4 +IPV6:kmod-udptunnel6
Package: kmod-geneve
Depends: +kmod-iptunnel +kmod-udptunnel4 +IPV6:kmod-udptunnel6
--
Package: kmod-ipip
Depends: +kmod-iptunnel +kmod-iptunnel4
--
Package: kmod-ipsec4
Depends: kmod-ipsec +kmod-iptunnel4
Package: kmod-ipsec6
Depends: @IPV6 kmod-ipsec +kmod-iptunnel6
--
Package: kmod-ip-vti
Depends: +kmod-iptunnel +kmod-iptunnel4 +kmod-ipsec4
Package: kmod-ip6-vti
Depends: @IPV6 +kmod-iptunnel +kmod-ip6-tunnel +kmod-ipsec6
--
Package: kmod-sit
Depends: @IPV6 +kmod-iptunnel +kmod-iptunnel4
Package: kmod-fou
Depends: +kmod-iptunnel +kmod-udptunnel4 +IPV6:kmod-udptunnel6
--
Package: kmod-ip6-tunnel
Depends: @IPV6 +kmod-iptunnel6
Package: kmod-gre
Depends: +kmod-iptunnel
Package: kmod-gre6
Depends: @IPV6 +kmod-iptunnel +kmod-ip6-tunnel +kmod-gre
--
Package: kmod-sched-connmark
Depends: +kmod-sched-core +kmod-ipt-core +kmod-ipt-conntrack-extra
Package: kmod-sched-ctinfo
Depends: +kmod-sched-core +kmod-ipt-core +kmod-ipt-conntrack-extra
Package: kmod-sched-ipset
Depends: +kmod-sched-core +kmod-ipt-ipset
--
Package: kmod-sched
Depends: +kmod-sched-core +kmod-ipt-core +kmod-lib-crc32c
--
Package: kmod-mpls
Depends: +kmod-iptunnel
--
Package: firewall
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
--
Package: dnsmasq-full
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +libubus +PACKAGE_dnsmasq_full_dnssec:libnettle +PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
--
Package: libipset
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ipt-ipset +libmnl
Package: ipset
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ipt-ipset +libmnl +libipset
--
Package: iptables
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
--
Package: iptables-mod-conntrack-extra
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-conntrack-extra +kmod-ipt-raw
Package: iptables-mod-conntrack-label
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL
Package: iptables-mod-extra
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-extra
Package: iptables-mod-physdev
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-physdev
Package: iptables-mod-filter
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-filter
Package: iptables-mod-ipopt
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipopt
Package: iptables-mod-ipsec
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipsec
Package: iptables-mod-nat-extra
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-nat-extra
Package: iptables-mod-iprange
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-iprange
Package: iptables-mod-cluster
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-cluster
Package: iptables-mod-clusterip
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-clusterip
Package: iptables-mod-ulog
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ulog
Package: iptables-mod-hashlimit
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-hashlimit
Package: iptables-mod-rpfilter
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-rpfilter
Package: iptables-mod-led
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-led
Package: iptables-mod-tproxy
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-tproxy
Package: iptables-mod-tee
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-tee
Package: iptables-mod-u32
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-u32
Package: iptables-mod-nflog
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-nfnetlink-log +kmod-ipt-nflog
Package: iptables-mod-trace
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-debug
Package: iptables-mod-nfqueue
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-nfnetlink-queue +kmod-ipt-nfqueue
Package: iptables-mod-checksum
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-checksum
--
Package: ip6tables-mod-nat
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread ip6tables +kmod-ipt-nat6
--
Package: apfree-wifidog
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +zlib +iptables-mod-extra +iptables-mod-ipopt +kmod-ipt-nat +iptables-mod-nat-extra +libjson-c +ipset +libip4tc +libevent2 +libevent2-openssl +libuci +px5g
--
Package: kmod-ipt-coova
Depends: coova-chilli +kmod-ipt-core +libxtables
--
Package: libreswan
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +IPV6:kmod-ip6-vti +IPV6:kmod-ipsec6 +ip-full +iptables-mod-ipsec +kmod-crypto-aead +kmod-crypto-authenc +kmod-crypto-gcm +kmod-crypto-hash +kmod-crypto-rng +kmod-ip-vti +kmod-ipsec +kmod-ipsec4 +kmod-ipt-ipsec +kmod-xfrm-interface +libevent2 +libevent2-pthreads +libldns +librt +libunbound +nss-utils +nspr +libcap-ng
--
Package: kmod-openvswitch
Depends: +kmod-lib-crc32c +kmod-nf-nat +IPV6:kmod-nf-nat6 +kmod-nf-conntrack +IPV6:kmod-nf-conntrack6 +kmod-nsh +kmod-ipt-conntrack-extra  
--
Package: kmod-openvswitch-intree
Depends: +kmod-lib-crc32c +kmod-nf-nat +IPV6:kmod-nf-nat6 +kmod-nf-conntrack +kmod-udptunnel4 +kmod-ipt-conntrack-extra  @IPV6 @DEVEL
--
Package: shorewall
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +ip +iptables +kmod-ipt-hashlimit +kmod-ipt-raw +iptables-mod-hashlimit +shorewall-core +perl +perlbase-autoloader +perlbase-autouse +perlbase-dynaloader +perlbase-digest +perlbase-findbin +perlbase-getopt +perlbase-hash
--
Package: shorewall6
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +ip +ip6tables +kmod-ipt-hashlimit +kmod-ipt-raw6 +iptables-mod-hashlimit +shorewall-core +perl +perlbase-autoloader +perlbase-autouse +perlbase-dynaloader +perlbase-digest +perlbase-findbin +perlbase-getopt +perlbase-hash
--
Package: strongswan
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +libpthread +ip +kmod-crypto-authenc +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 +kmod-ipt-ipsec +iptables-mod-ipsec
--
Package: strongswan-mod-forecast
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread strongswan +kmod-ipt-conntrack-extra
--
Package: v2raya
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread @(aarch64||arm||i386||i686||mips||mips64||mips64el||mipsel||powerpc64||x86_64) +ca-bundle +iptables-mod-conntrack-extra +iptables-mod-extra +iptables-mod-filter +iptables-mod-tproxy +kmod-ipt-nat6 +xray-core
--
Package: vpn-policy-routing
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +jshn +ipset +iptables +resolveip +kmod-ipt-ipset +iptables-mod-ipopt +ip-full
--
Package: kmod-ipt-compat-xtables
Depends: +kmod-ipt-core +IPV6:kmod-ip6tables
Package: kmod-ipt-nathelper-rtsp
Depends: +kmod-ipt-core +kmod-ipt-conntrack-extra +kmod-ipt-nat
Package: iptables-mod-account
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-account
Package: kmod-ipt-account
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-chaos
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-chaos
Package: kmod-ipt-chaos
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables +kmod-ipt-delude +kmod-ipt-tarpit
Package: iptables-mod-condition
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-condition
Package: kmod-ipt-condition
Depends: +kmod-ipt-core 
Package: iptables-mod-delude
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-delude
Package: kmod-ipt-delude
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-dhcpmac
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-dhcpmac
Package: kmod-ipt-dhcpmac
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-dnetmap
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-dnetmap
Package: kmod-ipt-dnetmap
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables +kmod-ipt-nat
Package: iptables-mod-fuzzy
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-fuzzy
Package: kmod-ipt-fuzzy
Depends: +kmod-ipt-core 
Package: iptables-mod-geoip
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-geoip
Package: kmod-ipt-geoip
Depends: +kmod-ipt-core 
Package: iptables-mod-iface
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-iface
Package: kmod-ipt-iface
Depends: +kmod-ipt-core 
Package: iptables-mod-ipmark
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipmark
Package: kmod-ipt-ipmark
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-ipp2p
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipp2p
Package: kmod-ipt-ipp2p
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-ipv4options
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipv4options
Package: kmod-ipt-ipv4options
Depends: +kmod-ipt-core 
Package: iptables-mod-length2
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-length2
Package: kmod-ipt-length2
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-logmark
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-logmark
Package: kmod-ipt-logmark
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-lscan
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-lscan
Package: kmod-ipt-lscan
Depends: +kmod-ipt-core 
Package: iptables-mod-lua
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-lua
Package: kmod-ipt-lua
Depends: +kmod-ipt-core +kmod-ipt-conntrack-extra
Package: iptables-mod-proto
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-proto
Package: kmod-ipt-proto
Depends: +kmod-ipt-core 
Package: iptables-mod-psd
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-psd
Package: kmod-ipt-psd
Depends: +kmod-ipt-core 
Package: iptables-mod-quota2
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-quota2
Package: kmod-ipt-quota2
Depends: +kmod-ipt-core 
Package: iptables-mod-sysrq
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-sysrq
Package: kmod-ipt-sysrq
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables +kmod-crypto-hash
Package: iptables-mod-tarpit
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-tarpit
Package: kmod-ipt-tarpit
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
--
Package: bmx6
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ip6-tunnel +kmod-iptunnel6 +kmod-tun
--
Package: bmx7-tun
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread bmx7 +kmod-ip6-tunnel +kmod-iptunnel6 +kmod-tun
--
Package: kmod-ipt-rtpengine
Depends: +PACKAGE_kmod-ipt-rtpengine:kmod-crypto-hash +PACKAGE_kmod-ipt-rtpengine:kmod-ipt-core
$

Thermi commented 2 years ago

Hi, none natively, just via translation layer.

On 13 November 2021 00:32:13 UTC, Philip Prindeville @.***> wrote:

Not aware of support for nftables in strongswan. @Thermi?

Thermi commented 2 years ago

Also, as far as I remember some plugins (connmark, forecast) link libiptc and libip4tc, so that would need to be changed for proper nftables support.

oskarirauta commented 2 years ago

I have added cni-plugins-nft for podman, so wouldn't that then check podman out?

aparcar commented 2 years ago

@oskarirauta added, thank you.

aparcar commented 2 years ago

@openwrt/packages-write heads up, firewall4 gets into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables please test your apps with iptables-nft and report back!

AQPSal commented 2 years ago

Getting this message in the latest snapshot - noticed that the router had connectivity, clients could connect to the internet using IPv6 but not IPv4 - seemed a NAT/masquerade issue. No rules appeared in the firewall status. Checked the firewall - it did not seem to be running. Upon trying to start it, got the messages below.

root@OpenWrt:~# fw4 start
Section @forwarding[4] option 'src' is mandatory but not set
Reference error: left-hand side expression is not an array or object
In [anonymous function](), file /usr/share/ucode/fw4.uc, line 1892, byte 21:
  called from function [arrow function] (/usr/share/ucode/fw4.uc:540:77)
  called from function foreach ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:540:78)
  called from function render_ruleset (/usr/share/firewall4/main.uc:100:24)
  called from anonymous function (/usr/share/firewall4/main.uc:167:28)

`let f1 = fwd.src.zone ? fwd.src.zone.family : 0;`
Near here -------------------^

(Raspberry Pi 4, a few VLANs and zones)

stintel commented 2 years ago

root@OpenWrt:~# fw4 start
Section @forwarding[4] option 'src' is mandatory but not set
Reference error: left-hand side expression is not an array or object
In [anonymous function](), file /usr/share/ucode/fw4.uc, line 1892, byte 21:
  called from function [arrow function] (/usr/share/ucode/fw4.uc:540:77)
  called from function foreach ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:540:78)
  called from function render_ruleset (/usr/share/firewall4/main.uc:100:24)
  called from anonymous function (/usr/share/firewall4/main.uc:167:28)

`let f1 = fwd.src.zone ? fwd.src.zone.family : 0;`
Near here -------------------^

Please attach your /etc/config/firewall/

AQPSal commented 2 years ago

root@OpenWrt:~# fw4 start
Section @forwarding[4] option 'src' is mandatory but not set
Reference error: left-hand side expression is not an array or object
In [anonymous function](), file /usr/share/ucode/fw4.uc, line 1892, byte 21:
  called from function [arrow function] (/usr/share/ucode/fw4.uc:540:77)
  called from function foreach ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:540:78)
  called from function render_ruleset (/usr/share/firewall4/main.uc:100:24)
  called from anonymous function (/usr/share/firewall4/main.uc:167:28)

`let f1 = fwd.src.zone ? fwd.src.zone.family : 0;`
Near here -------------------^

Please attach your /etc/config/firewall/

Please see below. I entered all the rules using LuCI - I did not use the command line nor edit the file. As I was sanitizing it I noticed four forwarding rules with only dest or src. Perhaps they are what is causing the issue.

config defaults
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option drop_invalid '1'
    option input 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    list network 'lan'
    list network 'WG'
    option log '1'
    option forward 'REJECT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    option input 'DROP'
    option forward 'DROP'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'
    option dest '*'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
    option dest '*'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled '0'

config include
    option path '/etc/firewall.user'

config zone
    option name 'IOT'
    option output 'ACCEPT'
    list network 'IOT'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'Guest'
    option output 'ACCEPT'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'Guest'
    list network 'WG1'
    option log '1'

config zone
    option name 'UIOT'
    option output 'ACCEPT'
    list network 'UIOT'
    option forward 'REJECT'
    option input 'REJECT'

config forwarding
    option src 'IOT'
    option dest 'wan'

config forwarding
    option src 'Guest'
    option dest 'wan'

config forwarding
    option src 'UIOT'
    option dest 'wan'

config rule
    option src 'UIOT'
    option target 'ACCEPT'
    option name 'DNS-vlan8'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'

config rule
    option src 'UIOT'
    option target 'ACCEPT'
    option family 'ipv6'
    list proto 'udp'
    option name 'DHCP6-vlan8'
    option dest_port '546 547'

config rule
    option src 'UIOT'
    option target 'ACCEPT'
    option dest_port '67'
    option family 'ipv4'
    list proto 'udp'
    option name 'DHCP-vlan8'

config rule
    list proto 'udp'
    option src 'UIOT'
    option dest_port '5353'
    option target 'ACCEPT'
    option name 'mDNS-vlan8'

config rule
    option name 'Allow-ICMPv6-Input - vlan 8'
    option proto 'icmp'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    list icmp_type 'destination-unreachable'
    list icmp_type 'echo-reply'
    list icmp_type 'echo-request'
    list icmp_type 'neighbour-advertisement'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'packet-too-big'
    list icmp_type 'router-advertisement'
    list icmp_type 'router-solicitation'
    list icmp_type 'time-exceeded'
    option src 'UIOT'

config rule
    option src 'IOT'
    option target 'ACCEPT'
    option name 'DNS-vlan2'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'

config rule
    option src 'IOT'
    option target 'ACCEPT'
    option family 'ipv6'
    list proto 'udp'
    option name 'DHCP6-vlan2'
    option dest_port '546 547'

config rule
    option src 'IOT'
    option target 'ACCEPT'
    option dest_port '67'
    option family 'ipv4'
    list proto 'udp'
    option name 'DHCP-vlan2'

config rule
    list proto 'udp'
    option src 'IOT'
    option dest_port '5353'
    option target 'ACCEPT'
    option name 'mDNS-vlan2'

config rule
    option name 'Allow-ICMPv6-Input - vlan 2'
    option proto 'icmp'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    list icmp_type 'destination-unreachable'
    list icmp_type 'echo-reply'
    list icmp_type 'echo-request'
    list icmp_type 'neighbour-advertisement'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'packet-too-big'
    list icmp_type 'router-advertisement'
    list icmp_type 'router-solicitation'
    list icmp_type 'time-exceeded'
    option src 'IOT'

config rule
    option src 'Guest'
    option target 'ACCEPT'
    option name 'DNS-vlan7'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'

config rule
    option src 'Guest'
    option target 'ACCEPT'
    option family 'ipv6'
    list proto 'udp'
    option name 'DHCP6-vlan7'
    option dest_port '546 547'

config rule
    option src 'Guest'
    option target 'ACCEPT'
    option dest_port '67'
    option family 'ipv4'
    list proto 'udp'
    option name 'DHCP-vlan7'

config rule
    option proto 'icmp'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    list icmp_type 'destination-unreachable'
    list icmp_type 'echo-reply'
    list icmp_type 'echo-request'
    list icmp_type 'neighbour-advertisement'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'packet-too-big'
    list icmp_type 'router-advertisement'
    list icmp_type 'router-solicitation'
    list icmp_type 'time-exceeded'
    option src 'Guest'
    option name 'Allow-ICMPv6-Input - vlan 7'

config rule
    option name 'KaraokeGuest'
    option src 'Guest'
    list dest_ip '10.0.1.75'
    option dest_port '5000'
    option target 'ACCEPT'
    option family 'ipv4'
    option dest 'lan'
    list proto 'tcp'

config rule
    option name 'Wireguard'
    list proto 'udp'
    option src 'wan'
    option dest_port 'XXXXX'
    option target 'ACCEPT'

config forwarding
    option dest 'lan'

config forwarding
    option dest 'wan'

config forwarding
    option src 'lan'

config forwarding
    option src 'wan'

config redirect
    option target 'DNAT'
    option name 'DNS Redirect'
    option src 'IOT'
    option src_dip '8.8.8.8'
    option src_dport '53'
    option dest 'IOT'
    option dest_ip '10.0.2.1'
    option dest_port '53'

config forwarding
    option src 'lan'
    option dest 'IOT'

config forwarding
    option src 'lan'
    option dest 'Guest'

config forwarding
    option src 'lan'
    option dest 'UIOT'

config rule
    option name 'WireguardGuest'
    option src 'wan'
    option dest_port 'YYYYY'
    option target 'ACCEPT'
    list proto 'udp'

config rule
    list proto 'icmp'
    option target 'ACCEPT'
    option src 'IOT'
    option name 'Allow-ICMP-vlan2'
    option family 'ipv4'

config rule
    list proto 'icmp'
    option target 'ACCEPT'
    option name 'Allow-ICMP-vlan7'
    option src 'Guest'
    option family 'ipv4'
    list icmp_type 'echo-request'

config rule list proto 'icmp' option src 'UIOT' option target 'ACCEPT' option name 'Allow-ICMP-vlan8' option family 'ipv4' list icmp_type 'echo-request'

AQPSal commented 2 years ago

I manually deleted the odd-looking config forwarding rules - I have no idea how they got there. Firewall is working now.

However: The firewall status screen in LuCI is blank. The firewall LuCI screen gives me a "TypeError Cannot convert undefined or null to object" on the zones screen upon trying to make any change. The one odd thing is that I cannot ping FE80:: addresses from the router, but the router replies if a ping is sent to its LL address.

KA2107 commented 2 years ago

I got the following error when I tried to start firewall4 with "option force_dns 1" inside /etc/config/https-dns-proxy :

# fw4 start
ubus rule (ubus:https-dns-proxy[instance1] rule 1) option 'src' specifies invalid value 'lan'
Reference error: left-hand side expression is not an array or object
In infer_family(), file /usr/share/ucode/fw4.uc, line 270, byte 20:
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:2158:5)
  called from function [arrow function] (/usr/share/ucode/fw4.uc:548:85)
  called from function map ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:548:86)
  called from function render_ruleset (/usr/share/firewall4/main.uc:100:24)
  called from anonymous function (/usr/share/firewall4/main.uc:167:28)

            if (!obj || obj.family == 0 || obj.family == res)
Near here ------------------^

stangri commented 2 years ago

I got the following error when I tried to start firewall4 with "option force_dns 1" inside /etc/config/https-dns-proxy :

# fw4 start
ubus rule (ubus:https-dns-proxy[instance1] rule 1) option 'src' specifies invalid value 'lan'

@KA2107 Thank you for testing!

@aparcar @stintel here's the PROCD data used in the init script:

        # procd "data" block: fw4 reads the 'firewall' array over ubus and renders
        # it as rules (these are the ubus:https-dns-proxy[...] rules in the error above)
        procd_open_data
        json_add_array firewall
        for p in $forceDNSPorts; do
            # Port is served locally (a LISTEN socket exists, or it is 53 unconditionally):
            # DNAT the zone's DNS traffic on that port to the router itself.
            if netstat -tuln | grep 'LISTEN' | grep ":${p}" >/dev/null 2>&1 || [ "$p" = '53' ]; then
                json_add_object ''
                json_add_string type redirect
                json_add_string target DNAT
                # zone name is hardcoded; fw4 rejects it when no zone named 'lan' is defined
                json_add_string src lan
                json_add_string proto 'tcp udp'
                json_add_string src_dport "$p"
                json_add_string dest_port "$p"
                json_add_boolean reflection 0
                json_close_object
            else
                # Port is not served locally: reject the zone's outbound traffic to that
                # port so clients cannot bypass the local resolver.
                json_add_object ''
                json_add_string type rule
                json_add_string src lan
                json_add_string dest '*'
                json_add_string proto 'tcp udp'
                json_add_string dest_port "$p"
                json_add_string target REJECT
                json_close_object
            fi
        done
        json_close_array
        procd_close_data

Any idea why lan is invalid value for src in fw4?

KA2107 commented 2 years ago

@stangri @aparcar @stintel Looks like the issue may be on my end. I had renamed the "lan" zone to "lan_1" zone in my /etc/config/firewall. I had been running with firewall3 (iptables) with the "lan_1" zone for several months without any issue.

However when I tried firewall4 (nftables), /etc/init.d/firewall script was not getting loaded at startup and upon investigating I found this issue with https-dns-proxy. Not sure if I can call this a bug or if this is just an issue with my firewall config.
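A way to catch both of the config problems reported in this thread before fw4 trips over them (the one-sided forwarding stanzas above, and a rule or redirect whose src names a zone that no longer exists after a rename), as an added example that is not code from fw4, https-dns-proxy or anyone in this thread: a small UCI parser plus checker in Python, meant to run offline against a copy of /etc/config/firewall. The sample config embedded in it is constructed for the example (a lan zone renamed to lan_1, a redirect still pointing at lan, two half-specified forwardings); the function names parse_uci and check_firewall are mine, and treating '*' as "any zone" only on rules is a simplification of what fw4 accepts.

```python
import shlex
from collections import Counter

# Constructed sample, not a real router's config: the zone that used to be
# called 'lan' is now 'lan_1', a redirect still references 'lan', and two
# forwarding stanzas only carry one side.
SAMPLE_CONFIG = """\
config zone
    option name 'lan_1'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'IOT'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan_1'
    option dest 'wan'

config forwarding
    option dest 'lan'

config forwarding
    option src 'wan'

config rule
    option name 'DNS-vlan2'
    option src 'IOT'
    option target 'ACCEPT'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'

config redirect
    option name 'DNS Redirect'
    option target 'DNAT'
    option src 'lan'
    option src_dport '53'
    option dest_ip '10.0.2.1'
    option dest_port '53'
"""


def parse_uci(text):
    """Parse UCI text into a list of sections (hypothetical helper).

    Each section is a dict with: type, name (None for anonymous sections),
    options (single-valued 'option' keys) and lists (multi-valued 'list' keys).
    """
    sections = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw, comments=True)  # handles quoting and '#' comments
        if not parts:
            continue
        keyword = parts[0]
        if keyword == 'config' and len(parts) >= 2:
            current = {
                'type': parts[1],
                'name': parts[2] if len(parts) > 2 else None,
                'options': {},
                'lists': {},
            }
            sections.append(current)
        elif keyword == 'option' and current is not None and len(parts) >= 3:
            current['options'][parts[1]] = parts[2]
        elif keyword == 'list' and current is not None and len(parts) >= 3:
            current['lists'].setdefault(parts[1], []).append(parts[2])
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def check_firewall(sections):
    """Return human-readable problems with zone references (hypothetical helper)."""
    # Zone *names* (option name), not the interfaces listed under 'list network':
    # 'src'/'dest' on rules, redirects and forwardings refer to these names.
    zones = {s['options']['name'] for s in sections
             if s['type'] == 'zone' and 'name' in s['options']}
    problems = []
    counters = Counter()
    for s in sections:
        kind = s['type']
        counters[kind] += 1
        if kind not in ('rule', 'redirect', 'forwarding'):
            continue
        label = f"{kind} {counters[kind]}"
        if 'name' in s['options']:
            label += f" '{s['options']['name']}'"
        for key in ('src', 'dest'):
            value = s['options'].get(key)
            if value is None:
                # Only a forwarding needs both sides; rules and redirects may omit one.
                if kind == 'forwarding':
                    problems.append(f"{label}: missing option '{key}'")
                continue
            if kind == 'rule' and value == '*':
                continue  # '*' means any zone; accepted on rules only in this check
            if value not in zones:
                problems.append(
                    f"{label}: option '{key}' specifies unknown zone '{value}'")
    return problems


if __name__ == '__main__':
    for problem in check_firewall(parse_uci(SAMPLE_CONFIG)):
        print(problem)
```

Rules that a package injects through procd data (like the https-dns-proxy block earlier in this thread) never appear in /etc/config/firewall, so their src/dest values have to be compared against the same zone list separately; the zone set that check_firewall builds is the list to compare against.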

aparcar commented 2 years ago

As discussed at yesterday's meeting I merged the changes. The next release will use firewall4 as default and all packages incompatible (e.g. using ipset) should add a negative dependency. Our considerations are that the default (WiFi home router) setup works fine with firewall4 and special cases can always replace firewall4 with firewall3, which should work at least until the upcoming 5.15 kernels.

stangri commented 2 years ago

The dnsmasq-full still builds with ipset support. Is there a plan to switch to 2.87, which seems to be on the way to supporting nft sets?

This concerns me because of the policy routing packages which use dnsmasq ability to populate ipsets extensively. I don't mind looking into a rewrite to depend on nft, but unless there's a dnsmasq version which can populate nft sets instead of the ipsets, that would mean dropping one of the popular features.

I thought that I could delay the full rewrite by relying on iptables-nft for a while, that doesn't seem feasible anymore. :(

stintel commented 2 years ago

The dnsmasq-full still builds with ipset support. Is there a plan to switch to 2.87 which seems to be on the way of supporting nft sets?

openwrt/openwrt#4977

tiagogaspar8 commented 2 years ago

Hi @aparcar I have a question. I'm working on porting jool to a version that isn't dependent on iptables.

Jool by default supports two modes:

Netfilter mode works on both iptables and nftables via the netlink API.

The iptables mode obviously only works with iptables.

My question is, since we're inevitably dropping iptables, when porting jool do I make a package with only netlink and end the porting or do I make a package with netlink and another with both?

Thanks.

aparcar commented 2 years ago

I'd suggest to go with netfilter only but if you want to support people that need iptables, you'd need both. I don't know how much work it is so I'd focus for now on netfilter.

tiagogaspar8 commented 2 years ago

That's the question, netfilter is done, iptables is the one giving me a lot of work... I'll make a pull request then 😁😁😁

hnyman commented 2 years ago

Related to discussion at #17671

I just assumed that the iptables-nft binary installed a compatibility symlink to the iptables binary; otherwise, what's the point of having a compatibility binary if applications have to select it explicitly? Shouldn't this be fixed in the iptables-nft package instead?

Good question. So far there is not much info about the usage of iptables-nft in the OpenWrt context.

@aparcar enabled some iptables option with https://github.com/openwrt/openwrt/commit/0637093e8cb0e4cfb94dfcfe7b57afc23bf88852 in order to provide some nftables compatibility, but I don't think that the option actually installs iptables-nft. I had to install it separately.

And so far the "iptables" and "iptables-nft" lead to different binaries. I manually installed iptables-nft package, and after that it looks like this:

root@router1:/usr/sbin# ls -lt /usr/sbin/*tabl*
lrwxrwxrwx    1 root     root            17 Jan 21 17:48 /usr/sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx    1 root     root            17 Jan 21 17:48 /usr/sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx    1 root     root            17 Jan 21 17:48 /usr/sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx    1 root     root            17 Jan 21 17:48 /usr/sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx    1 root     root            17 Jan 21 17:48 /usr/sbin/iptables-translate -> xtables-nft-multi
lrwxrwxrwx    1 root     root            20 Jan 21 17:19 /usr/sbin/iptables -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Jan 21 17:19 /usr/sbin/iptables-restore -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Jan 21 17:19 /usr/sbin/iptables-save -> xtables-legacy-multi
-rwxr-xr-x    1 root     root         58631 Jan 21 17:19 /usr/sbin/xtables-legacy-multi
-rwxr-xr-x    1 root     root        149855 Jan 14 01:42 /usr/sbin/xtables-nft-multi
OpenWrt SNAPSHOT, r18614-46ce629fe0
 -----------------------------------------------------
root@router1:~# iptables -V
iptables v1.8.7 (legacy)
root@router1:~# iptables-nft -V
iptables v1.8.7 (nf_tables)

Would be great if somebody with actual knowledge about the nftables firewall infra would enlighten us about the transition tools. (And maybe that symlink of iptables --> iptables-nft should be added, like some desktop distros apparently do.)

dangowrt commented 2 years ago

We could use ALTERNATIVES for that, see e.g. openssh vs. dropbear packages both providing candidates for scp and the package manager takes care of maintaining a symlink.

tiagogaspar8 commented 2 years ago

Jool netfilter is merged, you can cross off jool @aparcar Thanks for the help!

hnyman commented 2 years ago

Regarding module dependencies, some interesting stuff pops up when packages are being modified. E.g. @tohojo tried to straighten out SQM, but SQM selecting iptables-nft instead of iptables caused a circular dependency.

Collecting package info: done
tmp/.config-package.in:38676:error: recursive dependency detected!
tmp/.config-package.in:38676:   symbol PACKAGE_libxtables is selected by PACKAGE_tc-mod-iptables
tmp/.config-package.in:108984:  symbol PACKAGE_tc-mod-iptables is selected by PACKAGE_tc-tiny
tmp/.config-package.in:108997:  symbol PACKAGE_tc-tiny is selected by PACKAGE_sqm-scripts
tmp/.config-package.in:1243:    symbol PACKAGE_sqm-scripts depends on PACKAGE_libxtables

Change in SQM Makefile causing the circular dependency:

...
-  DEPENDS:=+tc +kmod-sched-cake +kmod-ifb +iptables \
-       +iptables-mod-ipopt +iptables-mod-conntrack-extra
+  DEPENDS:=+tc +kmod-sched-cake +kmod-ifb +iptables-nft
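Review bot: replacing +iptables with +iptables-nft alone is exactly what the build log above reports as recursive (PACKAGE_sqm-scripts depends on PACKAGE_libxtables through tc-tiny/tc-mod-iptables, while iptables-nft only depends on iptables rather than selecting it), so keep +iptables next to +iptables-nft in the DEPENDS line, e.g. `DEPENDS:=+tc +kmod-sched-cake +kmod-ifb +iptables +iptables-nft`, until the iptables-nft dependency itself is changed. The hunk also silently drops +iptables-mod-ipopt and +iptables-mod-conntrack-extra without a replacement; the commit message should say whether the matches those modules provided are no longer needed under the nft backend.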

I think that we (currently) need to also select the old iptables, as iptables-nft has for some strange reason the "at" dependency for iptables, instead of selecting it. https://github.com/openwrt/openwrt/blob/0637093e8cb0e4cfb94dfcfe7b57afc23bf88852/package/network/utils/iptables/Makefile#L111

That easily causes a circular dependency when iptables-nft is selected along other network related packages.

(Selecting also iptables in sqm Makefile fixes the circular dependency.)

In the long run the better solution would likely be to change the dependency directly at iptables-nft, but I am not even sure why there is that iptables dependency at iptables-nft, as I believe that iptables-nft is more related to nftables than to iptables. (But I have no deeper knowledge about the intricacies here.) Is the legacy iptables actually needed for iptables-nft?

To me it seems that the whole iptables/nftables/tc/whatever dependency universe is currently a bit twisted, likely because the dependencies have been drafted from the "iptables as default" perspective. (and there is separately ip6tables-nft and all the ipv6 side...)

Hopefully people with enough knowledge about the netfilter modules can straighten the dependencies out.

ghost commented 2 years ago

Long term there might be a firewall5 package using eBPF things are moving :)

@aparcar why don't we make the jump to firewall5 aka eBPF instead of nftables?

nftables 🤢🤮

tiagogaspar8 commented 2 years ago

As I've read many times, eBPF isn't ready for production and stable environments for now, maybe in a year or two we can have this headache porting everything to eBPF 😆

PolynomialDivision commented 2 years ago

We just noticed that regex matching in firewall rules is no longer supported?

For example all wireguard interfaces with naming should be included in the zone freifunk:

config zone 'zone_freifunk'
	option name 'freifunk'
	list device 'wg_+'

This does not work anymore.

CC: @spolack

champtar commented 2 years ago

@PolynomialDivision try * instead of +

stangri commented 2 years ago

As I've read many times, eBPF isn't ready for production and stable environments for now, maybe in a year or two we can have this headache porting everything to eBPF 😆

Wouldn't the maturity of eBPF just coincide perfectly with the next stable OpenWrt release timing then?

neheb commented 2 years ago

nope. I don't think eBPF is available for all OpenWrt supported platforms.

spolack commented 2 years ago

@PolynomialDivision try * instead of +

This won't work, as nftables doesn't support wildcard matching within sets. Furthermore I'd expect fw4 to handle this transparently for the user, otherwise it's not suitable as a drop-in replacement, breaking a standard configuration for many setups.

TheB1gG commented 2 years ago

nope. I don't think eBPF is available for all OpenWrt supported platforms.

Wouldn't it be useful to do that then only for supported platforms, like already done for the kernel? Looking at the possible performance gains, eBPF could be useful for platforms in environments which work with 1-25 Gbps. Those speeds are not so uncommon for consumers anymore.

neheb commented 2 years ago

IIRC, x86, ARM, and MIPS currently have eBPF support. No idea about PowerPC or older ARM. ARC is non existent.