
Certain upstream switch to firewall4 aka nftables instead of iptables #5409

Open
aparcar opened this issue Oct 6, 2021 · 15 comments

Comments

@aparcar
Member

aparcar commented Oct 6, 2021

Hi all, especially @openwrt/luci-admin,

for the next OpenWrt release firewall4 is considered as a replacement of the current iptables based firewall package. While the configuration stays within /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads up for everyone maintaining such packages, but please also post packages here that would be affected so a smoother migration is possible.

Heads up for packages.git: openwrt/packages#16818
Heads up for routing.git: openwrt/routing#731

@aparcar
Member Author

aparcar commented Jan 7, 2022

Heads up, firewall4 gets into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables please test your apps with iptables-nft and report back!

@hnyman
Contributor

hnyman commented Jan 7, 2022

I think that the Status->Firewall menu item and page is still totally iptables based after 48599d8, right?

https://github.com/openwrt/luci/blob/master/modules/luci-mod-status/htdocs/luci-static/resources/view/status/iptables.js

@castillofrancodamian
Contributor

> Heads up, firewall4 gets into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables please test your apps with iptables-nft and report back!

I cannot find the iptables-nft package.

@aparcar
Member Author

aparcar commented Jan 13, 2022

Yeah, sorry, the iptables-nft package is currently missing; it should be fixed via openwrt/openwrt#4957

@castillofrancodamian
Contributor

> Yeah, sorry, the iptables-nft package is currently missing; it should be fixed via openwrt/openwrt#4957

I already found the iptables-nft package. Do you also have to install iptables and firewall or just firewall4 and iptables-nft?

@aparcar
Member Author

aparcar commented Jan 14, 2022

@castillofrancodamian maybe @stintel can comment better than me but from my understanding you could install firewall4 and iptables-nft, both will use NFTables while keeping backward compatibility with the iptables wrapper.

@castillofrancodamian
Contributor

> @castillofrancodamian maybe @stintel can comment better than me but from my understanding you could install firewall4 and iptables-nft, both will use NFTables while keeping backward compatibility with the iptables wrapper.

Likewise, installing iptables-nft also installs iptables. The "real problem" is that I can't edit any firewall zones with the error "Cannot convert undefined or null to object" in LuCI.

aparcar changed the title from "Possible upstream switch to firewall4 aka nftables instead of iptables" to "Certain upstream switch to firewall4 aka nftables instead of iptables" on Jan 19, 2022

@aparcar
Member Author

aparcar commented Jan 19, 2022

As discussed at yesterday's meeting I merged the changes. The next release will use firewall4 as default and all incompatible packages (e.g. those using ipset) should add a negative dependency. Our considerations are that the default (WiFi home router) setup works fine with firewall4 and special cases can always replace firewall4 with firewall3, which should work at least until the upcoming 5.15 kernels.
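The thread asks maintainers to find packages that call iptables directly and, where a package depends on something the iptables-nft shim does not cover (ipset is the example given), to add a negative dependency. The script below is an added example, not code from the OpenWrt project or from anyone in this thread: it scans a package's shell script for direct calls to legacy netfilter tools and gives a coarse verdict per tool. The sample init script is constructed, and the verdicts encode only what the thread states (iptables-family binaries can run through iptables-nft, ipset cannot); ebtables and arptables are flagged for manual review because the thread says nothing about them.

```shell
#!/bin/sh
# Added example, not OpenWrt project code: scan a package's shell script for
# direct calls to legacy netfilter tools that a firewall4 system may not have.

# Constructed sample standing in for a package's /etc/init.d script.
SAMPLE_SCRIPT="$(mktemp)"
trap 'rm -f "$SAMPLE_SCRIPT"' EXIT
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/bin/sh /etc/rc.common
START=99
start() {
    iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
    ip6tables -I INPUT -p udp --dport 5353 -j ACCEPT
    ipset create blocklist hash:ip
    nft add rule inet fw4 input tcp dport 22 accept
    echo "iptables" > /tmp/fw.log   # tool name inside a string, not a call
    # iptables -F   (commented out, must not be reported)
}
EOF

# Tool names treated as legacy (assumption for this example).
LEGACY_TOOLS='iptables|ip6tables|iptables-save|iptables-restore|ip6tables-save|ip6tables-restore|ipset|ebtables|arptables'

# Print "lineno:text" for every line that runs a legacy tool as a command:
# the tool name must sit at line start or after whitespace, ';', '&', '|' or '(',
# and must be followed by whitespace or end of line. Comment lines are skipped.
find_legacy_fw_calls() {
    grep -nE '(^|[;&|(]|[[:space:]])('"${LEGACY_TOOLS}"')([[:space:]]|$)' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Number of offending lines in the script given as $1.
count_legacy_fw_calls() {
    find_legacy_fw_calls "$1" | wc -l | tr -d ' '
}

# Coarse verdict per tool, following the thread: iptables-family binaries can
# be served by the iptables-nft shim; ipset has no shim, so the package should
# declare a negative dependency on firewall4; anything else needs a human look.
classify_tool() {
    case "$1" in
        iptables|ip6tables|iptables-save|iptables-restore|ip6tables-save|ip6tables-restore)
            echo "shim-ok:iptables-nft" ;;
        ipset)
            echo "incompatible:negative-dependency-on-firewall4" ;;
        *)
            echo "review:no-shim-known" ;;
    esac
}

# One tab-separated line per finding: verdict, then the original "lineno:text".
report_legacy_fw_calls() {
    find_legacy_fw_calls "$1" | while IFS= read -r line; do
        text=${line#*:}                     # strip the "lineno:" prefix
        tool=$(printf '%s\n' "$text" | grep -oE "(${LEGACY_TOOLS})" | head -n 1)
        printf '%s\t%s\n' "$(classify_tool "$tool")" "$line"
    done
}

report_legacy_fw_calls "$SAMPLE_SCRIPT"
```

Run against a real package, point it at the package's init script or at the extracted files of an .ipk; a non-empty report with an `incompatible` line is the signal that the package needs the negative dependency the thread describes, while `shim-ok` lines only need a test run with iptables-nft installed.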

@edrikk

edrikk commented Feb 16, 2022

Just for awareness, what is the etiquette / developer preference in terms of issues found?

Is it to post in the appropriate package/luci/core nftables thread (e.g. this one for LuCI)

or

create a bug and leave it there,

or

create a bug and post a reference in the appropriate nftables thread.

If the latter, I opened a LuCI bug where on two pages (main LuCI and the upnp luci app) port forwards are no longer shown.

@dfateyev

Just curious: what is the current status of this issue in terms of the 22.03 release requirements?

@kode54

kode54 commented Jul 1, 2022

luci-app-upnp has been patched to work with nftables, and accepted into the tree. I'm not sure if a legacy iptables version was kept.

@edrikk

edrikk commented Jul 2, 2022

> luci-app-upnp has been patched to work with nftables, and accepted into the tree. I'm not sure if a legacy iptables version was kept.

I’ve been following the commits (and just rechecked) across the packages, luci, and openwrt repositories, but have not seen any commits around upnp.

I could of course be just missing it, although my local June 30th build from master does not show upnp forwards in either of the main page’s “Active UPnP Redirects” section, nor in the upnp menu (luci-app-upnp).

Maybe it takes a bit of time to show up if it was just accepted?

@kode54

kode54 commented Jul 2, 2022

The PR was closed, and they said they accepted it? I don't know.

@kode54

kode54 commented Jul 2, 2022

Oh, it was never closed: #5839

@Ashus
Contributor

Ashus commented Aug 20, 2023

Current status as of OpenWrt 23.05.0-rc2

This package depends on the outdated package miniupnpd-iptables and doesn't take miniupnpd-nftables as a viable replacement. Obviously iptables has been replaced by nftables in OpenWrt recently and miniupnpd-iptables doesn't work properly anymore. By default luci-app-upnp should come with miniupnpd-nftables.

To temporarily fix this, I need to call:

opkg remove miniupnpd-iptables --force-depends
opkg install miniupnpd-nftables

I got a response from @brada4 who pointed out that it is an alphabetical problem: both -iptables and -nftables are in the 'provides' part of this package and the first one gets used.
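Because the dependency resolver picks miniupnpd-iptables alphabetically, a firewall4 system can end up with a UPnP daemon that talks to the wrong backend without any install-time error. The check below is an added example, not OpenWrt tooling or anything posted in this thread: it parses `opkg list-installed`-style output (here a constructed sample with placeholder versions) and reports when the installed firewall package and the installed miniupnpd backend disagree, printing the two opkg commands from the comment above for the case the thread describes. The fw3-with-nftables-backend combination is only flagged for review, since the thread does not say whether it works.

```shell
#!/bin/sh
# Added example, not OpenWrt project code: verify that the installed firewall
# implementation and the installed miniupnpd backend match.

# Constructed `opkg list-installed`-style output; "X.Y-Z" are placeholder versions.
SAMPLE_INSTALLED='firewall4 - X.Y-Z
luci-app-upnp - X.Y-Z
miniupnpd-iptables - X.Y-Z
nftables-json - X.Y-Z'

# Print the installed firewall package name ("firewall4" for fw4, "firewall"
# for fw3, or nothing) from list-installed text on stdin.
installed_firewall() {
    awk '$1 == "firewall4" || $1 == "firewall" { print $1; exit }'
}

# Print the installed miniupnpd backend package name, or nothing.
installed_upnp_backend() {
    awk '$1 ~ /^miniupnpd-(iptables|nftables)$/ { print $1; exit }'
}

# $1: list-installed text. Prints "ok", or a "mismatch:"/"review:" line with
# the suggested fix. Exit status: 0 ok, 1 mismatch, 2 needs review.
check_upnp_backend() {
    fw=$(printf '%s\n' "$1" | installed_firewall)
    upnp=$(printf '%s\n' "$1" | installed_upnp_backend)
    case "$fw:$upnp" in
        *:)
            # No miniupnpd backend installed, nothing to compare.
            echo ok; return 0 ;;
        firewall4:miniupnpd-nftables|firewall:miniupnpd-iptables)
            echo ok; return 0 ;;
        firewall4:miniupnpd-iptables)
            # The case reported in the thread: swap the backend. --force-depends is
            # needed because luci-app-upnp still declares the -iptables dependency.
            echo "mismatch: firewall4 installed but miniupnpd uses the iptables backend"
            echo "  opkg remove miniupnpd-iptables --force-depends"
            echo "  opkg install miniupnpd-nftables"
            return 1 ;;
        firewall:miniupnpd-nftables)
            echo "review: fw3 (package firewall) with the nftables miniupnpd backend; not covered here"
            return 2 ;;
        *)
            echo "review: no firewall package found alongside $upnp"
            return 2 ;;
    esac
}

if check_upnp_backend "$SAMPLE_INSTALLED"; then
    echo "backends consistent"
fi
```

On a device, feed it the real output with `check_upnp_backend "$(opkg list-installed)"`; an exit status of 1 means the daemon is using the backend the active firewall no longer drives, which is exactly the "no port forwards shown" symptom reported earlier in the thread.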

7 participants