Certain upstream switch to firewall4 aka nftables instead of iptables

[aparcar]

Hi all, especially @openwrt/packages-write,

for the next OpenWrt release firewall4 is considered as a replacement of the current iptables based firewall package. While the configuration stays within /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads up for everyone maintaining such packages but also please post packages here that would be affected so a smother migration is possible.

Compatible with firewall4:

• acme
• adblock
• apfree-wifidog
• banip
• bcp38
• collectd (iptables plugin still uses iptables, no nftables plugin)
• coova-chilli
• dockerd
• etherwake-nfqueue
• fail2ban
• frr
• fwknop
• gnunet
• https-dns-proxy
• jool
• keepalived keepalived: enable nftables filtering #18058
• libreswan
• miniupnpd miniupnpd: bump version, drop igdv1 variant, add nftables support #17094
• mwan3 mwan3: update to version 2.11.0 #17940 only via iptables-nft
• phantap
• podman via dcbef6f
• pppossh
• redsocks
• shadowsocks-libev ((shadowsocks-libev: convert to using nft #17937)
• shorewall
• shorewall6
• shorewall6-lite
• shorewall-lite
• simple-adblock
• sqm-scripts
• strongswan
• trafficshaper
• uacme
• v2raya (v2raya: add iptables as dependency #18052)
• vpnbypass
• vpnc-scripts
• vpn-policy-routing
• wifidog
• xtables-addons

Heads up for routing.git: openwrt/routing#731
Heads up for luci.git: openwrt/luci#5409

[feckert]

As the package maintainer of the mwan3, I would also like to know what I have to do to make the mwan3 fit for nftables.
I did see that there was a firewall4, but I wasn't aware that it should already include as default firewall backend in the next release!

[aparcar]

It's possible, an idea to be discussed. There is no definite decision yet, however ideally maintainer start looking at firewall4 to have an idea what could change. Long term there might be a firewall5 package using eBPF things are moving :)

[ldir-EDB0]

My concern is over 'ipset' equivalent functionality support. dnsmasq v2.87 (not yet released) has immature support. adblock & banip rely heavily on ipsets and will need adjusting.
miniupnpd has nftables support, the integration into fw4 will need looking it.

[tohojo]

Is the plan to ship the iptables-nft compability binary? And is there an overview somewhere of how firewall4 differs in which table names it uses compared with firewall3?

Off the top of my head, at least sqm-scripts and bcp38 contain iptables invocations.

[feckert]

Also acme does some iptables command

packages/net/acme/files/run.sh

Lines 127 to 133 in 6c73457

	done
	iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
	ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
	debug "v4 input_rule: $(iptables -nvL input_rule)"
	debug "v6 input_rule: $(ip6tables -nvL input_rule)"
	return 0

[tohojo]

On 6 October 2021 12:31:12 CEST, Florian Eckert ***@***.***> wrote: Also acme does some iptables command https://github.com/openwrt/packages/blob/6c73457c09f838279b240bef59730cbff60ae799/net/acme/files/run.sh#L127-L133

Ah yes, so it does - totally forgot about that. Thanks for the reminder!

[dibdot]

adblock is purely DNS and doesn't use any direct iptables calls. Maybe simple-adblock is affected here - I don't know.

[alexeys85]

collectd iptables plugin depends on libiptc as far as I know

[luizluca]

I would expand the list a little further:

feeds/packages $ grep -E "(ip6?tables(-save|-restore)?( |$|\"|'|\))|lib/iptables|\+iptables)" -R */ | cut -d/ -f2 | sort -u
acme
adblock
apfree-wifidog
banip
bcp38
collectd
coova-chilli
dockerd
etherwake-nfqueue
fail2ban
frr
fwknop
gnunet
https-dns-proxy
jool
keepalived
libreswan
miniupnpd
mwan3
podman
pppossh
redsocks
shadowsocks-libev
shorewall
shorewall6
shorewall6-lite
shorewall-lite
simple-adblock
sqm-scripts
strongswan
trafficshaper
uacme
v2raya
vpnbypass
vpnc-scripts
vpn-policy-routing
wifidog
xtables-addons

Except from shorewall and xtables-addons, which are clearly not compatible with firewall4/nftable, the rest is still open. Anything that depends on iptables or calls iptables(-save/-restore) needs some testing, specially if iptables-nft is in use.

Maybe we could edit this issue description mentioning maintainers after the package to ping them all?

I doubt that iptables-nft will be installed by default and I think fw3 will still be available as a fallback. It would be interesting to see how we deal with dependencies when both standard iptables and iptables-nft are available and the user could either use fw3 or fw4. Some packages might require iptables/nftables flavors.

[aparcar]

@luizluca the adblock packages mentions iptables in it's readme

adblock does not use error prone external iptables rulesets

[aparcar]

@stangri please track those packages here and not at luci.git

https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing
https://github.com/openwrt/packages/tree/master/net/vpnbypass

I've also started working on a fork of the former called pbr and it's also iptables-dependent.

[stangri]

@stangri please track those packages here and not at luci.git

https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing
https://github.com/openwrt/packages/tree/master/net/vpnbypass
I've also started working on a fork of the former called pbr and it's also iptables-dependent.

Sorry, didn't see notification about this issue until after this quote.

If there's no compatibility binary to allow iptables calls while using nftables, both vpn-policy-routing and vpnbypass are in trouble. They are heavily iptables dependent and it may take me a while to find the time to figure out the switch to nftables.

Both https-dns-proxy and simple-adblock are good to go.

[aparcar]

There is iptables-nft which is however not available upstream at this point. I'm currently trying to run a CI to offer binaries including it, will post on updates.

[jow-]

You can ignore shorewall, it is an ip(6)tables preprocessor, so no need to port it to nftables.

[brada4]

iptables-nft can use ipset, esp for places where only access list is ipset. nft has own sets, but traditional ipset command does not bridge the gap

[pmelange]

aside from the command-line iptables/ip6tables, do we also need to keep an eye open for all packages which depend on kmod-ipt.*?

[stintel]

miniupnpd has nftables support, the integration into fw4 will need looking it.

@ldir-EDB0 As ex maintainer, would you mind having a look at #17094?

[shikasta-net]

Ok, so apparently I have iptables-zz-legacy 1.8.7 installed not iptables-nft.

[brada4]

Reflashing and installing correct iptables package over migrated configuration is very likely to work right away.

[hmh]

The issues with fw4 and nftables are not really related to broken kernel module + userspace choices (it has been long documented everywhere that you need to get rid of the legacy iptables support / modules and use the iptables-nft package to have a nftables-compatible "iptables" command). But even if you have both iptables and nftables in the kernel, things are deterministic: if anything rejects or drops a packet, it gets rejected/dropped. Only if both iptables and nftables agree a packet can be ACCEPTED, will it be ACCEPTED.

But even if you are in a system where the kernel was properly configured to be nftables-only, there is a major catch: in nftables, an ACCEPT target is NOT final. It can be turned into a REJECT or something else by a rule that processes that packet later (from another table, connected to the same nftables hook but with a different priority).

So, everything works if you're just using iptables-nft everywhere, and no custom tables. But fw4 uses its own table, at which point things can break.

You really need to "fw4-erize" everything because of this, it needs to use the fw4 table, and the correct "chains" for fw4.

[brada4]

You dont know in which order filtering applies, especially if you put up accept rules as final.

[PedroM4]

omcproxy needs updating. still using fw3
https://github.com/openwrt/openwrt/blob/ec6293febc244d187e71a6e54f44920be679cde4/package/network/services/omcproxy/files/omcproxy.init

omcproxy is nicer than igmproxy because it has a luci app.

[brada4]

Try sed -iBAK "s/(fw3/(fw4/g" /etc/init.d/omcproxy and tell if it works

@aparcar seems that calling fw3 command should be accounted for too.

[jow-]

Note that fw4 ships an fw3 compatibility symlink. The omcproxy init script should work as-is with both fw3 and fw4.

[PedroM4]

the sed thing didn't work, or, better explained, it does work in the sense that it does not throw an error when running omcproxy but the thing is, upgrading my openwrt distro ( turris omnia ) from a november master build ( fw3 ) to yesterday's master build ( fw4 ) made my IPTV stop working ( keeping configuration between the upgrade ).
It may be because of mwan3. I was/am diverting igmp traffic using mwan3 so it may be because of that.

I will troubleshoot this further this weekend and report back. If I believe it is fw3 to 4 related I will post here, if not on the appropriate place.

[sum32]

iptables-nft-save -t nat

Thanks for your reply, this is the output of those commands, it looks like the firewall is completely open?!! Am I at risk or is it the nft tables which is the truth? Very confusing to me with the coexistence. My version of iptables seems to be compatible atleast, but not working well.

root@r1:~# iptables --version
iptables v1.8.7 (nf_tables)
root@r1:~# iptables-nft-save -t filter
# Generated by iptables-nft-save v1.8.7 on Sat Mar 25 18:39:33 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 25 18:39:33 2023
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
root@r1:~# iptables-nft-save -t nat
# Generated by iptables-nft-save v1.8.7 on Sat Mar 25 18:39:57 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 25 18:39:57 2023
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
root@r1:~#
root@r1:~# iptables --version
iptables v1.8.7 (nf_tables)

[brada4]

You have rules in nft nft list ruleset, and you can observe renderings of iptables rules there.
iptables-nft will add rules with stats counter in a way they can be read back via same legacy-looking interface, but native rules will be invisible there.
Most linux distros took the path of shipping -nft wrappers in place of legacy thing, none has solid nft-based framework so far. OpenWRT took a bit more radical flag in hands.

[sum32]

Ok, thanks, that clarifies the relation between iptables-nft and nft a bit. I still don't get why the rules from fknopd is not properly translated even after installing kmod-ipt-nat kmod-ipt-nat-extra

[brada4]

no need for any kmod-ipt-* at all.
if you do iptables-nft-save - do you se fwknop tables?

[PedroM4]

so, cant get igmp to work with the latest master for some reason that I am unable to figure out.
mwan3 is not installed. configuration has not changed from end last year fw3 master.
omcproxy results in this:
root@gateway:~# ip mroute
(192.168.89.100,239.255.255.250) Iif: lan3 State: resolved

if I try to use igmproxy instead the state is always unresolved.
going to open a thread on the forum regarding this.

I have image for 10s and then it stops and this is a sign of multicast traffic not reaching the device.

[PedroM4]

so I am sorry for jumping the gun. The issue with igmp traffic has nothing to do with fw3/4 and all to do with this commit:
openwrt/openwrt@738b04c
I was able to track it down to it. Already posted a message there.

[57382]

The suspicion is that something related might have something to do with it.
openwrt/openwrt#12429

iptables/firewall3

=======================================

nftables/firewall4
Seems to have serious performance flaws. For IPQ40XX

[aparcar]

I'll unpin this since it happened. For further issues please open individual issues.

[baldurmen]

sqm-scripts has been marked as OK in the tracking list in this issue, but as of 22.03.5 it still depends on some iptables packages:

https://github.com/openwrt/packages/blob/openwrt-22.03/net/sqm-scripts/Makefile#L27

Trying to remove those packages does indeed fail:

$ opkg remove iptables-mod-ipopt iptables-zz-legacy
No packages removed.
Collected errors:
 * print_dependents_warning: Package iptables-mod-ipopt is depended upon by packages:
 * print_dependents_warning: 	sqm-scripts
 * print_dependents_warning: These might cease to work if package iptables-mod-ipopt is removed.

 * print_dependents_warning: Force removal of this package with --force-depends.
 * print_dependents_warning: Force removal of this package and its dependents
 * print_dependents_warning: with --force-removal-of-dependent-packages.
 * print_dependents_warning: Package iptables-zz-legacy is depended upon by packages:
 * print_dependents_warning: 	sqm-scripts
 * print_dependents_warning: These might cease to work if package iptables-zz-legacy is removed.

 * print_dependents_warning: Force removal of this package with --force-depends.
 * print_dependents_warning: Force removal of this package and its dependents
 * print_dependents_warning: with --force-removal-of-dependent-packages.

[tam481]

Hello all,
I suspect I misunderstood but I installed iptables-nft and ip6tables-nft, removed iptables-zzz-legacy and reinstalled dockerd on my OpenWrt x86 system but I still can't access any of the containers (I'm using FW4 of course). I read somewhere that adding "iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 443" fixes the issue for the specified port(s) but this is a blanket redirecting which with my limited knowledge doesn't make sense because it's forwarding traffic on port 443 to port 443 and does not specify the interface but at least it works for a container that listens on 443 but I can't run the same rule for port 80 because it ends up in an endless redirect to the container.

Any help would be greatly appreciated.

[terrytw]

Hello all, I suspect I misunderstood but I installed iptables-nft and ip6tables-nft, removed iptables-zzz-legacy and reinstalled dockerd on my OpenWrt x86 system but I still can't access any of the containers (I'm using FW4 of course). I read somewhere that adding "iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 443" fixes the issue for the specified port(s) but this is a blanket redirecting which with my limited knowledge doesn't make sense because it's forwarding traffic on port 443 to port 443 and does not specify the interface but at least it works for a container that listens on 443 but I can't run the same rule for port 80 because it ends up in an endless redirect to the container.

Any help would be greatly appreciated.

Check this: https://forum.openwrt.org/t/nftables-vs-dockerd/132588
Also it seems to me that making dockerd use nftables is not terribly complicated, since there are already some people doing it:
https://gist.github.com/goll/bdd6b43c2023f82d15729e9b0067de60
Hope someone got the time to implement it.

[brada4]

Like docker corp.

[tiaomail]

UP, can I help to resolve the incompatibility with coova-chilli?

[brada4]

Just link this issue in PR.
One coova issue: #23092

• xt_coova will not wotk with iptables-nft or nft
• do you plan to adjust dependency to iptabled-nft or port iptables ruleset to new nftables chains?