Error "changing the firewall backend is unsupported on OpenWrt"

Open walterzilla opened this issue 4 months ago • 6 comments

Scenario: OpenWrt 24.10.2 running in privileged or unprivileged Proxmox 8.4.12 LXC

Running a non-attended setup, I'd like to use the -w nft option, but I get the "changing the firewall backend is unsupported on OpenWrt" error, which seems rather odd to me given that in interactive mode geoip-shell allows you to use nftables as backend and afterwards everything's running smoothly... any idea? Thanks!

walterzilla, Aug 31 '25 12:08

Hi, since OpenWrt is typically running on an embedded device with very limited flash storage (in some cases as small as 8MB), geoip-shell makes a minimal installation on OpenWrt, in order to take up as little storage space as possible. This involves stripping unnecessary code (debug and code comments) from the scripts, installing trimmed-down versions of certain scripts and only installing the library for the detected firewall backend. Because of that, changing the firewall backend after installation is not possible. Currently the installation logic checks which OpenWrt firewall (firewall3 or firewall4) exists in the system. If firewall3 is found then the firewall backend defaults to iptables. If firewall4 is found then the firewall backend defaults to nftables. Then the respective library is installed.

So I'm not sure how it is possible that you get to choose the firewall backend at all. Could you provide the following information:

  • OpenWrt version
  • Complete console output when running sh geoip-shell-install.sh
  • Output of geoip-shell showconfig after installation

(redact sensitive information if any)

Also, to clarify: why do you need to change the firewall backend after installation?

friendly-bits, Aug 31 '25 12:08

> OpenWrt version

24.10.2 running in privileged or unprivileged Proxmox 8.4.12 LXC.

Image

Anyway I'm not trying to change fwl backend after installation, issue arises using -w option while configuring.

Without -w option:

Image

With -w option:

Image

walterzilla, Aug 31 '25 13:08

> issue arises using -w option while configuring

geoip-shell configuration occurs after geoip-shell is installed, even if this may appear as one procedure.

The firewall backend selection dialog doesn't account for the fact that geoip-shell is installed on OpenWrt - this is an oversight. This dialog should not be occurring on OpenWrt at all, I will fix this in the upcoming release.

I can help you to achieve what you need, but I still do not understand what your ultimate goal is. Which firewall backend do you want to use geoip-shell with?

friendly-bits, Aug 31 '25 13:08

> I still do not understand what your ultimate goal is

Running a non-interactive setup i.e. by adding in my host script a command like

pct exec 100 -- sh -c "geoip-shell configure -w nft -m whitelist -c it -r it -f ipv4 -i eth0 -z"

> Which firewall backend do you want to use geoip-shell with?

Firewall backend is not at stake since OpenWrt 24 by default relies on nftables which is fine for me.

walterzilla, Aug 31 '25 14:08

I'll make some changes in the code and let you know.

friendly-bits, Aug 31 '25 15:08

I just released geoip-shell v0.7.5 which fixes this issue - please confirm.

friendly-bits, Sep 04 '25 09:09