
Certain upstream switch to `firewall4` aka `nftables` instead of `iptables`

Open aparcar opened this issue 3 years ago • 15 comments

Hi all, especially @openwrt/luci-admin,

For the next OpenWrt release, firewall4 is being considered as a replacement for the current iptables-based firewall package. While the configuration stays within /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads-up for everyone maintaining such packages, but please also post packages here that would be affected so a smoother migration is possible.

Heads up for packages.git: https://github.com/openwrt/packages/issues/16818
Heads up for routing.git: https://github.com/openwrt/routing/issues/731

aparcar avatar Oct 06 '21 06:10 aparcar

Heads up, firewall4 is getting into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables, please test your apps with iptables-nft and report back!

aparcar avatar Jan 07 '22 09:01 aparcar

I think that the Status->Firewall menu item and page is still totally iptables based after 48599d8d1d, right?

https://github.com/openwrt/luci/blob/master/modules/luci-mod-status/htdocs/luci-static/resources/view/status/iptables.js

hnyman avatar Jan 07 '22 16:01 hnyman

Heads up, firewall4 is getting into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables, please test your apps with iptables-nft and report back!

I cannot find the iptables-nft package.

castillofrancodamian avatar Jan 12 '22 14:01 castillofrancodamian

Yea, sorry, the iptables-nft package is currently missing; it should be fixed via https://github.com/openwrt/openwrt/pull/4957

aparcar avatar Jan 13 '22 08:01 aparcar

Yea, sorry, the iptables-nft package is currently missing; it should be fixed via openwrt/openwrt#4957

I already found the iptables-nft package. Do you also have to install iptables and firewall, or just firewall4 and iptables-nft?

castillofrancodamian avatar Jan 14 '22 15:01 castillofrancodamian

@castillofrancodamian maybe @stintel can comment better than me, but from my understanding you could install firewall4 and iptables-nft; both will use nftables while keeping backward compatibility with the iptables wrapper.

aparcar avatar Jan 14 '22 18:01 aparcar

@castillofrancodamian maybe @stintel can comment better than me, but from my understanding you could install firewall4 and iptables-nft; both will use nftables while keeping backward compatibility with the iptables wrapper.

Likewise, installing iptables-nft also installs iptables. The "real problem" is that I can't edit any firewall zones with the error "Cannot convert undefined or null to object" in LuCI.

castillofrancodamian avatar Jan 14 '22 18:01 castillofrancodamian

As discussed at yesterday's meeting, I merged the changes. The next release will use firewall4 as default, and all incompatible packages (e.g. those using ipset) should add a negative dependency. Our consideration is that the default (WiFi home router) setup works fine with firewall4, and special cases can always replace firewall4 with firewall3, which should work at least until the upcoming 5.15 kernels.

aparcar avatar Jan 19 '22 08:01 aparcar

Just for awareness, what is the etiquette / developer preference in terms of issues found?

Is it to post in the appropriate package/luci/core nftables thread (e.g. this one for LuCI),

or

create a bug and leave it there,

or

create a bug and post a reference in the appropriate nftables thread?

If the latter, I opened a LuCI bug where on two pages (main LuCI and the upnp luci app) port forwards are no longer shown.

edrikk avatar Feb 16 '22 02:02 edrikk

Just curious: what is the current status of this issue in terms of the 22.03 release requirements?

dfateyev avatar Apr 19 '22 19:04 dfateyev

luci-app-upnp has been patched to work with nftables, and accepted into the tree. I'm not sure if a legacy iptables version was kept.

kode54 avatar Jul 01 '22 23:07 kode54

luci-app-upnp has been patched to work with nftables, and accepted into the tree. I'm not sure if a legacy iptables version was kept.

I’ve been following the commits (and just rechecked) across the packages, luci, and openwrt repositories, but have not seen any commits around upnp.

I could of course just be missing it, although my local June 30th build from master does not show upnp forwards in either the main page’s “Active UPnP Redirects” section or the upnp menu (luci-app-upnp).

Maybe it takes a bit of time to show up if it was just accepted?

edrikk avatar Jul 02 '22 00:07 edrikk

The PR was closed, and they said they accepted it? I don't know.

kode54 avatar Jul 02 '22 00:07 kode54

Oh, it was never closed: https://github.com/openwrt/luci/pull/5839

kode54 avatar Jul 02 '22 00:07 kode54

Current status as of OpenWrt 23.05.0-rc2

This package depends on the outdated package miniupnpd-iptables and doesn't take miniupnpd-nftables as a viable replacement. Obviously iptables has been replaced by nftables in OpenWrt recently, and miniupnpd-iptables doesn't work properly anymore. By default luci-app-upnp should come with miniupnpd-nftables.

To temporarily fix this, I need to call:

opkg remove miniupnpd-iptables --force-depends
opkg install miniupnpd-nftables

I got a response from @brada4, who pointed out that it is an alphabetical problem: both -iptables and -nftables are in the 'provides' part of this package, and the first one gets used.

Ashus avatar Aug 20 '23 19:08 Ashus
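The thread's two recurring mix-ups (firewall4 paired with legacy iptables instead of iptables-nft, and luci-app-upnp pulling in miniupnpd-iptables instead of miniupnpd-nftables) can be caught with a quick audit of the installed package list. The script below is an added example, not code from this issue or from OpenWrt; it reads a listing in the `opkg list-installed` format ("name - version" per line) and flags the pairings mentioned above, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: check an `opkg list-installed` style listing for packages
# that contradict the installed firewall backend (firewall4 = nftables,
# firewall = legacy fw3/iptables). Only the pairs discussed in the thread are
# checked: miniupnpd-iptables/-nftables and legacy iptables vs iptables-nft.

# Package names from a listing passed as $1 ("name - version" per line).
installed_names() {
    printf '%s\n' "$1" | sed -n 's/^\([^ ]*\) - .*$/\1/p'
}

# Exit 0 if package $2 appears in listing $1 (exact name match).
has_pkg() {
    installed_names "$1" | grep -qx -- "$2"
}

# nftables when firewall4 is installed, iptables for the legacy firewall
# package, none when neither is present.
firewall_backend() {
    if has_pkg "$1" firewall4; then echo nftables
    elif has_pkg "$1" firewall; then echo iptables
    else echo none
    fi
}

# Print one line per mismatch; prints nothing when the listing is consistent.
check_listing() {
    case "$(firewall_backend "$1")" in
    nftables)
        has_pkg "$1" miniupnpd-iptables &&
            echo "miniupnpd-iptables: replace with miniupnpd-nftables"
        # iptables-nft pulls in iptables itself, so only iptables alone is a problem
        has_pkg "$1" iptables && ! has_pkg "$1" iptables-nft &&
            echo "iptables: legacy iptables without iptables-nft"
        ;;
    iptables)
        has_pkg "$1" miniupnpd-nftables &&
            echo "miniupnpd-nftables: firewall3 needs miniupnpd-iptables"
        ;;
    *)
        echo "no firewall package installed"
        ;;
    esac
    return 0
}

# Constructed sample: a router migrated to firewall4 that still carries the
# iptables-based UPnP daemon. On a real box use: check_listing "$(opkg list-installed)"
SAMPLE='firewall4 - 1
iptables-nft - 1
iptables - 1
miniupnpd-iptables - 1
luci-app-upnp - 1'

check_listing "$SAMPLE"
```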