iptables-legacy kmods loaded as a dependency of iptables-nft blocking later
OpenWrt 22.03.1, r19777-2853b6d652 TP-Link Archer C7 v5
install iptables-nft
```
root@OpenWrt:~# iptables-save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
root@OpenWrt:~# iptables-restore << EOF
> *filter
> COMMIT
> EOF
root@OpenWrt:~# iptables-save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
```
install iptables-legacy - but why should I?
```
root@OpenWrt:~# iptables-legacy-save
# Generated by iptables-save v1.8.7 on Sun Oct 16 12:50:41 2022
*mangle
:PREROUTING ACCEPT [4004:1680290]
:INPUT ACCEPT [1922:515054]
:FORWARD ACCEPT [2082:1165236]
:OUTPUT ACCEPT [1617:300720]
:POSTROUTING ACCEPT [3699:1465956]
COMMIT
# Completed on Sun Oct 16 12:50:41 2022
# Generated by iptables-save v1.8.7 on Sun Oct 16 12:50:41 2022
*filter
:INPUT ACCEPT [1931:515522]
:FORWARD ACCEPT [2082:1165236]
:OUTPUT ACCEPT [1626:301808]
COMMIT
# Completed on Sun Oct 16 12:50:41 2022
```
Shouldn't it work without iptables-legacy, ermmm iptables-nft to work in general? EDIT: ip6tables exhibits the same behaviour.
It is caused by the ip_tables.ko module in nf-ipt. opkg pulls it in as a dependency for nft-ipt stuff, but once I rmmod those, iptables-nft starts to work. I think it is a request to align opkg dependencies with kmod dependencies around this place, otherwise iptables-nft command line tools are completely unusable.
I worked around the issue re-appearing over reboot by truncating:
- /etc/modules.d/nf-ipt (kmod-nf-ipt)
- /etc/modules.d/ipt-core (kmod-ipt-core)
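
A way to check for the condition described in this report, as an added example that is not part of the original post or of OpenWrt: it lists legacy xtables modules that are currently loaded and the `/etc/modules.d` files that would load them again at boot. The module-name pattern and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. Legacy xtables module names; this pattern is an assumption.
# x_tables itself is excluded because nft_compat also depends on it.
LEGACY_RE='^(ip6?_tables|arp_tables|ip6?table_[a-z]+|arptable_[a-z]+)$'

# Print the legacy modules named in a /proc/modules-style or modules.d-style
# file (first field of each line; blank lines and # comments are skipped).
legacy_in_file() {
    [ -r "$1" ] || return 0
    awk -v re="$LEGACY_RE" 'NF && $1 !~ /^#/ && $1 ~ re { print $1 }' "$1"
}

# Print "file: module" for every modules.d entry that loads one at boot.
autoload_sources() {
    for f in "${1:-/etc/modules.d}"/*; do
        [ -f "$f" ] || continue
        for m in $(legacy_in_file "$f"); do
            echo "${f##*/}: $m"
        done
    done
}

# Report what is loaded now and which files bring it back after a reboot.
legacy_report() {
    loaded=$(legacy_in_file "${1:-/proc/modules}")
    if [ -z "$loaded" ]; then
        echo "no legacy xtables modules loaded"
        return 0
    fi
    echo "loaded legacy modules:" $loaded
    echo "autoloaded at boot by:"
    autoload_sources "${2:-/etc/modules.d}"
}

legacy_report
```

Both arguments of `legacy_report` are optional paths, so the same functions can be pointed at a saved copy of `/proc/modules` and of the `modules.d` directory from another device.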