
Certain upstream switch to `firewall4` aka `nftables` instead of `iptables`

Open aparcar opened this issue 2 years ago • 145 comments

Hi all, especially @openwrt/packages-write,

for the next OpenWrt release, firewall4 is being considered as a replacement for the current iptables-based firewall package. While the configuration stays in /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads up for everyone maintaining such packages, but please also post packages here that would be affected so a smoother migration is possible.

Compatible with firewall4:

  • [ ] acme
  • [x] adblock
  • [ ] apfree-wifidog
  • [ ] banip
  • [ ] bcp38
  • [x] collectd (iptables plugin still uses iptables, no nftables plugin)
  • [ ] coova-chilli
  • [ ] dockerd
  • [x] etherwake-nfqueue
  • [ ] fail2ban
  • [ ] frr
  • [ ] fwknop
  • [x] gnunet
  • [x] https-dns-proxy
  • [x] jool
  • [x] keepalived https://github.com/openwrt/packages/pull/18058
  • [ ] libreswan
  • [x] miniupnpd https://github.com/openwrt/packages/pull/17094
  • [x] mwan3 https://github.com/openwrt/packages/pull/17940
  • [x] phantap
  • [x] podman via dcbef6fde01eed546bd405724bd70cd8f3381c4b
  • [x] ~~pppossh~~
  • [ ] redsocks
  • [x] shadowsocks-libev (https://github.com/openwrt/packages/pull/17937)
  • [x] ~~shorewall~~
  • [x] ~~shorewall6~~
  • [x] ~~shorewall6-lite~~
  • [x] ~~shorewall-lite~~
  • [x] simple-adblock
  • [x] sqm-scripts
  • [ ] strongswan
  • [ ] trafficshaper
  • [ ] uacme
  • [x] v2raya (https://github.com/openwrt/packages/pull/18052)
  • [ ] vpnbypass
  • [ ] vpnc-scripts
  • [ ] vpn-policy-routing
  • [ ] wifidog
  • [ ] xtables-addons

Heads up for routing.git: https://github.com/openwrt/routing/issues/731
Heads up for luci.git: https://github.com/openwrt/luci/issues/5409

aparcar avatar Oct 06 '21 05:10 aparcar
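Added example (editor's code, not from this issue or from any OpenWrt package): a few sh helpers of the kind a package init script could use to tell fw3 from fw4 and iptables-legacy from iptables-nft before it touches the ruleset, and to build the right command for the temporary TCP/80 hole that acme needs. The chain names `input_rule` (fw3) and `inet fw4 input_wan` (fw4), and the `FW_ROOT` override used to make the detection testable against a fake root, are assumptions; check them with `nft list ruleset` and `iptables -S` on your own build.

```shell
#!/bin/sh
# Added example, not part of the packages feed. Helpers for a package init
# script or hotplug hook to find out which firewall stack is active before
# adding rules. Paths are looked up under $FW_ROOT so the logic can be run
# against a fake root in tests; on a real router FW_ROOT is unset.

# Classify the first line of `iptables --version`.
#   "iptables v1.8.7 (nf_tables)" -> nft     (iptables-nft: rules land in nf_tables)
#   "iptables v1.8.7 (legacy)"    -> legacy  (x_tables backend)
#   older builds print no suffix at all     -> legacy
classify_iptables_flavor() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *)               echo legacy ;;
    esac
}

# Decide which firewall manager owns /etc/config/firewall: fw4, fw3 or none.
# fw4 wins when both are installed, matching the plan that fw4 becomes the
# default while fw3 stays available as a fallback.
detect_firewall_backend() {
    root="${FW_ROOT:-}"
    if [ -x "$root/sbin/fw4" ]; then
        echo fw4
    elif [ -x "$root/sbin/fw3" ]; then
        echo fw3
    else
        echo none
    fi
}

# Build, but do not run, the command that opens TCP/80 to the router itself,
# the kind of temporary hole acme punches for an HTTP-01 challenge.
# Chain names are assumptions: fw3's "input_rule" user chain and the
# "input_wan" chain of "table inet fw4". Returns 1 for an unknown backend so a
# caller never falls through to a rule that hits the wrong ruleset.
open_http_command() {
    case "$1" in
        fw4) echo "nft insert rule inet fw4 input_wan tcp dport 80 counter accept" ;;
        fw3) echo "iptables -I input_rule -p tcp --dport 80 -j ACCEPT" ;;
        *)   return 1 ;;
    esac
}

# Glue: pick the backend, warn when a legacy iptables binary sits next to fw4
# (rules added through it go into x_tables, where neither nft nor fw4 will
# see them), and print the command that would be executed.
plan_open_http() {
    backend="$(detect_firewall_backend)"
    flavor="$(classify_iptables_flavor "$(iptables --version 2>/dev/null)")"
    if [ "$backend" = fw4 ] && [ "$flavor" = legacy ] && command -v iptables >/dev/null 2>&1; then
        echo "warning: legacy iptables present alongside fw4; rules added with it are invisible to nft" >&2
    fi
    open_http_command "$backend"
}
```

`plan_open_http` only prints the command; the point is that a package decides once, up front, which ruleset it is going to modify, instead of calling whatever `iptables` happens to be on the PATH.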

As the package maintainer of mwan3, I would also like to know what I have to do to make mwan3 fit for nftables. I did see that there was a firewall4, but I wasn't aware that it should already be included as the default firewall backend in the next release!

feckert avatar Oct 06 '21 06:10 feckert

It's possible, an idea to be discussed. There is no definite decision yet; however, ideally maintainers start looking at firewall4 to have an idea what could change. Long term there might be a firewall5 package using eBPF; things are moving :)

aparcar avatar Oct 06 '21 06:10 aparcar

My concern is over 'ipset' equivalent functionality support. dnsmasq v2.87 (not yet released) has immature support. adblock & banip rely heavily on ipsets and will need adjusting. miniupnpd has nftables support; the integration into fw4 will need looking at.

ldir-EDB0 avatar Oct 06 '21 07:10 ldir-EDB0

Is the plan to ship the iptables-nft compatibility binary? And is there an overview somewhere of how firewall4 differs in which table names it uses compared with firewall3?

Off the top of my head, at least sqm-scripts and bcp38 contain iptables invocations.

tohojo avatar Oct 06 '21 10:10 tohojo

Also acme does some iptables commands: https://github.com/openwrt/packages/blob/6c73457c09f838279b240bef59730cbff60ae799/net/acme/files/run.sh#L127-L133

feckert avatar Oct 06 '21 10:10 feckert

On 6 October 2021 12:31:12 CEST, Florian Eckert wrote:

Also acme does some iptables commands: https://github.com/openwrt/packages/blob/6c73457c09f838279b240bef59730cbff60ae799/net/acme/files/run.sh#L127-L133

Ah yes, so it does - totally forgot about that. Thanks for the reminder!

tohojo avatar Oct 06 '21 10:10 tohojo

adblock is purely DNS and doesn't use any direct iptables calls. Maybe simple-adblock is affected here - I don't know.

dibdot avatar Oct 06 '21 12:10 dibdot

collectd iptables plugin depends on libiptc as far as I know

alexeys85 avatar Oct 06 '21 16:10 alexeys85

I would expand the list a little further:

feeds/packages $ grep -E "(ip6?tables(-save|-restore)?( |$|\"|'|\))|lib/iptables|\+iptables)" -R */ | cut -d/ -f2 | sort -u
acme
adblock
apfree-wifidog
banip
bcp38
collectd
coova-chilli
dockerd
etherwake-nfqueue
fail2ban
frr
fwknop
gnunet
https-dns-proxy
jool
keepalived
libreswan
miniupnpd
mwan3
podman
pppossh
redsocks
shadowsocks-libev
shorewall
shorewall6
shorewall6-lite
shorewall-lite
simple-adblock
sqm-scripts
strongswan
trafficshaper
uacme
v2raya
vpnbypass
vpnc-scripts
vpn-policy-routing
wifidog
xtables-addons

Except for shorewall and xtables-addons, which are clearly not compatible with firewall4/nftables, the rest is still open. Anything that depends on iptables or calls iptables(-save/-restore) needs some testing, especially if iptables-nft is in use.

Maybe we could edit this issue description mentioning maintainers after the package to ping them all?

I doubt that iptables-nft will be installed by default and I think fw3 will still be available as a fallback. It would be interesting to see how we deal with dependencies when both standard iptables and iptables-nft are available and the user could either use fw3 or fw4. Some packages might require iptables/nftables flavors.

luizluca avatar Oct 06 '21 20:10 luizluca

@luizluca the adblock package mentions iptables in its readme:

adblock does not use error prone external iptables rulesets

aparcar avatar Oct 06 '21 20:10 aparcar

@stangri please track those packages here and not at luci.git

https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing
https://github.com/openwrt/packages/tree/master/net/vpnbypass

I've also started working on a fork of the former called pbr and it's also iptables-dependent.

aparcar avatar Oct 06 '21 21:10 aparcar

@stangri please track those packages here and not at luci.git

https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing
https://github.com/openwrt/packages/tree/master/net/vpnbypass

I've also started working on a fork of the former called pbr and it's also iptables-dependent.

Sorry, didn't see notification about this issue until after this quote.

If there's no compatibility binary to allow iptables calls while using nftables, both vpn-policy-routing and vpnbypass are in trouble. They are heavily iptables dependent and it may take me a while to find the time to figure out the switch to nftables.

Both https-dns-proxy and simple-adblock are good to go.

stangri avatar Oct 06 '21 21:10 stangri

There is iptables-nft which is however not available upstream at this point. I'm currently trying to run a CI to offer binaries including it, will post on updates.

aparcar avatar Oct 06 '21 21:10 aparcar

You can ignore shorewall, it is an ip(6)tables preprocessor, so no need to port it to nftables.

jow- avatar Oct 07 '21 07:10 jow-

iptables-nft can use ipset, especially for places where the only access list is an ipset. nft has its own sets, but the traditional ipset command does not bridge the gap.

brada4 avatar Oct 10 '21 08:10 brada4
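Added example (editor's code, not from this issue or from adblock, banip or any other package named here), covering both ldir's ipset concern above and brada4's point that nft has its own sets: the same "drop everything from a blocklist" policy written the ipset/iptables way and the nftables way, as shell functions that print the commands or ruleset instead of applying them. The addresses, the set name `blocklist`, the table name `blocklist_tbl` and the hook priority of -10 (chosen to run ahead of fw4's own chains, which is an assumption about fw4's ordering) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of any OpenWrt package. Two renderings of one
# blocklist policy so a maintainer porting from ipset can compare them.

# Legacy form: create an ipset, fill it one command at a time, then reference
# it from x_tables rules with the "set" match. Every call is a separate
# userspace/kernel round trip and the set lives outside the firewall ruleset.
legacy_blocklist_commands() {
    set_name="$1"; shift
    echo "ipset create $set_name hash:net family inet -exist"
    for addr in "$@"; do
        echo "ipset add $set_name $addr -exist"
    done
    echo "iptables -I INPUT -m set --match-set $set_name src -j DROP"
    echo "iptables -I FORWARD -m set --match-set $set_name src -j DROP"
}

# nftables form: a named set declared inside its own table and loaded
# atomically with `nft -f`. "flags interval" lets the set hold prefixes, the
# role hash:net played; "type ipv4_addr" keeps this to IPv4 like the ipset
# above. Hooking at priority -10 (assumption: ahead of fw4's chains at 0)
# makes the drop independent of zone policy.
nft_blocklist_ruleset() {
    set_name="$1"; shift
    elements=""
    for addr in "$@"; do
        elements="${elements:+$elements, }$addr"
    done
    echo "table inet ${set_name}_tbl {"
    echo "    set $set_name {"
    echo "        type ipv4_addr"
    echo "        flags interval"
    if [ -n "$elements" ]; then
        echo "        elements = { $elements }"
    fi
    echo "    }"
    for hook in input forward; do
        echo "    chain $hook {"
        echo "        type filter hook $hook priority -10; policy accept;"
        echo "        ip saddr @$set_name counter drop"
        echo "    }"
    done
    echo "}"
}

# Incremental updates (what a timer-driven blocklist refresh does) touch only
# the set; the chains and rules stay in place.
nft_blocklist_update_commands() {
    set_name="$1"; shift
    for addr in "$@"; do
        echo "nft add element inet ${set_name}_tbl $set_name { $addr }"
    done
}
```

To apply the nft form on a router you would pipe `nft_blocklist_ruleset blocklist ...` into `nft -f -`; a re-run replaces the whole table atomically, so there is no window with the set half-filled, which is the main thing the ipset sequence cannot give you.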

aside from the command-line iptables/ip6tables, do we also need to keep an eye open for all packages which depend on kmod-ipt.*?

pmelange avatar Oct 13 '21 15:10 pmelange

miniupnpd has nftables support; the integration into fw4 will need looking at.

@ldir-EDB0 As ex maintainer, would you mind having a look at #17094?

stintel avatar Nov 08 '21 00:11 stintel

I would expand the list a little further: […] Some packages might require iptables/nftables flavors.

Not aware of support for nftables in strongswan. @Thermi?

Also, locally we use ipset for blocking traffic from non-essential devices after hours so they don't interfere with remote backups... as well as xtgeoip from xtables-addons to block traffic from hostile countries.

Should add that we do all of that in /etc/firewall.user.

pprindeville avatar Nov 13 '21 00:11 pprindeville

aside from the command-line iptables/ip6tables, do we also need to keep an eye open for all packages which depend on kmod-ipt.*?

This list can be pared down to ignore kmod-ipt-* and iptables-mod-* entries:

$ grep -e 'Package:' -e 'Depends:.*kmod-ipt' tmp/.packageinfo | grep -B1 'Depends:'
Package: kmod-ipt-conntrack
Depends:  +kmod-ipt-core +kmod-nf-conntrack
Package: kmod-ipt-conntrack-extra
Depends:  +kmod-ipt-core +kmod-ipt-conntrack
Package: kmod-ipt-conntrack-label
Depends:  +kmod-ipt-core +kmod-ipt-conntrack
Package: kmod-ipt-filter
Depends:  +kmod-ipt-core +kmod-lib-textsearch +kmod-ipt-conntrack
Package: kmod-ipt-offload
Depends:  +kmod-ipt-core +kmod-nf-flow
Package: kmod-ipt-ipopt
Depends:  +kmod-ipt-core 
Package: kmod-ipt-ipsec
Depends:  +kmod-ipt-core 
Package: kmod-ipt-ipset
Depends:  +kmod-ipt-core +kmod-nfnetlink
Package: kmod-nf-ipvs
Depends: @IPV6 +kmod-lib-crc32c +kmod-ipt-conntrack +kmod-nf-conntrack +kmod-ipt-core +kmod-ipt-conntrack
--
Package: kmod-ipt-nat
Depends:  +kmod-ipt-core +kmod-nf-nat
Package: kmod-ipt-raw
Depends:  +kmod-ipt-core 
Package: kmod-ipt-raw6
Depends: @IPV6 +kmod-ipt-core +kmod-ip6tables
Package: kmod-ipt-nat6
Depends: @IPV6 +kmod-ipt-core +kmod-nf-nat6 +kmod-ipt-core +kmod-ipt-conntrack +kmod-ipt-core +kmod-ipt-nat +kmod-ipt-core +kmod-ip6tables
Package: kmod-ipt-nat-extra
Depends:  +kmod-ipt-core +kmod-ipt-nat
--
Package: kmod-nf-nathelper-extra
Depends: +kmod-nf-nat +kmod-lib-textsearch +kmod-ipt-raw +kmod-asn1-decoder
Package: kmod-ipt-ulog
Depends:  +kmod-ipt-core 
Package: kmod-ipt-nflog
Depends:  +kmod-ipt-core +kmod-nfnetlink-log
Package: kmod-ipt-nfqueue
Depends:  +kmod-ipt-core +kmod-nfnetlink-queue
Package: kmod-ipt-debug
Depends:  +kmod-ipt-core +kmod-ipt-raw +IPV6:kmod-ipt-raw6
Package: kmod-ipt-led
Depends:  +kmod-ipt-core 
Package: kmod-ipt-tproxy
Depends:  +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +IPV6:kmod-ip6tables +kmod-ipt-core 
Package: kmod-ipt-tee
Depends: +kmod-ipt-conntrack +kmod-ipt-core 
Package: kmod-ipt-u32
Depends:  +kmod-ipt-core 
Package: kmod-ipt-checksum
Depends:  +kmod-ipt-core 
Package: kmod-ipt-iprange
Depends:  +kmod-ipt-core 
Package: kmod-ipt-cluster
Depends:  +kmod-ipt-core +kmod-nf-conntrack
Package: kmod-ipt-clusterip
Depends:  +kmod-ipt-core +kmod-nf-conntrack
Package: kmod-ipt-extra
Depends:  +kmod-ipt-core 
Package: kmod-ipt-physdev
Depends:  +kmod-ipt-core +kmod-br-netfilter
Package: kmod-ip6tables
Depends: @IPV6 +kmod-nf-reject6 +kmod-nf-ipt6 +kmod-ipt-core
--
Package: kmod-arptables
Depends: +kmod-ipt-core
Package: kmod-br-netfilter
Depends: +kmod-ipt-core
Package: kmod-ebtables
Depends: +kmod-ipt-core
--
Package: kmod-nf-conntrack-netlink
Depends:  +kmod-nfnetlink +kmod-ipt-conntrack
Package: kmod-ipt-hashlimit
Depends: +kmod-ipt-core
Package: kmod-ipt-rpfilter
Depends: +kmod-ipt-core
--
Package: kmod-vxlan
Depends: +kmod-iptunnel +kmod-udptunnel4 +IPV6:kmod-udptunnel6
Package: kmod-geneve
Depends: +kmod-iptunnel +kmod-udptunnel4 +IPV6:kmod-udptunnel6
--
Package: kmod-ipip
Depends: +kmod-iptunnel +kmod-iptunnel4
--
Package: kmod-ipsec4
Depends: kmod-ipsec +kmod-iptunnel4
Package: kmod-ipsec6
Depends: @IPV6 kmod-ipsec +kmod-iptunnel6
--
Package: kmod-ip-vti
Depends: +kmod-iptunnel +kmod-iptunnel4 +kmod-ipsec4
Package: kmod-ip6-vti
Depends: @IPV6 +kmod-iptunnel +kmod-ip6-tunnel +kmod-ipsec6
--
Package: kmod-sit
Depends: @IPV6 +kmod-iptunnel +kmod-iptunnel4
Package: kmod-fou
Depends: +kmod-iptunnel +kmod-udptunnel4 +IPV6:kmod-udptunnel6
--
Package: kmod-ip6-tunnel
Depends: @IPV6 +kmod-iptunnel6
Package: kmod-gre
Depends: +kmod-iptunnel
Package: kmod-gre6
Depends: @IPV6 +kmod-iptunnel +kmod-ip6-tunnel +kmod-gre
--
Package: kmod-sched-connmark
Depends: +kmod-sched-core +kmod-ipt-core +kmod-ipt-conntrack-extra
Package: kmod-sched-ctinfo
Depends: +kmod-sched-core +kmod-ipt-core +kmod-ipt-conntrack-extra
Package: kmod-sched-ipset
Depends: +kmod-sched-core +kmod-ipt-ipset
--
Package: kmod-sched
Depends: +kmod-sched-core +kmod-ipt-core +kmod-lib-crc32c
--
Package: kmod-mpls
Depends: +kmod-iptunnel
--
Package: firewall
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
--
Package: dnsmasq-full
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +libubus +PACKAGE_dnsmasq_full_dnssec:libnettle +PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
--
Package: libipset
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ipt-ipset +libmnl
Package: ipset
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ipt-ipset +libmnl +libipset
--
Package: iptables
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
--
Package: iptables-mod-conntrack-extra
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-conntrack-extra +kmod-ipt-raw
Package: iptables-mod-conntrack-label
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-conntrack-label @IPTABLES_CONNLABEL
Package: iptables-mod-extra
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-extra
Package: iptables-mod-physdev
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-physdev
Package: iptables-mod-filter
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-filter
Package: iptables-mod-ipopt
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipopt
Package: iptables-mod-ipsec
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipsec
Package: iptables-mod-nat-extra
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-nat-extra
Package: iptables-mod-iprange
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-iprange
Package: iptables-mod-cluster
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-cluster
Package: iptables-mod-clusterip
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-clusterip
Package: iptables-mod-ulog
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ulog
Package: iptables-mod-hashlimit
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-hashlimit
Package: iptables-mod-rpfilter
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-rpfilter
Package: iptables-mod-led
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-led
Package: iptables-mod-tproxy
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-tproxy
Package: iptables-mod-tee
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-tee
Package: iptables-mod-u32
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-u32
Package: iptables-mod-nflog
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-nfnetlink-log +kmod-ipt-nflog
Package: iptables-mod-trace
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-debug
Package: iptables-mod-nfqueue
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-nfnetlink-queue +kmod-ipt-nfqueue
Package: iptables-mod-checksum
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-checksum
--
Package: ip6tables-mod-nat
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread ip6tables +kmod-ipt-nat6
--
Package: apfree-wifidog
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +zlib +iptables-mod-extra +iptables-mod-ipopt +kmod-ipt-nat +iptables-mod-nat-extra +libjson-c +ipset +libip4tc +libevent2 +libevent2-openssl +libuci +px5g
--
Package: kmod-ipt-coova
Depends: coova-chilli +kmod-ipt-core +libxtables
--
Package: libreswan
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +IPV6:kmod-ip6-vti +IPV6:kmod-ipsec6 +ip-full +iptables-mod-ipsec +kmod-crypto-aead +kmod-crypto-authenc +kmod-crypto-gcm +kmod-crypto-hash +kmod-crypto-rng +kmod-ip-vti +kmod-ipsec +kmod-ipsec4 +kmod-ipt-ipsec +kmod-xfrm-interface +libevent2 +libevent2-pthreads +libldns +librt +libunbound +nss-utils +nspr +libcap-ng
--
Package: kmod-openvswitch
Depends: +kmod-lib-crc32c +kmod-nf-nat +IPV6:kmod-nf-nat6 +kmod-nf-conntrack +IPV6:kmod-nf-conntrack6 +kmod-nsh +kmod-ipt-conntrack-extra  
--
Package: kmod-openvswitch-intree
Depends: +kmod-lib-crc32c +kmod-nf-nat +IPV6:kmod-nf-nat6 +kmod-nf-conntrack +kmod-udptunnel4 +kmod-ipt-conntrack-extra  @IPV6 @DEVEL
--
Package: shorewall
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +ip +iptables +kmod-ipt-hashlimit +kmod-ipt-raw +iptables-mod-hashlimit +shorewall-core +perl +perlbase-autoloader +perlbase-autouse +perlbase-dynaloader +perlbase-digest +perlbase-findbin +perlbase-getopt +perlbase-hash
--
Package: shorewall6
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +ip +ip6tables +kmod-ipt-hashlimit +kmod-ipt-raw6 +iptables-mod-hashlimit +shorewall-core +perl +perlbase-autoloader +perlbase-autouse +perlbase-dynaloader +perlbase-digest +perlbase-findbin +perlbase-getopt +perlbase-hash
--
Package: strongswan
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +libpthread +ip +kmod-crypto-authenc +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 +kmod-ipt-ipsec +iptables-mod-ipsec
--
Package: strongswan-mod-forecast
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread strongswan +kmod-ipt-conntrack-extra
--
Package: v2raya
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread @(aarch64||arm||i386||i686||mips||mips64||mips64el||mipsel||powerpc64||x86_64) +ca-bundle +iptables-mod-conntrack-extra +iptables-mod-extra +iptables-mod-filter +iptables-mod-tproxy +kmod-ipt-nat6 +xray-core
--
Package: vpn-policy-routing
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +jshn +ipset +iptables +resolveip +kmod-ipt-ipset +iptables-mod-ipopt +ip-full
--
Package: kmod-ipt-compat-xtables
Depends: +kmod-ipt-core +IPV6:kmod-ip6tables
Package: kmod-ipt-nathelper-rtsp
Depends: +kmod-ipt-core +kmod-ipt-conntrack-extra +kmod-ipt-nat
Package: iptables-mod-account
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-account
Package: kmod-ipt-account
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-chaos
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-chaos
Package: kmod-ipt-chaos
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables +kmod-ipt-delude +kmod-ipt-tarpit
Package: iptables-mod-condition
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-condition
Package: kmod-ipt-condition
Depends: +kmod-ipt-core 
Package: iptables-mod-delude
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-delude
Package: kmod-ipt-delude
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-dhcpmac
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-dhcpmac
Package: kmod-ipt-dhcpmac
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-dnetmap
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-dnetmap
Package: kmod-ipt-dnetmap
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables +kmod-ipt-nat
Package: iptables-mod-fuzzy
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-fuzzy
Package: kmod-ipt-fuzzy
Depends: +kmod-ipt-core 
Package: iptables-mod-geoip
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-geoip
Package: kmod-ipt-geoip
Depends: +kmod-ipt-core 
Package: iptables-mod-iface
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-iface
Package: kmod-ipt-iface
Depends: +kmod-ipt-core 
Package: iptables-mod-ipmark
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipmark
Package: kmod-ipt-ipmark
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-ipp2p
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipp2p
Package: kmod-ipt-ipp2p
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-ipv4options
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-ipv4options
Package: kmod-ipt-ipv4options
Depends: +kmod-ipt-core 
Package: iptables-mod-length2
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-length2
Package: kmod-ipt-length2
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-logmark
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-logmark
Package: kmod-ipt-logmark
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
Package: iptables-mod-lscan
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-lscan
Package: kmod-ipt-lscan
Depends: +kmod-ipt-core 
Package: iptables-mod-lua
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-lua
Package: kmod-ipt-lua
Depends: +kmod-ipt-core +kmod-ipt-conntrack-extra
Package: iptables-mod-proto
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-proto
Package: kmod-ipt-proto
Depends: +kmod-ipt-core 
Package: iptables-mod-psd
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-psd
Package: kmod-ipt-psd
Depends: +kmod-ipt-core 
Package: iptables-mod-quota2
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-quota2
Package: kmod-ipt-quota2
Depends: +kmod-ipt-core 
Package: iptables-mod-sysrq
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-sysrq
Package: kmod-ipt-sysrq
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables +kmod-crypto-hash
Package: iptables-mod-tarpit
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread iptables +kmod-ipt-tarpit
Package: kmod-ipt-tarpit
Depends: +kmod-ipt-core +kmod-ipt-compat-xtables
--
Package: bmx6
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +kmod-ip6-tunnel +kmod-iptunnel6 +kmod-tun
--
Package: bmx7-tun
Depends: +libc +USE_GLIBC:librt +USE_GLIBC:libpthread bmx7 +kmod-ip6-tunnel +kmod-iptunnel6 +kmod-tun
--
Package: kmod-ipt-rtpengine
Depends: +PACKAGE_kmod-ipt-rtpengine:kmod-crypto-hash +PACKAGE_kmod-ipt-rtpengine:kmod-ipt-core
$ 

pprindeville avatar Nov 13 '21 00:11 pprindeville

Hi, none natively, just via translation layer.

On 13 November 2021 00:32:13 UTC, Philip Prindeville wrote:

Not aware of support for nftables in strongswan. @Thermi?

Also, locally we use ipset for blocking traffic from non-essential devices after hours so they don't interfere with remote backups... as well as xtgeoip from xtables-addons to block traffic from hostile countries.

Thermi avatar Nov 13 '21 03:11 Thermi

Also, as far as I remember some plugins (connmark, forecast) link libiptc and libip4tc, so that would need to be changed for proper nftables support.

Thermi avatar Nov 14 '21 23:11 Thermi

I have added cni-plugins-nft for podman, so wouldn't that then check podman out?

oskarirauta avatar Nov 25 '21 18:11 oskarirauta

@oskarirauta added, thank you.

aparcar avatar Dec 29 '21 14:12 aparcar

@openwrt/packages-write heads up, firewall4 is getting into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables, please test your apps with iptables-nft and report back!

aparcar avatar Jan 07 '22 09:01 aparcar

Getting this message in the latest snapshot - noticed that the router had connectivity, clients could connect to internet using IPV6 but not IPV4 - seemed a NAT/masquerade issue. No rules appeared in the firewall status. Checked the firewall - it did not seem to be running. Upon trying to start it, got the messages below.

```
root@OpenWrt:~# fw4 start
Section @forwarding[4] option 'src' is mandatory but not set
Reference error: left-hand side expression is not an array or object
In anonymous function, file /usr/share/ucode/fw4.uc, line 1892, byte 21:
  called from function [arrow function] (/usr/share/ucode/fw4.uc:540:77)
  called from function foreach ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:540:78)
  called from function render_ruleset (/usr/share/firewall4/main.uc:100:24)
  called from anonymous function (/usr/share/firewall4/main.uc:167:28)

`let f1 = fwd.src.zone ? fwd.src.zone.family : 0;`
Near here -------------------^
```

(Raspberry Pi 4, a few VLANs and zones)

AQPSal avatar Jan 08 '22 00:01 AQPSal
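Added example (editor's code, not part of firewall4 and not the reporter's configuration): a pre-flight lint for /etc/config/firewall that lists every forwarding section missing `src` or `dest`, or naming a zone no `config zone` defines. fw4 reports the first of these as "option 'src' is mandatory but not set" and, in the build above, then crashed while rendering that section, so a check like this finds all offenders before `fw4 start` is run. The sample config embedded in `sample_firewall_config` is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of firewall4. Lints a UCI firewall config for
# forwarding sections that fw4 would reject or that reference unknown zones.
# Section indices are printed as @forwarding[N], zero-based, to match fw4's
# own messages. Exit status is 1 when anything is wrong, 0 otherwise.
lint_firewall_config() {
    awk -v q="'" '
    /^config[ \t]+zone/       { sect = "zone"; next }
    /^config[ \t]+forwarding/ { sect = "fwd"; f++; line[f] = NR; src[f] = ""; dst[f] = ""; next }
    /^config[ \t]/            { sect = "other"; next }
    # zone names are what forwarding src/dest must refer to
    sect == "zone" && $1 == "option" && $2 == "name" { v = $3; gsub(q, "", v); zones[v] = 1; next }
    sect == "fwd"  && $1 == "option" && $2 == "src"  { v = $3; gsub(q, "", v); src[f] = v; next }
    sect == "fwd"  && $1 == "option" && $2 == "dest" { v = $3; gsub(q, "", v); dst[f] = v; next }
    END {
        bad = 0
        for (i = 1; i <= f; i++) {
            if (src[i] == "") {
                printf "@forwarding[%d] (line %d): missing src\n", i - 1, line[i]; bad++
            } else if (!(src[i] in zones)) {
                printf "@forwarding[%d] (line %d): src zone %s is not defined\n", i - 1, line[i], src[i]; bad++
            }
            if (dst[i] == "") {
                printf "@forwarding[%d] (line %d): missing dest\n", i - 1, line[i]; bad++
            } else if (!(dst[i] in zones)) {
                printf "@forwarding[%d] (line %d): dest zone %s is not defined\n", i - 1, line[i], dst[i]; bad++
            }
        }
        exit (bad > 0 ? 1 : 0)
    }' "$1"
}

# Constructed sample: two zones, one good forwarding, one with no src (the
# failure reported above) and one pointing at a zone that does not exist.
sample_firewall_config() {
    cat <<'EOF'
config defaults
    option input 'REJECT'

config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'wan'
EOF
}
```

On a router, `lint_firewall_config /etc/config/firewall` run from a shell before restarting the firewall is enough; the sample above yields `@forwarding[1] (line 16): missing src` and `@forwarding[2] (line 19): src zone guest is not defined`.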

root@OpenWrt:~# fw4 start Section @forwarding[4] option 'src' is mandatory but not set […]

Please attach your /etc/config/firewall/

stintel avatar Jan 08 '22 07:01 stintel

root@OpenWrt:~# fw4 start Section @forwarding[4] option 'src' is mandatory but not set […]

Please attach your /etc/config/firewall/

Please see below. I entered all the rules using LuCI; I did not use the command line, nor did I edit the file. As I was sanitizing it I noticed four forwarding rules with only dest or src. Perhaps they are what is causing the issue.

config defaults
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option drop_invalid '1'
    option input 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    list network 'lan'
    list network 'WG'
    option log '1'
    option forward 'REJECT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    option input 'DROP'
    option forward 'DROP'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'
    option dest '*'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
    option dest '*'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled '0'

config include
    option path '/etc/firewall.user'

config zone
    option name 'IOT'
    option output 'ACCEPT'
    list network 'IOT'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'Guest'
    option output 'ACCEPT'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'Guest'
    list network 'WG1'
    option log '1'

config zone
    option name 'UIOT'
    option output 'ACCEPT'
    list network 'UIOT'
    option forward 'REJECT'
    option input 'REJECT'

config forwarding
    option src 'IOT'
    option dest 'wan'

config forwarding
    option src 'Guest'
    option dest 'wan'

config forwarding
    option src 'UIOT'
    option dest 'wan'

config rule
    option src 'UIOT'
    option target 'ACCEPT'
    option name 'DNS-vlan8'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'

config rule
    option src 'UIOT'
    option target 'ACCEPT'
    option family 'ipv6'
    list proto 'udp'
    option name 'DHCP6-vlan8'
    option dest_port '546 547'

config rule
    option src 'UIOT'
    option target 'ACCEPT'
    option dest_port '67'
    option family 'ipv4'
    list proto 'udp'
    option name 'DHCP-vlan8'

config rule
    list proto 'udp'
    option src 'UIOT'
    option dest_port '5353'
    option target 'ACCEPT'
    option name 'mDNS-vlan8'

config rule
    option name 'Allow-ICMPv6-Input - vlan 8'
    option proto 'icmp'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    list icmp_type 'destination-unreachable'
    list icmp_type 'echo-reply'
    list icmp_type 'echo-request'
    list icmp_type 'neighbour-advertisement'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'packet-too-big'
    list icmp_type 'router-advertisement'
    list icmp_type 'router-solicitation'
    list icmp_type 'time-exceeded'
    option src 'UIOT'

config rule
    option src 'IOT'
    option target 'ACCEPT'
    option name 'DNS-vlan2'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'

config rule
    option src 'IOT'
    option target 'ACCEPT'
    option family 'ipv6'
    list proto 'udp'
    option name 'DHCP6-vlan2'
    option dest_port '546 547'

config rule
    option src 'IOT'
    option target 'ACCEPT'
    option dest_port '67'
    option family 'ipv4'
    list proto 'udp'
    option name 'DHCP-vlan2'

config rule
    list proto 'udp'
    option src 'IOT'
    option dest_port '5353'
    option target 'ACCEPT'
    option name 'mDNS-vlan2'

config rule
    option name 'Allow-ICMPv6-Input - vlan 2'
    option proto 'icmp'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    list icmp_type 'destination-unreachable'
    list icmp_type 'echo-reply'
    list icmp_type 'echo-request'
    list icmp_type 'neighbour-advertisement'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'packet-too-big'
    list icmp_type 'router-advertisement'
    list icmp_type 'router-solicitation'
    list icmp_type 'time-exceeded'
    option src 'IOT'

config rule
    option src 'Guest'
    option target 'ACCEPT'
    option name 'DNS-vlan7'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'

config rule
    option src 'Guest'
    option target 'ACCEPT'
    option family 'ipv6'
    list proto 'udp'
    option name 'DHCP6-vlan7'
    option dest_port '546 547'

config rule
    option src 'Guest'
    option target 'ACCEPT'
    option dest_port '67'
    option family 'ipv4'
    list proto 'udp'
    option name 'DHCP-vlan7'

config rule option proto 'icmp' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' list icmp_type 'destination-unreachable' list icmp_type 'echo-reply' list icmp_type 'echo-request' list icmp_type 'neighbour-advertisement' list icmp_type 'neighbour-solicitation' list icmp_type 'packet-too-big' list icmp_type 'router-advertisement' list icmp_type 'router-solicitation' list icmp_type 'time-exceeded' option src 'Guest' option name 'Allow-ICMPv6-Input - vlan 7'

config rule option name 'KaraokeGuest' option src 'Guest' list dest_ip '10.0.1.75' option dest_port '5000' option target 'ACCEPT' option family 'ipv4' option dest 'lan' list proto 'tcp'

config rule option name 'Wireguard' list proto 'udp' option src 'wan' option dest_port 'XXXXX' option target 'ACCEPT'

config forwarding option dest 'lan'

config forwarding option dest 'wan'

config forwarding option src 'lan'

config forwarding option src 'wan'

config redirect option target 'DNAT' option name 'DNS Redirect' option src 'IOT' option src_dip '8.8.8.8' option src_dport '53' option dest 'IOT' option dest_ip '10.0.2.1' option dest_port '53'

config forwarding option src 'lan' option dest 'IOT'

config forwarding option src 'lan' option dest 'Guest'

config forwarding option src 'lan' option dest 'UIOT'

config rule option name 'WireguardGuest' option src 'wan' option dest_port 'YYYYY' option target 'ACCEPT' list proto 'udp'

config rule list proto 'icmp' option target 'ACCEPT' option src 'IOT' option name 'Allow-ICMP-vlan2' option family 'ipv4'

config rule list proto 'icmp' option target 'ACCEPT' option name 'Allow-ICMP-vlan7' option src 'Guest' option family 'ipv4' list icmp_type 'echo-request'

config rule list proto 'icmp' option src 'UIOT' option target 'ACCEPT' option name 'Allow-ICMP-vlan8' option family 'ipv4' list icmp_type 'echo-request'

AQPSal avatar Jan 08 '22 15:01 AQPSal

I manually deleted the odd-looking config forwarding rules - I have no idea how they got there. Firewall is working now.

However: The firewall status screen in LUCI is blank. Firewall LUCI screen gives me a "TypeError Cannot convert undefined or null to object" on the zones screen upon trying to make any change. The one odd thing is that I cannot ping FE80:: addresses from the router but the router replies if a ping is sent to it to its LL address.

AQPSal avatar Jan 08 '22 16:01 AQPSal

I got the following error when I tried to start firewall4 with "option force_dns 1" inside /etc/config/https-dns-proxy :

```
# fw4 start
ubus rule (ubus:https-dns-proxy[instance1] rule 1) option 'src' specifies invalid value 'lan'
Reference error: left-hand side expression is not an array or object
In infer_family(), file /usr/share/ucode/fw4.uc, line 270, byte 20:
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:2158:5)
  called from function [arrow function] (/usr/share/ucode/fw4.uc:548:85)
  called from function map ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:548:86)
  called from function render_ruleset (/usr/share/firewall4/main.uc:100:24)
  called from anonymous function (/usr/share/firewall4/main.uc:167:28)

 `            if (!obj || obj.family == 0 || obj.family == res)`
  Near here ------------------^
```

KA2107 avatar Jan 11 '22 16:01 KA2107

> I got the following error when I tried to start firewall4 with "option force_dns 1" inside /etc/config/https-dns-proxy :
>
> ```
> # fw4 start
> ubus rule (ubus:https-dns-proxy[instance1] rule 1) option 'src' specifies invalid value 'lan'
> ```

@KA2107 Thank you for testing!

@aparcar @stintel here's the PROCD data used in the init script:

```sh
procd_open_data
json_add_array firewall
for p in $forceDNSPorts; do
	if netstat -tuln | grep 'LISTEN' | grep ":${p}" >/dev/null 2>&1 || [ "$p" = '53' ]; then
		json_add_object ''
		json_add_string type redirect
		json_add_string target DNAT
		json_add_string src lan
		json_add_string proto 'tcp udp'
		json_add_string src_dport "$p"
		json_add_string dest_port "$p"
		json_add_boolean reflection 0
		json_close_object
	else
		json_add_object ''
		json_add_string type rule
		json_add_string src lan
		json_add_string dest '*'
		json_add_string proto 'tcp udp'
		json_add_string dest_port "$p"
		json_add_string target REJECT
		json_close_object
	fi
done
json_close_array
procd_close_data
```

Any idea why lan is invalid value for src in fw4?

stangri avatar Jan 11 '22 20:01 stangri
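As an added example (not code from fw4, https-dns-proxy or any poster in this thread), a small Python checker that parses a `/etc/config/firewall` in UCI syntax and flags the two problems that come up above: `forwarding` sections with only one end, like the "odd-looking" ones AQPSal deleted, and `forwarding`/`rule`/`redirect` sections whose `src` or `dest` names a zone that is not defined in the same file, which is the symptom fw4 reports in KA2107's trace. It only inspects the static file, so it says nothing about rules a service injects through procd/ubus as https-dns-proxy does; the sample config, the `parse_uci` and `check_firewall` names and the message wording are all constructed for this example.

```python
"""Static sanity checks for an OpenWrt /etc/config/firewall in UCI syntax (added example)."""
import shlex
import sys

# Constructed sample modelled on the configs posted in this thread: three zones, one
# sane forwarding, two forwardings with one end missing, and a rule whose src names a
# zone ('Guest') that is never defined in the file.
SAMPLE_CONFIG = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'
    list network 'wan6'

config zone
    option name 'IOT'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'IOT'

config forwarding
    option src 'IOT'
    option dest 'wan'

config forwarding
    option dest 'lan'

config forwarding
    option src 'wan'

config redirect
    option name 'DNS Redirect'
    option target 'DNAT'
    option src 'IOT'
    option src_dport '53'
    option dest 'IOT'
    option dest_ip '10.0.2.1'
    option dest_port '53'

config rule
    option name 'DNS-vlan7'
    option src 'Guest'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into sections: {"type", "name", "options": {k: v}, "lists": {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the 'single quoted' values UCI uses
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            sections.append({"type": args[0], "name": args[1] if len(args) > 1 else None,
                             "options": {}, "lists": {}})
            continue
        if not sections:
            raise ValueError(f"option/list before any config section: {line!r}")
        value = args[1] if len(args) > 1 else ""
        if keyword == "option":
            sections[-1]["options"][args[0]] = value
        elif keyword == "list":
            sections[-1]["lists"].setdefault(args[0], []).append(value)
        else:
            raise ValueError(f"unknown UCI keyword in {line!r}")
    return sections


def check_firewall(sections):
    """Return [(section_label, problem), ...] in file order."""
    zones = {s["options"].get("name") for s in sections if s["type"] == "zone"}
    zones.discard(None)
    problems = []
    for idx, sec in enumerate(sections):
        label = f"{sec['type']}[{idx}] {sec['options'].get('name', '')}".rstrip()
        if sec["type"] == "zone":
            if not sec["options"].get("name"):
                problems.append((label, "zone without a name"))
            continue
        if sec["type"] not in ("forwarding", "rule", "redirect"):
            continue
        for key in ("src", "dest"):
            val = sec["options"].get(key)
            if val is None:
                # A forwarding needs both ends; rules and redirects may legitimately omit one.
                if sec["type"] == "forwarding":
                    problems.append((label, f"forwarding without option {key}"))
                continue
            if val == "*":
                continue  # wildcard: any zone
            if val not in zones:
                problems.append((label, f"option '{key}' specifies invalid value '{val}' (no such zone)"))
    return problems


def main(argv):
    """Check the file given as first argument, or the constructed sample; exit 1 on findings."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    problems = check_firewall(parse_uci(text))
    for label, problem in problems:
        print(f"{label}: {problem}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 fwcheck.py /etc/config/firewall` on a copy of the file pulled off the router; the wildcard `*` is accepted for `src`/`dest` because the thread's own rules use it, and a missing `dest` on a rule is not flagged because input rules omit it by design.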