Certain upstream switch to `firewall4` aka `nftables` instead of `iptables`

[aparcar]

Hi all, especially @openwrt/packages-write,

for the next OpenWrt release firewall4 is considered as a replacement of the current iptables based firewall package. While the configuration stays within /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads up for everyone maintaining such packages but also please post packages here that would be affected so a smother migration is possible.

Compatible with firewall4:

• acme
• adblock
• apfree-wifidog
• banip
• bcp38
• collectd (iptables plugin still uses iptables, no nftables plugin)
• coova-chilli
• dockerd
• etherwake-nfqueue
• fail2ban
• frr
• fwknop
• gnunet
• https-dns-proxy
• jool
• keepalived keepalived: enable nftables filtering #18058
• libreswan
• miniupnpd miniupnpd: bump version, drop igdv1 variant, add nftables support #17094
• mwan3 mwan3: update to version 2.11.0 #17940 only via iptables-nft
• phantap
• podman via dcbef6f
• pppossh
• redsocks
• shadowsocks-libev ((shadowsocks-libev: convert to using nft #17937)
• shorewall
• shorewall6
• shorewall6-lite
• shorewall-lite
• simple-adblock
• sqm-scripts
• strongswan
• trafficshaper
• uacme
• v2raya (v2raya: add iptables as dependency #18052)
• vpnbypass
• vpnc-scripts
• vpn-policy-routing
• wifidog
• xtables-addons

Heads up for routing.git: openwrt/routing#731
Heads up for luci.git: openwrt/luci#5409

[feckert]

As the package maintainer of the mwan3, I would also like to know what I have to do to make the mwan3 fit for nftables.
I did see that there was a firewall4, but I wasn't aware that it should already include as default firewall backend in the next release!

[aparcar]

It's possible, an idea to be discussed. There is no definite decision yet, however ideally maintainer start looking at firewall4 to have an idea what could change. Long term there might be a firewall5 package using eBPF things are moving :)

[ldir-EDB0]

My concern is over 'ipset' equivalent functionality support. dnsmasq v2.87 (not yet released) has immature support. adblock & banip rely heavily on ipsets and will need adjusting.
miniupnpd has nftables support, the integration into fw4 will need looking it.

[tohojo]

Is the plan to ship the iptables-nft compability binary? And is there an overview somewhere of how firewall4 differs in which table names it uses compared with firewall3?

Off the top of my head, at least sqm-scripts and bcp38 contain iptables invocations.

[feckert]

Also acme does some iptables command

packages/net/acme/files/run.sh

Lines 127 to 133 in 6c73457

	done
	iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
	ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
	debug "v4 input_rule: $(iptables -nvL input_rule)"
	debug "v6 input_rule: $(ip6tables -nvL input_rule)"
	return 0

[tohojo]

On 6 October 2021 12:31:12 CEST, Florian Eckert ***@***.***> wrote: Also acme does some iptables command https://github.com/openwrt/packages/blob/6c73457c09f838279b240bef59730cbff60ae799/net/acme/files/run.sh#L127-L133

Ah yes, so it does - totally forgot about that. Thanks for the reminder!

[dibdot]

adblock is purely DNS and doesn't use any direct iptables calls. Maybe simple-adblock is affected here - I don't know.

[alexeys85]

collectd iptables plugin depends on libiptc as far as I know

[luizluca]

I would expand the list a little further:

feeds/packages $ grep -E "(ip6?tables(-save|-restore)?( |$|\"|'|\))|lib/iptables|\+iptables)" -R */ | cut -d/ -f2 | sort -u
acme
adblock
apfree-wifidog
banip
bcp38
collectd
coova-chilli
dockerd
etherwake-nfqueue
fail2ban
frr
fwknop
gnunet
https-dns-proxy
jool
keepalived
libreswan
miniupnpd
mwan3
podman
pppossh
redsocks
shadowsocks-libev
shorewall
shorewall6
shorewall6-lite
shorewall-lite
simple-adblock
sqm-scripts
strongswan
trafficshaper
uacme
v2raya
vpnbypass
vpnc-scripts
vpn-policy-routing
wifidog
xtables-addons

Except from shorewall and xtables-addons, which are clearly not compatible with firewall4/nftable, the rest is still open. Anything that depends on iptables or calls iptables(-save/-restore) needs some testing, specially if iptables-nft is in use.

Maybe we could edit this issue description mentioning maintainers after the package to ping them all?

I doubt that iptables-nft will be installed by default and I think fw3 will still be available as a fallback. It would be interesting to see how we deal with dependencies when both standard iptables and iptables-nft are available and the user could either use fw3 or fw4. Some packages might require iptables/nftables flavors.

[aparcar]

@luizluca the adblock packages mentions iptables in it's readme

adblock does not use error prone external iptables rulesets

[aparcar]

@stangri please track those packages here and not at luci.git

https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing
https://github.com/openwrt/packages/tree/master/net/vpnbypass

I've also started working on a fork of the former called pbr and it's also iptables-dependent.