Certain upstream switch to firewall4 aka nftables instead of iptables #731

Closed
1 task done
aparcar opened this issue Oct 6, 2021 · 18 comments · Fixed by #812
Comments

@aparcar (Member) commented Oct 6, 2021

Hi all, especially @openwrt/routing-write,

for the next OpenWrt release firewall4 is considered as a replacement of the current iptables based firewall package. While the configuration stays within /etc/config/firewall, packages using iptables directly may see trouble.

This is a heads up for everyone maintaining such packages, but please also post packages here that would be affected so a smoother migration is possible.

Compatible with firewall4:

  • OLSR

Heads up for packages.git: openwrt/packages#16818
Heads up for luci.git: openwrt/luci#5409

@PolynomialDivision (Member)

OLSR is affected.

@pmelange (Contributor)

OLSR is affected.

with a git grep -i iptables i see that nodogsplash and opennds both require "iptables-mod-ipopt". What would be the equivalent package in fw4?

In OLSR, it seems like only olsrd/files/olsrd.sh is using iptables and ip6tables in a script. Is there a syntax change on the command line going from iptables to fw4?

I didn't look at any of the source code of any of the packages, just at the repo itself.

@pmelange (Contributor)

I just did a git grep -i kmod-ipt and the following have kmod dependencies:

bmx6
bmx7

@zioproto (Contributor)

@PolynomialDivision is the olsrd core code affected, or is it an extension/plugin? Is it just the Smart Gateway extension that is broken?

@aparcar (Member, Author) commented Jan 7, 2022

@openwrt/routing-write heads up, firewall4 gets into a fine state (thanks to @stintel and @jow-) and I'm planning to make it the default within the next week. For all scripts that require legacy iptables, please test your apps with iptables-nft and report back!

@bluewavenet (Contributor)

@aparcar
Where is iptables-nft? (It is probably hidden in clear sight, ie I can't find it :-D )
openNDS works fine with it on "Generic Linux" eg Debian, et al, so should be good here as well at least as an interim solution.

@wfleurant (Member) commented Jan 11, 2022

I found something in LuCI. When I Save & Apply a rule under "Traffic Rules" it does not restart the firewall.
When manually running /etc/init.d/firewall restart, all of the rules I enabled/disabled work as expected.
Compiled against your aparcar/openwrt:fw4 (8af05a1), tested on rpi4.

My fault, I didn't see the link to openwrt/luci#5409. Infinity thanks @aparcar

@castillofrancodamian

> @aparcar Where is iptables-nft? (It is probably hidden in clear sight, ie I can't find it :-D ) openNDS works fine with it on "Generic Linux" eg Debian, et al, so should be good here as well at least as an interim solution.

The iptables-nft package is already there.

@aparcar aparcar changed the title Possible upstream switch to firewall4 aka nftables instead of iptables Certain upstream switch to firewall4 aka nftables instead of iptables Jan 19, 2022
@aparcar (Member, Author) commented Jan 19, 2022

As discussed at yesterday's meeting I merged the changes. The next release will use firewall4 as default and all incompatible packages (e.g. using ipset) should add a negative dependency. Our considerations are that the default (WiFi home router) setup works fine with firewall4 and special cases can always replace firewall4 with firewall3, which should work at least until the upcoming 5.15 kernels.

PolynomialDivision added a commit to PolynomialDivision/routing that referenced this issue Feb 27, 2022
Firewall4 uses nftables instead of iptables. Use iptables-nft for
installing smart-gw-rules.

Fixes: openwrt#731 ("Certain upstream switch to firewall4 aka nftables instead
of iptables")

Signed-off-by: Nick Hainke <[email protected]>
@PolynomialDivision (Member) commented Feb 28, 2022

Firewall4 fails when adding:

config rule
        option name 'DSCP olsr'
        list proto 'udp'
        option dest 'freifunk'
        option dest_port '698'
        option target 'DSCP'
        option set_dscp 'EF'
/proc/self/fd/0:182:21-27: Error: Byteorder mismatch: expected big endian, got host endian

@jow-

@jow- (Contributor) commented Mar 1, 2022

Please attach the output of fw4 print. Looks like an nftables upstream bug though

@PolynomialDivision (Member)

table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Set definitions
	#


	#
	# Defines
	#

	define freifunk_devices = { "switch0.42", "wlan5-mesh", "wg_*" }
	define freifunk_subnets = { 10.31.96.0/28, 2001:bf7:830:8901::/64, 10.31.96.16, 2001:bf7:830:89ff::1 }
	define dhcp_devices = { "br-dhcp" }
	define dhcp_subnets = { 10.31.142.128/25, 2001:bf7:830:8900::/64 }

	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy accept;

		iifname "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "wg_*" jump input_freifunk comment "!fw4: Handle freifunk IPv4/IPv6 input traffic"
		iifname { "switch0.42", "wlan5-mesh" } jump input_freifunk comment "!fw4: Handle freifunk IPv4/IPv6 input traffic"
		iifname "br-dhcp" jump input_dhcp comment "!fw4: Handle dhcp IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "wg_*" jump forward_freifunk comment "!fw4: Handle freifunk IPv4/IPv6 forward traffic"
		iifname { "switch0.42", "wlan5-mesh" } jump forward_freifunk comment "!fw4: Handle freifunk IPv4/IPv6 forward traffic"
		iifname "br-dhcp" jump forward_dhcp comment "!fw4: Handle dhcp IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;

		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname "wg_*" jump output_freifunk comment "!fw4: Handle freifunk IPv4/IPv6 output traffic"
		oifname { "switch0.42", "wlan5-mesh" } jump output_freifunk comment "!fw4: Handle freifunk IPv4/IPv6 output traffic"
		oifname "br-dhcp" jump output_dhcp comment "!fw4: Handle dhcp IPv4/IPv6 output traffic"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_freifunk {
		jump accept_from_freifunk
	}

	chain output_freifunk {
		jump accept_to_freifunk
	}

	chain forward_freifunk {
		meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter jump accept_to_dhcp comment "!fw4: Allow-ICMPv6-Forward-dhcp"
		meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter jump accept_to_dhcp comment "!fw4: Allow-ICMPv6-Forward-dhcp"
		jump accept_to_freifunk comment "!fw4: Accept freifunk to freifunk forwarding"
		jump reject_to_freifunk
	}

	chain accept_from_freifunk {
		iifname "wg_*" counter accept comment "!fw4: accept freifunk IPv4/IPv6 traffic"
		iifname { "switch0.42", "wlan5-mesh" } counter accept comment "!fw4: accept freifunk IPv4/IPv6 traffic"
	}

	chain accept_to_freifunk {
		oifname "wg_*" counter accept comment "!fw4: accept freifunk IPv4/IPv6 traffic"
		oifname { "switch0.42", "wlan5-mesh" } counter accept comment "!fw4: accept freifunk IPv4/IPv6 traffic"
	}

	chain reject_to_freifunk {
		oifname "wg_*" counter jump handle_reject comment "!fw4: reject freifunk IPv4/IPv6 traffic"
		oifname { "switch0.42", "wlan5-mesh" } counter jump handle_reject comment "!fw4: reject freifunk IPv4/IPv6 traffic"
	}

	chain input_dhcp {
		jump accept_from_dhcp
	}

	chain output_dhcp {
		jump accept_to_dhcp
	}

	chain forward_dhcp {
		jump accept_to_freifunk comment "!fw4: Accept dhcp to freifunk forwarding"
		jump reject_to_dhcp
	}

	chain accept_from_dhcp {
		iifname "br-dhcp" counter accept comment "!fw4: accept dhcp IPv4/IPv6 traffic"
	}

	chain accept_to_dhcp {
		oifname "br-dhcp" counter accept comment "!fw4: accept dhcp IPv4/IPv6 traffic"
	}

	chain reject_to_dhcp {
		oifname "br-dhcp" counter jump handle_reject comment "!fw4: reject dhcp IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}


	#
	# Raw rules (notrack & helper)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname "wg_*" jump helper_freifunk comment "!fw4: freifunk IPv4/IPv6 CT helper assignment"
		iifname { "switch0.42", "wlan5-mesh" } jump helper_freifunk comment "!fw4: freifunk IPv4/IPv6 CT helper assignment"
		iifname "br-dhcp" jump helper_dhcp comment "!fw4: dhcp IPv4/IPv6 CT helper assignment"
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain helper_freifunk {
	}

	chain helper_dhcp {
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type filter hook output priority mangle; policy accept;
		meta nfproto ipv4 oifname { "switch0.42", "wlan5-mesh", "wg_*" } udp dport 698 counter ip dscp set 0x2e comment "!fw4: DSCP olsr"
		meta nfproto ipv6 oifname { "switch0.42", "wlan5-mesh", "wg_*" } udp dport 698 counter ip6 dscp set 0x2e comment "!fw4: DSCP olsr"
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
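jow- asked for the fw4 print output because it shows what the UCI rule was actually compiled into: every rule fw4 generates carries a comment "!fw4: <rule name>", and the chain that holds it tells you the hook and priority it runs at. As an added example, not part of this thread or of the fw4 project, the POSIX shell/awk snippet below reads such output from stdin and reports, for every rule with a given "!fw4: ..." comment, the chain it landed in, that chain's hook and priority, and the DSCP value it sets. The embedded ruleset is a constructed cut-down copy of the output posted above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue thread or from fw4): locate a UCI rule in
# `fw4 print` output by its "!fw4: <name>" comment.

# Constructed excerpt modelled on the ruleset posted in the thread.
SAMPLE_RULESET='table inet fw4 {
    chain mangle_output {
        type filter hook output priority mangle; policy accept;
        meta nfproto ipv4 oifname { "switch0.42", "wlan5-mesh", "wg_*" } udp dport 698 counter ip dscp set 0x2e comment "!fw4: DSCP olsr"
        meta nfproto ipv6 oifname { "switch0.42", "wlan5-mesh", "wg_*" } udp dport 698 counter ip6 dscp set 0x2e comment "!fw4: DSCP olsr"
    }
    chain mangle_forward {
        type filter hook forward priority mangle; policy accept;
    }
}'

# fw4_find_rule NAME
# Reads a ruleset on stdin; prints "<chain> <hook> <priority> <rule>" for each
# rule whose comment is exactly "!fw4: NAME". Chains without a "type ... hook"
# line (regular, non-base chains) are reported with hook/priority "-".
fw4_find_rule() {
    awk -v want="!fw4: $1" '
        /^[[:space:]]*chain [A-Za-z0-9_]+ [{]/ { chain = $2; hook = "-"; prio = "-"; next }
        /^[[:space:]]*type .* hook .* priority / {
            for (i = 1; i <= NF; i++) {
                if ($i == "hook") hook = $(i + 1)
                if ($i == "priority") { prio = $(i + 1); sub(/;$/, "", prio) }
            }
            next
        }
        index($0, "comment \"" want "\"") {
            line = $0; sub(/^[[:space:]]+/, "", line)
            print chain, hook, prio, line
        }
    '
}

# fw4_dscp_values NAME
# Prints the distinct values that matching rules pass to "dscp set".
fw4_dscp_values() {
    fw4_find_rule "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "dscp" && $(i + 1) == "set") print $(i + 2) }
    ' | sort -u
}

# dscp_hex_to_dec HEX
# nft prints the DSCP as hex; the UCI option set_dscp EF should land as 0x2e (46).
dscp_hex_to_dec() {
    echo $(( $1 ))
}

# Stand-alone run on the constructed sample. On a live router use:
#   fw4 print | fw4_find_rule 'DSCP olsr'
printf '%s\n' "$SAMPLE_RULESET" | fw4_find_rule 'DSCP olsr'
printf 'dscp values: %s\n' "$(printf '%s\n' "$SAMPLE_RULESET" | fw4_dscp_values 'DSCP olsr')"
```

Run on the sample this shows both the IPv4 and the IPv6 variant of "DSCP olsr" in mangle_output, hook output at priority mangle, both setting 0x2e. If a rule is missing from the output, fw4 never emitted it, so a byteorder error like the one reported here is a compile-time rejection rather than a rule that silently does nothing.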

@dave14305

> Please attach the output of fw4 print. Looks like an nftables upstream bug though

Like this one?
http://git.netfilter.org/nftables/commit/?id=4788869a3346b5b3f1f6a3cdb12fdf79da961ef9

nftables 1.0.2 was released recently.

PolynomialDivision added a commit to PolynomialDivision/routing that referenced this issue Mar 5, 2022
Firewall4 uses nftables instead of iptables. Use iptables-nft for
installing smart-gw-rules.

Fixes: openwrt#731 ("Certain upstream switch to firewall4 aka nftables instead
of iptables")

Signed-off-by: Nick Hainke <[email protected]>
PolynomialDivision added a commit to PolynomialDivision/routing that referenced this issue Mar 6, 2022
Firewall4 will not ship iptables as default. However, we need iptables for
installing smart-gw-rules.

Instead of using the original iptables, we can also use iptables-nft:
  ... iptables-nft parses the iptables syntax on command line, creates
  appropriate nftables commands, packs them into netlink messages and
  submits them to kernel.
  https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall

Since commit 795e7155cbe3 ("iptables: rename to ip(6)tables-legacy,
add PROVIDES") it is enough to include iptables as dependency to install
iptables-nft [0]. iptables-nft also PROVIDES iptables.

Fixes: openwrt#731 ("Certain upstream switch to firewall4 aka nftables instead
of iptables")

- [0] https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=795e7155cbe3e78669f6821bf7aecb7c4e1e1afb

Signed-off-by: Nick Hainke <[email protected]>
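The commit above relies on iptables-nft providing iptables, and aparcar's earlier request was that scripts still calling the iptables binary be tested against iptables-nft. As an added example that is not part of the commit, the olsrd package or OpenWrt, the POSIX shell snippet below classifies whichever iptables binary is installed from its -V output (iptables 1.8 and later print a "(nf_tables)" or "(legacy)" suffix; older builds print only the version) so a package script can bail out with a clear message instead of inserting rules with a legacy x_tables build on a firewall4 system. Function names are assumptions, and the version strings in the comments and test are constructed.

```shell
#!/bin/sh
# Added example (not from the olsrd package or from OpenWrt): check which
# iptables flavour is installed before a script inserts rules next to fw4.

# iptables_backend VERSION_LINE
# Classifies one line of `iptables -V` output:
#   "iptables v1.8.7 (nf_tables)" -> nf_tables
#   "iptables v1.8.7 (legacy)"    -> legacy
#   "iptables v1.6.2"             -> legacy   (pre-1.8 builds print no flavour)
#   anything else                 -> unknown
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*)   echo nf_tables ;;
        *"(legacy)"*)      echo legacy ;;
        "ip"*"tables v"*)  echo legacy ;;
        *)                 echo unknown ;;
    esac
}

# detect_iptables_backend [BINARY]
# Runs the real binary (default: iptables) and classifies it; prints "missing"
# when it is not on PATH (or, for an absolute path, not executable).
detect_iptables_backend() {
    bin="${1:-iptables}"
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    iptables_backend "$("$bin" -V 2>/dev/null)"
}

# require_nft_iptables [BINARY]
# Returns 0 when BINARY is the nf_tables flavour and therefore shares the
# kernel backend fw4 uses; otherwise prints why on stderr and returns 1.
# Intended as a guard before e.g. smart-gateway rules are installed.
require_nft_iptables() {
    bin="${1:-iptables}"
    backend="$(detect_iptables_backend "$bin")"
    case "$backend" in
        nf_tables) return 0 ;;
        missing)   echo "$bin: not installed; on firewall4 install iptables-nft" >&2; return 1 ;;
        legacy)    echo "$bin: legacy x_tables build (needs kmod-ipt-*); install iptables-nft instead" >&2; return 1 ;;
        *)         echo "$bin: unrecognised -V output" >&2; return 1 ;;
    esac
}

# Stand-alone run: report the flavour of iptables and ip6tables on this host.
for b in iptables ip6tables; do
    echo "$b backend: $(detect_iptables_backend "$b")"
done
```

A script that guards its rule installation with "require_nft_iptables || exit 1" fails loudly on an image where only iptables-legacy (or no iptables at all) is present, which is the case the thread is about; on a firewall4 image with iptables-nft it proceeds unchanged.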
@BKPepe (Member) commented Mar 6, 2022

> nftables 1.0.2 was released recently.

openwrt/openwrt#9402

@PolynomialDivision (Member) commented Mar 6, 2022

Sorry for closing. This was automatically done by merging a PR.

@BKPepe (Member) commented Mar 6, 2022

Why was this re-opened? It is not clear to me. The OP issue was solved. The issues related to nftables or firewall4 should be moved somewhere else. :)

@PolynomialDivision (Member)

Probably @aparcar wants to decide when to close. ;)

@aparcar (Member, Author) commented Mar 7, 2022

If OLSR is the only package affected by firewall4 this can be closed.

10 participants