luci: custom firewall rules don't show up with fw4

[YoavNahumus]

Is there an existing issue for this?

• I have searched the existing issues

screenshots or captures

No response

Actual behaviour

In the network>firewall tab of the GUI, the custom rules tab does not show up
I was able to fix this by removing the dependency of /usr/share/fw3/helpers.conf from the
/usr/share/luci/menu.d/luci-app-firewall.json file

Expected behaviour

The custom tab in the firewall will show up and allow the user to put nftables commands for rules

Steps to reproduce

go to: Network -> Firewall and look at the tabs on a device using firewall4

Additional Information

NAME="OpenWrt"
VERSION="23.05.2"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 23.05.2"
VERSION_ID="23.05.2"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r23630-842932a63d"
OPENWRT_BOARD="ipq40xx/generic"
OPENWRT_ARCH="arm_cortex-a7_neon-vfpv4"
OPENWRT_TAINTS="no-all busybox"
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 23.05.2 r23630-842932a63d"

What browsers do you see the problem on?

No response

Relevant log output

No response

[PalebloodSky]

Why not start with latest stable, 23.05.5, to make sure it's not fixed?

[YoavNahumus]

Why not start with latest stable, 23.05.5, to make sure it's not fixed?

the luci-app-firewall.json still has the dependency there

[systemcrash]

In the network>firewall tab of the GUI, the custom rules tab does not show up I was able to fix this by removing the dependency of /usr/share/fw3/helpers.conf from the /usr/share/luci/menu.d/luci-app-firewall.json file

One of the many idiosyncrasies in the system: it's a hold-over from fw3 days. Not everyone runs fw4; some still use iptables, and the custom rules window is meant for fw3 and iptables commands.

Those are written to /etc/firewall.user.

https://github.com/openwrt/firewall4/blob/dfbcc1cd127c78fc61bb870d36d2512b571d223b/root/usr/share/ucode/fw4.uc#L3210-L3212

https://github.com/openwrt/firewall4/blob/dfbcc1cd127c78fc61bb870d36d2512b571d223b/tests/06_includes/02_firewall.user_include#L42-L57

[brada4]

You can add inserts to rules in /etc/nftables.d/*.nft
They go in

table inet fw4 {
   ... setup interfaces variables....
   ... offload if present ...

... your file starts ....
   chain yourchain {
     hook xxx prio yyy;
      iifname lo counter
   }
... your file ends ....

  ... bulk of generated rules ...

Or in /usr/share in other places.

some deeply creative rules like maps vmaps are not yet parsed.

[systemcrash]

Perhaps we can parse that folder content as an alternative when the user runs fw4.
@stokito @dannil @Ramon00 any takers for that?

[stokito]

I'm not an expert here. It looks like the /usr/sbin/nft list ruleset command returns all the rules.
The nft format looks so similar to JSON but it isn't.
I think there should be the ubus/rpcd service to show the nfts and it may convert them to json.

The first that I found is some script in Python
https://github.com/RedHatInsights/insights-core/blob/master/insights/parsers/nftables.py
Maybe ChatGPG can convert or write from scratch.

[systemcrash]

/usr/sbin/nft --json?

[stokito]

oh, didn't know about it /usr/sbin/nft --json list ruleset works. Then it should be enough to implement UI, right?

[systemcrash]

That's basically what the firewall status page uses so I don’t see why not. Although here the idea was actual file content. What did you have in mind?

[Ramon00]

Is it just an matter of removing the depend?
"admin/network/firewall/custom": { "title": "Custom Rules", "order": 50, "action": { "type": "view", "path": "firewall/custom" }, "depends": { "fs": { "/usr/share/fw3/helpers.conf": "file" } } }

[skleeschulte]

One of the many idiosyncrasies in the system: it's a hold-over from fw3 days. Not everyone runs fw4; some still use iptables, and the custom rules window is meant for fw3 and iptables commands.

Those are written to /etc/firewall.user.

The wiki says it a bit different: Custom rule inclusion through a shell script works similarly as fw3, but the script should use nftables. (See Config include section with shell script)

Adding rules with shell commands can be a quick and easy way to test rules, e.g. just copy some commands from a tutorial and restart the firewall.

My use case is another one: On OpenWrt 23.05.5 with fw4 I installed packages iptables-nft and iptables-mod-ipopt to be able to increase packages' ttl, which apparently cannot be done with nftables. I created /etc/firewall.user, chmod it to 0600 and added to the file:

iptables -t mangle -F
iptables -t mangle -A PREROUTING -i br-lan -d 239.255.255.250 -j TTL --ttl-inc 1

Works like a charm, and would be handy to be able to do it from the GUI.

[brada4]

ttl-inc option is not ported to iptables-nft.

iptables-translate -t mangle -A PREROUTING -i br-lan -d 239.255.255.250 -j TTL --ttl-inc 1
iptables-translate v1.8.10 (nf_tables): unknown option "--ttl-inc"
Try `iptables-translate -h' or 'iptables-translate --help' for more information.

[brada4]

You have to use set ttl probably with

map ttlinc ttl : ttl {
  1:2 .2:3 .... 254:255
}

(not guaranteed to work, jut meta-guess that it coudl)

[skleeschulte]

ttl-inc option is not ported to iptables-nft.

iptables-translate -t mangle -A PREROUTING -i br-lan -d 239.255.255.250 -j TTL --ttl-inc 1
iptables-translate v1.8.10 (nf_tables): unknown option "--ttl-inc"
Try `iptables-translate -h' or 'iptables-translate --help' for more information.

On my system, the output looks different:

root@openwrt:~# iptables-translate -t mangle -A PREROUTING -i br-lan -d 239.255.255.250 -j TTL --ttl-inc 1
nft # -t mangle -A PREROUTING -i br-lan -d 239.255.255.250 -j TTL --ttl-inc 1

The commands in /etc/firewall.user listed in my post above also work well - an xt-ttl-rule is added to nftables and the ttl-inc rule is added to iptables. Maybe the package iptables-mod-ipopt is missing in your test-environment?

But my main point was: there are use cases for using command line firewall rules with fw4/nftables, and thus it would still be nice to have an easy way to edit /etc/firewall.user.

[brada4]

I have xt bridge blacklisted intentionally.