OpenWRT Switches From iptables To nftables!

So after many years of using and learning iptables, one of my favourite firewalls, I had to translate my command-line ruleset into a new format and syntax. It wasn't too bad, but with the added power and flexibility of nftables it can be harder to find the order and priority of the rules for a given filter hook, for example INPUT. However, I really appreciate how the new firewall incorporates features that I previously had to install via iptables modules such as ipset and hashlimit (which provides the rate limiting).

# Print the chain attached to the given hook, without packet/byte counters.
# Note: the sed pattern is greedy; it removes everything from "counter" up to
# the last digit on the line, so rules with trailing numbers are also trimmed.
hook="input"
nft list ruleset                               \
  | sed -e 's/counter.*[0-9]//g'               \
  | tr '\t' ' ' | tr '\r\n' '~' | tr '{}' '\n' \
  | grep -i "hook.${hook}"                     \
  | tr '~' '\n'                                \
  | grep -i '[a-z]'                            \
  | sed -e 's/^[ ]*//'

The pipeline prints the chain header (type, hook, priority, policy) followed by its rules in order:

type filter hook input priority filter; policy accept;
iifname "lo"  accept
iifname "lan" udp dport 67  accept
iifname "wan" ct state established,related  accept
drop
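The same question (which rules does a packet meet at a hook, and in what order) answered with a small parser instead of sed, as an added example that is not from the post or from OpenWRT: it reads `nft list ruleset` text, tracks brace depth so sets and maps do not break chain boundaries, resolves named priorities to the integers from nft(8), and sorts base chains for a hook by priority. The ruleset embedded below is constructed for the example.

```python
import re
PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0, "security": 50, "srcnat": 100}  # ip/ip6/inet, per nft(8)
HEADER = re.compile(r"type (\S+) hook (\S+) (?:device \S+ )?priority ([^;]+);(?: policy (\S+);)?")
COUNTER = re.compile(r"counter packets \d+ bytes \d+ ?")  # bounded, unlike the greedy 's/counter.*[0-9]//'

def parse_priority(expr):
    """'filter', '-150' or 'filter + 10' -> integer hook priority."""
    m = re.fullmatch(r"([a-z]+|-?\d+)(?: *([+-]) *(\d+))?", expr.strip())
    base = PRIORITY_NAMES[m[1]] if m[1] in PRIORITY_NAMES else int(m[1])
    return base + (int(m[3]) if m[2] == "+" else -int(m[3])) if m[2] else base

def parse_ruleset(text):
    """Parse `nft list ruleset` text into chain dicts; brace depth is tracked so sets, maps and inline { } do not end a chain early."""
    chains, table, chain, depth = [], None, None, 0
    for line in (l.strip() for l in text.splitlines()):
        if depth == 0 and (m := re.match(r"table (\S+) (\S+) \{", line)):
            table = f"{m[1]} {m[2]}"
        elif depth == 1 and (m := re.match(r"chain (\S+) \{", line)):
            chain = {"table": table, "name": m[1], "hook": None, "priority": None, "policy": None, "rules": []}
            chains.append(chain)
        elif chain and line and line != "}":
            if m := HEADER.match(line):  # base-chain header line
                chain["hook"], chain["policy"], chain["priority"] = m[2], m[4], parse_priority(m[3])
            else:
                chain["rules"].append(COUNTER.sub("", line).strip())
        depth += line.count("{") - line.count("}")
        if depth < 2:  # left the chain body
            chain = None
    return chains

def evaluation_order(chains, hook):
    """Rules a packet meets at `hook`: base chains in ascending priority (equal priorities have no guaranteed order)."""
    base = sorted((c for c in chains if c["hook"] == hook), key=lambda c: c["priority"])
    return [f'{c["table"]} {c["name"]}[{c["priority"]}]: {r}' for c in base for r in c["rules"]]

# Constructed sample in `nft list ruleset` format (not a real fw4 dump).
SAMPLE = """\
table inet fw4 {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lo" counter packets 10 bytes 800 accept
        iifname "lan" udp dport 67 counter packets 2 bytes 656 accept
        iifname "wan" ct state established,related counter packets 5 bytes 500 accept
        counter packets 1 bytes 60 drop
    }
    chain mangle_input {
        type filter hook input priority mangle; policy accept;
        iifname "wan" tcp flags syn tcp option maxseg size set rt mtu
    }
}
"""
```

Call `evaluation_order(parse_ruleset(SAMPLE), "input")` to see that the mangle chain (priority -150) is listed before the filter chain (priority 0) even though it appears later in the dump; on a router, pass the output of `nft list ruleset` instead of SAMPLE.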