Differences

This shows you the differences between two versions of the page.

releases:22.03:notes-22.03.0 [2022/09/05 18:31] – download links hauke
releases:22.03:notes-22.03.0 [2022/09/05 21:13] – [Firewall4 based on nftables] zorun
Line 46: Line 46:
 ==== Firewall4 based on nftables ==== ==== Firewall4 based on nftables ====
  
-Firewall4 is used by default instead of ''firewall3'' in the OpenWrt default images. Firewall4 uses nftables instead of iptables to configure the Linux netfilters.+Firewall4 is used by default, superseding the iptables-based firewall3 implementation in the OpenWrt default images. Firewall4 uses nftables instead of iptables to configure the Linux netfilter ruleset.
  
-Firewall4 uses the same UCI firewall configuration syntax. Old firewall configurations should still work with firewall4they will simply use nftables as a backend.+Firewall4 keeps the same the UCI firewall configuration syntax and should work as a drop-in replacement for fw3 with most common setupsemitting nftables rules instead of iptables ones.
  
-However, including custom iptables rules is no longer possible. Firewall4 allows to include nftables snippets instead, see [[docs:guide-user:firewall:firewall_configuration#includes_for_2203_and_later_with_fw4|firewall includes with fw4]]. Some community packages that add firewall rules might not work for now, and will need to be adapted to fw4.+Including custom firewall rules through /etc/firewall.user still works, but requires marking the file as compatible first, otherwise it is ignored. Firewall4 additionally allows to include nftables snippets. The [[docs:guide-user:firewall:firewall_configuration|firewall documentation]] explains how to include custom firewall rules with firewall4. Some community packages that add firewall rules might not work for now, and will need to be adapted to fw4: this will happen gradually throughout the lifetime of the 22.03 release series. 
 + 
 +The legacy iptables utilities are not included in the default images anymore, but can be added back using opkg or the [[docs:guide-user:additional-software:imagebuilder|Image Builder]] if needed. The transitional packages ''iptables-nft'', ''arptables-nft'', ''ebtables-nft'' and ''xtables-nft'' can be used to create nftables rules using the old iptables command line syntax.
  
-''iptables'' is not included in the default images anymore, it can be added with opkg or [[docs:guide-user:additional-software:imagebuilder|ImageBuilder]] if needed. The packages ''iptables-nft'', ''arptables-nft'', ''ebtables-nft'' and ''xtables-nft'' provide the known command line interface from the old tools, but they will create nftables entries instead.  
  
 ==== Many new devices added ==== ==== Many new devices added ====
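Review bot: In the added paragraph on /etc/firewall.user, "requires marking the file as compatible first, otherwise it is ignored" does not say how the file is marked, and the link that follows now targets the firewall documentation page as a whole instead of the removed #includes_for_2203_and_later_with_fw4 anchor. Someone upgrading from firewall3 with custom rules in that file gets no direct pointer to the step that keeps those rules loaded, and an ignored include means the rules are simply not applied. Suggest naming the setting in this sentence or restoring a link to the includes section. Two wording points in the same hunk: "keeps the same the UCI firewall configuration syntax" has a duplicated "the", and "allows to include nftables snippets" reads better as "allows including nftables snippets".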
  • Last modified: 2022/09/09 14:01
  • by tmomas