My nftables are working fine after the migration. However, the migrated configuration looks quite messy. How can i reset it to default? I will gladly do custom configuration again, but I would like to eliminate the migration mess.
Describe mess. And post /etc/config/firewall redacting personal info
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
option forward 'DROP'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option sentinel_dynfw '1'
option sentinel_fwlogs '1'
option sentinel_minipot '1'
option haas_proxy '1'
option masq '1'
option mtu_fix '1'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone 'guest_turris'
option name 'tr_guest'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option enabled '0'
list network 'guest_turris'
config rule 'guest_turris_dns_rule'
option name 'guest dns rule'
option src 'tr_guest'
option proto 'tcpudp'
option dest_port '53'
option target 'ACCEPT'
option enabled '0'
config rule 'guest_turris_dhcp_rule'
option name 'guest dhcp rule'
option src 'tr_guest'
option proto 'udp'
option src_port '67-68'
option dest_port '67-68'
option target 'ACCEPT'
option enabled '0'
config rule 'guest_turris_Allow_DHCPv6'
option src 'tr_guest'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '546-547'
option dest_ip 'fe80::/10'
option dest_port '546-547'
option family 'ipv6'
option target 'ACCEPT'
config rule 'guest_turris_Allow_MLD'
option src 'tr_guest'
option proto 'icmp'
option src_ip 'fe80::/10'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
config rule 'guest_turris_Allow_ICMPv6_Input'
option src 'tr_guest'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
config rule 'wan_ssh_turris_rule'
option name 'wan_ssh_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '22'
option proto 'tcp'
option src 'wan'
config rule
option src 'wan'
option target 'ACCEPT'
option dest_port '12345'
option name 'wan_ssh_12345'
list proto 'tcp'
config rule 'wan_http_turris_rule'
option name 'wan_http_turris_rule'
option enabled '1'
option target 'ACCEPT'
option dest_port '80'
option proto 'tcp'
option src 'wan'
config rule 'wan_https_turris_rule'
option name 'wan_https_turris_rule'
option target 'ACCEPT'
option dest_port '443'
option proto 'tcp'
option src 'wan'
config rule 'turris_wan_6in4_rule'
option enabled '0'
config rule 'turris_wan_6to4_rule'
option enabled '0'
option target 'ACCEPT'
list proto 'tcp'
config redirect
option dest_port '22'
option src 'wan'
option src_dport '22'
option dest 'lan'
option dest_ip '10.x.x.x'
option target 'DNAT'
option name 'gitlab_ssh'
config redirect
option dest_port '80'
list proto 'tcp'
option src_dport '80'
option dest 'lan'
option dest_ip '10.x.x.x'
option src 'wan'
option target 'DNAT'
option name 'nginx_http'
config redirect
option dest_port '443'
list proto 'tcp'
option src_dport '443'
option dest 'lan'
option dest_ip '10.x.x.x'
option src 'wan'
option target 'DNAT'
option name 'nginx_https'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config forwarding
option dest 'lan'
option src 'wan'
config include 'sentinel_firewall'
option type 'script'
option path '/usr/libexec/sentinel/firewall.sh'
So your rules are fine. The warning is there probabbly because you have iptables-legacy installed. Get rid of that and optionally install iptables-nft for compatibility with mwan3 for example and the warning should go away.
As for the include parts you may add specifically:
option fw4_compatible '1'
Edit: which version of TOS are you on? Because I remember that some eairlier update fixed that automatically.
I found it!
It suppose to be done in 7.1.3:
root@router:~# opkg update > /dev/null && opkg list | grep fix-iptables-to-nftables
fix-iptables-to-nftables-packages - 1-65 - Change iptables version of packages to nftables if installed.
Its still there in the repo as package. So you may try to install it. Not sure how to actually run it.