Gargoyle 1.15.x nftables EXPERIMENTAL BETA - 2025-05-13

[Lantis]

Gargoyle 1.15.x nftables is an EXPERIMENTAL BETA switching Gargoyle from firewall3 (iptables) to firewall4 (nftables). This is a large rewrite of significant portions of the Gargoyle firewall infrastructure and is therefore prone to bugs being introduced.
Please keep in mind that while I need your feedback, I cannot guarantee this as a stable release, and should only be tested by the adventurous and/or those who are willing to troubleshoot and/or rollback to a previous firmware.
The fantastic news is that this release is 100% configuration compatible with the 1.15.x releases in this thread, so you can move back and forth between them as you wish.

This work is a stepping stone to then move to OpenWrt 24.10 based builds, so it is important to get this right and get it finalised.

Configs should generally not be preserved between 1.14 (and earlier) and 1.15.x. Do so at your own risk.

Please provide your feedback (positive or negative). If you do think you've found a problem it would be incredibly helpful if you also verified that the problem did not exist on the firewall3 1.15.x builds. I'm happy to fix bugs that also existed there, but will be focusing on regressions first.

"BETA - 2025-05-13" Notable changes:
- Switched Gargoyle to nftables


Known Issues
- nfs-kernel-server will not work due to a missing config file
- Email notifications may display no content in some mail clients

Downloads
Please find the downloads here
The plugin repositories are also found in the same location.

Blog Post
Click here to read this article on Tales from @Lantis

[Lantis]

As a vote of confidence, I've been running this build on my main router at home for several days without incident.

[phgerin]

Same, testing since a few days on Archer C7 V2, no problems.

[behappy]

Hi Lantis

Can you add Xiaomi Router AX3200 to the gargoyle branch since it is a cheap and effective router. Thanks a lot.

https://openwrt.org/toh/xiaomi/ax3200

[Lantis]

Hi Lantis

Can you add Xiaomi Router AX3200 to the gargoyle branch since it is a cheap and effective router. Thanks a lot.

https://openwrt.org/toh/xiaomi/ax3200

Have you built it yourself and verified it works?
The wiki page has more warnings than a bag of fertiliser. It looks like a device that is very difficult to get right as an end user.

[rg66]

Hi Lantis,

Is this ready to build or are you planning more commits in the near future?

Cheers

[Lantis]

No immediate changes, I’ve merged this work into the master branch.
I am aware of one issue (which was already a problem) with QoS and saving connection marks. Apparently it is fixed in kernel 6.13 which I will attempt to backport at some point.

There are a couple of fixes to WireGuard and Samba which are missing from this build. There’s also a reported issue with mvebu devices which I’m working on tonight.
I will probably provide a new build in the coming days that addresses these. It is likely to be the last build based on OpenWrt 23.05.

My next works (started as well) are getting us up to date with OpenWrt 24.10.

[rg66]

OK, cool. I do use QoS but only to put non static ip's into the slow class and haven't had any problems with it, the rest doesn't apply to my builds. I Will try a build tonight or tomorrow from Master for my Netgear R8000 and test it out for a while.

Thanks

[rg66]

Device Name:Gargoyle
Gargoyle Version:1.15.X (Built 20250614-1644 git@b9d08479)
Model:Netgear R8000 (BCM4709)
Device Configuration:Gateway
Memory Usage:44.2MB / 244.6MB (18%)

Did a lite build, preserved settings and flashed without any problems other than getting logged out every 10 seconds but a reboot sorted that.

It's only been three days but have had no issues at all. I'm using QoS and quotas and everything seems the same using nftables. The system logs are basically the same although I haven't seen any firewall restarts which I was getting before.

Thanks

[rg66]

I'm getting these errors in my logs when saving changes to Restrictions, Quotas or QoS.

Code: Select all

Thu Jun 19 07:42:14 2025 daemon.err uhttpd[2209]: Error: syntax error, unexpected '}'
Thu Jun 19 07:42:14 2025 daemon.err uhttpd[2209]: add rule inet fw4 mangle_qos_egress_bw ip6 saddr {} ct mark set ct mark & 0xF0FFFFFF | 0x0F000000
Thu Jun 19 07:42:14 2025 daemon.err uhttpd[2209]:                                                   ^
Thu Jun 19 07:42:14 2025 daemon.err uhttpd[2209]: Error: syntax error, unexpected '}'
Thu Jun 19 07:42:14 2025 daemon.err uhttpd[2209]: add rule inet fw4 qos_ingress_bw ip6 daddr {} ct mark set ct mark & 0xF0FFFFFF | 0x0F000000
Thu Jun 19 07:42:14 2025 daemon.err uhttpd[2209]:                                             ^
Thu Jun 19 07:42:16 2025 daemon.err uhttpd[2209]: Error: syntax error, unexpected '}'
Thu Jun 19 07:42:16 2025 daemon.err uhttpd[2209]: add rule inet fw4 mangle_qos_egress_bw ip6 saddr {} ct mark set ct mark & 0xF0FFFFFF | 0x0F000000
Thu Jun 19 07:42:16 2025 daemon.err uhttpd[2209]:                                                   ^
Thu Jun 19 07:42:16 2025 daemon.err uhttpd[2209]: Error: syntax error, unexpected '}'
Thu Jun 19 07:42:16 2025 daemon.err uhttpd[2209]: add rule inet fw4 qos_ingress_bw ip6 daddr {} ct mark set ct mark & 0xF0FFFFFF | 0x0F000000
Thu Jun 19 07:42:16 2025 daemon.err uhttpd[2209]: 

Cheers