In OpenWrt 23 the default firewall is fw4, which is built on nftables; the nftables counterpart of dnsmasq's ipset directive is nftset. This post walks through building gfwlist-based redirect rules for shadowsocks (ss-redir) with dnsmasq-full, nftset and nftables.

Edit /etc/nftables.d/gfwlist.nft to define the set, pre-populate it with Telegram's IP ranges, and add the redirect chain [1]. fw4 includes every *.nft file in that directory inside its `table inet fw4`, so the file needs no table declaration of its own:

set gfwlist {
	type ipv4_addr
	flags interval        # interval allows CIDR ranges, not just single addresses
	elements = {
		# telegram start
		# (fill in Telegram's address ranges here; omit the whole
		#  elements block if the set starts out empty)
		# telegram end
	}
}

chain gfwlist-redirect {
	type nat hook prerouting priority 0; policy accept;
	# only TCP to addresses in the set is redirected to the local ss-redir port
	ip daddr @gfwlist ip protocol tcp redirect to :1100
}

The configuration above assumes that ss-redir listens on TCP port 1100 on the router. Restart the firewall so fw4 loads the new file:

service firewall restart

Manual configuration

To add IPs to or remove them from gfwlist at runtime [2] (these changes live only in the kernel ruleset and are lost on the next firewall restart):

nft add element inet fw4 gfwlist { 203.0.113.0/24 }    # example value from the documentation range; use the address or CIDR you need
nft delete element inet fw4 gfwlist { 203.0.113.0/24 }


Switch to dnsmasq-full

The stock dnsmasq package on OpenWrt is built without nftset support, so it has to be replaced:

opkg remove dnsmasq
opkg install dnsmasq-full

service dnsmasq restart

Create Dnsmasq Configuration

The default include directory is /tmp/dnsmasq.d, which lives in RAM and is wiped at every reboot, so keep the master copy of the configuration somewhere persistent:

mkdir -p /root/gfwlist/nftset

Then copy the configuration files into place at startup (the /etc/rc.local step below takes care of this):

cp -f /root/gfwlist/nftset/*.conf /tmp/dnsmasq.d

Manual configuration

If we have a manually maintained configuration file /root/gfwlist/nftset/dnsmasq_gfwlist_nftset_custom.conf:


Create deployment script

cp -f /root/gfwlist/nftset/*.conf /tmp/dnsmasq.d && service dnsmasq restart


The script that converts gfwlist into a dnsmasq configuration only emits ipset directives, so its output line has to be changed to nftset:

- ipset=/\1/'$IPSET_NAME'#g' > $CONF_TMP_FILE
+ nftset=/\1/4\#inet\#fw4\#'$IPSET_NAME'#g' > $CONF_TMP_FILE
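Review bot: the `\#` escapes in the `+` line are required because the surrounding sed expression uses `#` as its delimiter (visible in the trailing `#g'`), so an unescaped `#` would end the replacement early; a one-line comment in the script explaining this would save the next editor a confusing failure. Also worth noting next to the `4` in `4\#inet\#fw4\#`: only A records are pushed into the set, so AAAA answers for listed domains are ignored and IPv6 connections to them are not redirected; that is consistent with an ipv4_addr set, but it should be stated so nobody expects IPv6 coverage.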

Save the edited script under /root/gfwlist/nftset/, then create another script that regenerates the configuration and deploys it:

sh /root/gfwlist/nftset/ -s gfwlist -o /root/gfwlist/nftset/dnsmasq_gfwlist_nftset.conf && /root/gfwlist/nftset/

Edit /etc/rc.local and add the following before its final `exit 0`, so the configuration is regenerated and copied back into /tmp/dnsmasq.d after each reboot:

sh /root/gfwlist/nftset/

Add a crontab entry (crontab -e) that refreshes the list at 00:00 on the first day of every month. The crontab format is five time fields followed by the command; a sixth field would be passed to the shell as part of the command:

0 0 1 * * sh /root/gfwlist/nftset/
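As an added example (not the post's own script, nor the gfwlist converter it edits), the following POSIX shell script covers the manual-configuration and deployment steps above in one place: it turns a plain domain list into the `nftset=/<domain>/4#inet#fw4#<set>` directives the edited converter produces, refuses to overwrite the live file with an empty result, runs dnsmasq's own syntax check before copying anything into /tmp/dnsmasq.d, and lists what has landed in the set. The set name gfwlist, the paths from the post, and the sample domain list embedded below are all assumptions.

```shell
#!/bin/sh
# Added example: generate and deploy dnsmasq nftset directives for the fw4 set.
# Assumptions: set "gfwlist" in table inet fw4, the directories from the post,
# and a constructed sample domain list (not real gfwlist data).

SET_NAME="${SET_NAME:-gfwlist}"
CONF_DIR="${CONF_DIR:-/root/gfwlist/nftset}"
DNSMASQ_DIR="${DNSMASQ_DIR:-/tmp/dnsmasq.d}"

# Read domains on stdin, one per line, and print one
#   nftset=/<domain>/4#inet#fw4#<set>
# line per domain: "4" means A records are added, "inet#fw4#<set>" names the
# family, table and set the firewall created. Comments, blank lines and
# leading "*." or "." are stripped; an entry containing "/" would corrupt the
# directive (dnsmasq uses "/" as the field separator) and is skipped.
domains_to_nftset() {
    set_name="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                   # drop comments
        line="$(printf '%s' "$line" | tr -d '[:space:]')"    # drop whitespace
        [ -z "$line" ] && continue
        line="${line#\*.}"                                   # "*.example.org" -> "example.org"
        line="${line#.}"                                     # ".example.net"  -> "example.net"
        case "$line" in
            */*) printf 'skipping malformed entry: %s\n' "$line" >&2; continue ;;
        esac
        printf 'nftset=/%s/4#inet#fw4#%s\n' "$line" "$set_name"
    done
}

# Build the conf file from a domain list ($1) into $2. Writes to a temp file
# first and returns non-zero when nothing was produced, so a failed or empty
# download never replaces a working configuration.
generate_conf() {
    domains_to_nftset "$SET_NAME" < "$1" > "$2.tmp" || return 1
    if [ ! -s "$2.tmp" ]; then
        rm -f "$2.tmp"
        return 1
    fi
    mv -f "$2.tmp" "$2"
}

# Copy the conf files into the volatile include directory and restart dnsmasq,
# but only after "dnsmasq --test" accepts the generated file (exit status 0).
deploy() {
    dnsmasq --test --conf-file="$CONF_DIR/dnsmasq_gfwlist_nftset.conf" || return 1
    mkdir -p "$DNSMASQ_DIR"
    cp -f "$CONF_DIR"/*.conf "$DNSMASQ_DIR"/ && service dnsmasq restart
}

# Show the addresses dnsmasq has pushed into the set so far; the set only
# fills as clients resolve listed domains, so it is empty right after boot.
show_set() {
    nft list set inet fw4 "$SET_NAME"
}

# Stand-alone demo on a constructed sample list.
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample entries
example.com
*.example.org
 .example.net
bad/entry.example
EOF

OUT_CONF="$(mktemp)"
if generate_conf "$SAMPLE_LIST" "$OUT_CONF"; then
    cat "$OUT_CONF"
fi
rm -f "$SAMPLE_LIST" "$OUT_CONF"

# On the router, after pointing generate_conf at the real list:  ./script.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy && show_set
fi
```

Running the script without arguments prints the three generated `nftset=` lines and a warning on stderr for the malformed entry; `deploy` is kept behind an explicit argument so the demo can run on a workstation without dnsmasq or nft installed.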


Most articles online use bypassing the GFW as their example, and this post follows that scenario. Another practical use of the same mechanism is routing only selected services through the proxy, for instance accessing ChatGPT through a residential IP.


  1. 99010. dnsmasq-full + nftset + nftables transparent proxy. Enshan Wireless Forum (恩山无线论坛). 2023.

  2. 6.4. Using sets in nftables commands. Red Hat.