[OpenWrt-Devel] Why nftables does not work in OpenWrt ?
Hauke Mehrtens
hauke at hauke-m.de
Sun May 20 06:09:08 EDT 2018
On 05/20/2018 11:42 AM, Rosysong wrote:
> Hi all,
> Using nftables to control the traffic flow by IP address has succeeded on my Linux PC, so I ported the same
> nft script into OpenWrt trunk. Unfortunately, it failed (it has no effect on restricting the speed of the client). Is there any conflict between iptables and nftables? Or
> does it need some other kernel module for nftables?
>
> Below is the information about my system and configuration on network.
>
> root at OpenWrt:~# ifconfig
> br-lan Link encap:Ethernet HWaddr F2:B4:29:EC:D6:69
> inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fd04:bbd9:3e95::1/60 Scope:Global
> inet6 addr: fe80::f0b4:29ff:feec:d669/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:35191 errors:0 dropped:0 overruns:0 frame:0
> TX packets:32796 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:14724584 (14.0 MiB) TX bytes:2621401 (2.4 MiB)
>
> eth0 Link encap:Ethernet HWaddr F0:B4:29:EC:D6:69
> inet6 addr: fe80::f2b4:29ff:feec:d669/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:35219 errors:0 dropped:0 overruns:0 frame:0
> TX packets:61209 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:15360136 (14.6 MiB) TX bytes:12673750 (12.0 MiB)
> Interrupt:5
>
> eth0.1 Link encap:Ethernet HWaddr F2:B4:29:EC:D6:69
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:35191 errors:0 dropped:0 overruns:0 frame:0
> TX packets:32786 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:14724584 (14.0 MiB) TX bytes:2620173 (2.4 MiB)
>
> eth0.2 Link encap:Ethernet HWaddr F0:B4:29:EC:D6:69
> inet6 addr: fe80::f2b4:29ff:feec:d669/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:28280 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:9539976 (9.0 MiB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:65536 Metric:1
> RX packets:9824 errors:0 dropped:0 overruns:0 frame:0
> TX packets:9824 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:668032 (652.3 KiB) TX bytes:668032 (652.3 KiB)
>
> root at OpenWrt:/tmp# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere /* !fw3 */
> input_rule all -- anywhere anywhere /* !fw3: Custom input rule chain */
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
> syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
> zone_lan_input all -- anywhere anywhere /* !fw3 */
> zone_wan_input all -- anywhere anywhere /* !fw3 */
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> forwarding_rule all -- anywhere anywhere /* !fw3: Custom forwarding rule chain */
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
> zone_lan_forward all -- anywhere anywhere /* !fw3 */
> zone_wan_forward all -- anywhere anywhere /* !fw3 */
> reject all -- anywhere anywhere /* !fw3 */
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere /* !fw3 */
> output_rule all -- anywhere anywhere /* !fw3: Custom output rule chain */
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
> zone_lan_output all -- anywhere anywhere /* !fw3 */
> zone_wan_output all -- anywhere anywhere /* !fw3 */
>
> Chain forwarding_lan_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_wan_rule (1 references)
> target prot opt source destination
>
> Chain input_lan_rule (1 references)
> target prot opt source destination
>
> Chain input_rule (1 references)
> target prot opt source destination
>
> Chain input_wan_rule (1 references)
> target prot opt source destination
>
> Chain output_lan_rule (1 references)
> target prot opt source destination
>
> Chain output_rule (1 references)
> target prot opt source destination
>
> Chain output_wan_rule (1 references)
> target prot opt source destination
>
> Chain reject (3 references)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere /* !fw3 */ reject-with tcp-reset
> REJECT all -- anywhere anywhere /* !fw3 */ reject-with icmp-port-unreachable
>
> Chain syn_flood (1 references)
> target prot opt source destination
> RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
> DROP all -- anywhere anywhere /* !fw3 */
>
> Chain zone_lan_dest_ACCEPT (4 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_lan_forward (1 references)
> target prot opt source destination
> forwarding_lan_rule all -- anywhere anywhere /* !fw3: Custom lan forwarding rule chain */
> zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone lan to wan forwarding policy */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
> zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_lan_input (1 references)
> target prot opt source destination
> input_lan_rule all -- anywhere anywhere /* !fw3: Custom lan input rule chain */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
> zone_lan_src_ACCEPT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_lan_output (1 references)
> target prot opt source destination
> output_lan_rule all -- anywhere anywhere /* !fw3: Custom lan output rule chain */
> zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_lan_src_ACCEPT (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
>
> Chain zone_wan_dest_ACCEPT (2 references)
> target prot opt source destination
> DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
> ACCEPT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_wan_dest_REJECT (1 references)
> target prot opt source destination
> reject all -- anywhere anywhere /* !fw3 */
>
> Chain zone_wan_forward (1 references)
> target prot opt source destination
> forwarding_wan_rule all -- anywhere anywhere /* !fw3: Custom wan forwarding rule chain */
> zone_lan_dest_ACCEPT esp -- anywhere anywhere /* !fw3: Allow-IPSec-ESP */
> zone_lan_dest_ACCEPT udp -- anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
> zone_wan_dest_REJECT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_wan_input (1 references)
> target prot opt source destination
> input_wan_rule all -- anywhere anywhere /* !fw3: Custom wan input rule chain */
> ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
> ACCEPT icmp -- anywhere anywhere icmp echo-request /* !fw3: Allow-Ping */
> ACCEPT igmp -- anywhere anywhere /* !fw3: Allow-IGMP */
> ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
> zone_wan_src_REJECT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_wan_output (1 references)
> target prot opt source destination
> output_wan_rule all -- anywhere anywhere /* !fw3: Custom wan output rule chain */
> zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
>
> Chain zone_wan_src_REJECT (1 references)
> target prot opt source destination
> reject all -- anywhere anywhere /* !fw3 */
>
>
> root at OpenWrt:/tmp# nft list table filter
> table ip filter {
> chain input {
> type filter hook input priority 0; policy accept;
> ip daddr 192.168.1.100 limit rate over 64 bytes/second drop
> }
>
> chain output {
> type filter hook output priority 0; policy accept;
> ip saddr 192.168.1.100 limit rate over 64 bytes/second drop
> }
> }
What target are you using? I had problems with a big endian system where
even the first examples I found on the Internet did not work.
This fixed my problem:
https://git.openwrt.org/f9aca01a53b041973496528af96d91b551bdeb1d
I would not be surprised if there are more problems with non x86 platforms.
Hauke
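Added diagnostic for this thread (not from the original post, from Hauke, or from OpenWrt): a POSIX shell script that reloads the poster's two limit rules with a counter on each side of the limit expression, so "the rule never matches" (what a kernel or endianness problem looks like) can be told apart from "the rule matches but the limit is never exceeded". It also adds the same rule to the forward hook, because packets routed to or from a LAN client such as 192.168.1.100 traverse the forward hook; the input and output hooks only see traffic addressed to or sent by the router itself. The host address and the `filter` table name come from the post; `nft` on PATH and root privileges are assumed for the `--load` and `--check` modes, and the listing used in the default mode is constructed to match the format `nft list table ip filter` prints.

```shell
#!/bin/sh
# Diagnostic helper written for this thread, not part of OpenWrt or the original
# post. Usage: ./nft-diag.sh --load   (install rules with counters, as root)
#              ./nft-diag.sh --check  (summarise counters after sending traffic)
#              ./nft-diag.sh          (demonstrate the summary on a constructed listing)

TARGET_HOST="192.168.1.100"   # LAN client from the original post

# Ruleset: the poster's input/output chains with counters before and after the
# limit expression, plus a forward chain, since traffic routed to or from a LAN
# client passes the forward hook rather than input/output.
diag_ruleset() {
cat <<EOF
add table ip filter
flush table ip filter
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		ip daddr $TARGET_HOST counter limit rate over 64 bytes/second counter drop
	}
	chain output {
		type filter hook output priority 0; policy accept;
		ip saddr $TARGET_HOST counter limit rate over 64 bytes/second counter drop
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		ip daddr $TARGET_HOST counter limit rate over 64 bytes/second counter drop
		ip saddr $TARGET_HOST counter limit rate over 64 bytes/second counter drop
	}
}
EOF
}

# Read "nft list table ip filter" output on stdin and print, for every rule that
# carries two counters: chain name, packets seen before the limit, packets the
# limit classified as over rate, and a verdict derived from those two numbers.
summarize_counters() {
	awk '
	/^[ \t]*chain / { chain = $2 }
	/counter packets/ {
		n = 0; line = $0
		while (match(line, /counter packets [0-9]+/)) {
			n++
			split(substr(line, RSTART, RLENGTH), f, " ")
			c[n] = f[3] + 0
			line = substr(line, RSTART + RLENGTH)
		}
		if (n < 2) next
		if (c[1] == 0) verdict = "never-matched"        # rule not hit at all
		else if (c[2] == 0) verdict = "matched-under-limit"  # hit, but never over rate
		else verdict = "dropping"                        # limit is taking effect
		printf "%s seen=%d over=%d verdict=%s\n", chain, c[1], c[2], verdict
	}'
}

# Constructed listing (not real output from the poster's router) in the format
# "nft list table ip filter" prints, used when run without --load/--check.
SAMPLE_LISTING=$(cat <<'EOF'
table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		ip daddr 192.168.1.100 counter packets 1200 bytes 96000 limit rate over 64 bytes/second counter packets 950 bytes 76000 drop
	}
	chain output {
		type filter hook output priority 0; policy accept;
		ip saddr 192.168.1.100 counter packets 0 bytes 0 limit rate over 64 bytes/second counter packets 0 bytes 0 drop
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		ip daddr 192.168.1.100 counter packets 40 bytes 3200 limit rate over 64 bytes/second counter packets 0 bytes 0 drop
		ip saddr 192.168.1.100 counter packets 8000 bytes 640000 limit rate over 64 bytes/second counter packets 7900 bytes 632000 drop
	}
}
EOF
)

case "${1:-}" in
	--load)  diag_ruleset | nft -f - ;;
	--check) nft list table ip filter | summarize_counters ;;
	*)       printf '%s\n' "$SAMPLE_LISTING" | summarize_counters ;;
esac
```

Run `--load`, generate traffic to and from the client, then `--check`: a line reading `seen=0` means the rule is not being evaluated against that traffic at all, which is the symptom to expect from the kind of platform problem Hauke describes (or from the traffic simply not passing that hook); `seen>0 over=0` means the rule matches but the 64 bytes/second threshold is never exceeded from the kernel's point of view.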