[22.03.2] Firewall4 custom nftables rule : Resource busy

Hi, I'm trying to include a custom nftables rule in fw4 config.

config include
	option type 'nftables'
	option path '/root/fw/sshlimit.nft'
	option position 'chain-pre'
	option chain 'forward_wan'

# cat /root/fw/sshlimit.nft
tcp dport 22 meter sshlimit { ip saddr timeout 60s limit rate over 1/minute burst 3 packets} counter drop comment "custom: sshlimit"

The first time I reload the rules, the configuration is reloaded fine. Then, if I reload the configuration again, I get this error:

In file included from /dev/stdin:52013:3-34:
/root/fw/sshlimit.nft:1:14-92: Error: Could not process rule: Resource busy
tcp dport 22 meter sshlimit { ip saddr timeout 60s limit rate over 1/minute burst 3 packets} counter drop comment "custom: sshlimit"
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It seems that at each reload the include statement is added again and again. When generating the nft configuration with

ACTION=start utpl -S /usr/share/firewall4/main.uc

I see a duplicate line at each reload.

...
       chain forward_wan {
                include "/root/fw/sshlimit.nft"
                include "/root/fw/sshlimit.nft"
                include "/root/fw/sshlimit.nft"
                meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
...

Ditto in the JSON file /tmp/run/fw4.state:

  ...
"includes": [
    {
      "enabled": true,
      "path": "/root/fw/sshlimit.nft",
      "type": "nftables",
      "fw4_compatible": true,
      "position": "chain-prepend",
      "chain": "forward_wan"
    },
    {
      "enabled": true,
      "path": "/root/fw/ipset.nft",
      "type": "nftables",
      "fw4_compatible": true,
      "position": "chain-prepend",
      "chain": "forward_lan"
    },
...

Is it a bug?

What version of firewall4 is installed?

# opkg list-installed firewall4
firewall4 - 2022-10-18-7ae5e14b-1

Is the include really duplicated in the state file? You only show us 2 different includes in your post.

This is wrong in that it doesn’t remove the state file in between executions. You should use fw4 reload instead.

Yes, it really is duplicated in the state file; my cut and paste was wrong.

I just solved my issue by adding a meter set.

config include
	option type 'nftables'
	option path '/root/fw/sshlimit-meter.nft'
	option position 'table-pre'

config include
	option type 'nftables'
	option path '/root/fw/sshlimit.nft'
	option position 'chain-pre'
	option chain 'forward_wan'

# cat sshlimit-meter.nft
set ssh_meter {type ipv4_addr ; flags timeout, dynamic ;}

# cat sshlimit.nft
tcp dport 22 add @ssh_meter { ip saddr timeout 60s limit rate over 1/minute burst 3 packets} drop comment "custom: sshlimit"
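For anyone wanting to check the dynamic-set variant outside of fw4 before wiring it into an include, here is the same construct as a standalone ruleset (an added example, not a file from this thread; the table and chain names are assumed, and the `ct state new` match is an addition so only new connection attempts are counted):

```nft
#!/usr/sbin/nft -f
# Added example, not part of the thread. Standalone version of the final fix
# above so it can be syntax-checked with `nft -c -f sshlimit-demo.nft`.
# Table name, chain name and hook are assumptions; fw4 would place the set
# at table scope and the rule inside its own forward_wan chain instead.
table inet sshlimit_demo {
    # Dynamic set: elements are created by the rule below, never by hand.
    # "timeout" lets each element carry its own expiry, "dynamic" allows
    # the per-element limit state that the add statement needs.
    set ssh_meter {
        type ipv4_addr
        flags timeout, dynamic
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # One element per source address, expiring 60s after last update.
        # Sources exceeding 1 new SSH connection per minute (burst 3) are
        # dropped; the counter shows how many packets hit the limit.
        tcp dport 22 ct state new add @ssh_meter { ip saddr timeout 60s limit rate over 1/minute burst 3 packets } counter drop comment "custom: sshlimit"
    }
}
```

After loading, `nft list set inet sshlimit_demo ssh_meter` shows the addresses currently being tracked together with their remaining timeout, which is a quick way to confirm the limit is being applied per source rather than globally.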