22.03.2 unable to use "ct count" nft rules

As outlined here:
https://wiki.nftables.org/wiki-nftables/index.php/Connlimits

I cannot create any rule using "ct count".

Executing this on cli:

nft add rule inet fw4 forward tcp dport 22 ct count 10 accept

Results in this:

Error: Could not process rule: No such file or directory
add rule inet fw4 forward tcp dport 22 ct count 10 accept
                                       ^^^^^^^^^^^

Can anyone else confirm that this works? The nftables wiki article also reads:

Note: connlimits require at least nftables 0.9.0 and Linux kernel 4.19.10

But 22.03.2 is running nftables 1.0.2 and Linux kernel 5.10.146. Exactly which file and/or directory does it need? Is there something missing in the 22.03.2 OpenWrt kernel that it needs?

Thanks in advance for any/all help.

The module CONFIG_NFT_CONNLIMIT is not built in OpenWrt.

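The reply above points at a missing kernel option rather than a missing file, so the useful check before writing any "ct count" rule is whether the running kernel has nft connlimit at all. The script below is an added example, not code from the thread or from OpenWrt; it assumes a Linux box that exposes /proc/config.gz (OpenWrt does when CONFIG_IKCONFIG_PROC is set) and/or a /lib/modules/$(uname -r) tree, and that nft accepts -c (check mode) as in nftables 1.0.x.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decide whether "ct count" rules can
# load on this kernel by looking for CONFIG_NFT_CONNLIMIT before trying nft.

# Return 0 if CONFIG_NFT_CONNLIMIT is enabled (=y or =m) in a plain-text
# kernel config file, 1 if it is absent or listed as "is not set".
connlimit_in_config() {
    grep -q '^CONFIG_NFT_CONNLIMIT=[ym]$' "$1"
}

# Return 0 if a module file named nft_connlimit.ko* exists under directory $1.
connlimit_module_present() {
    [ -n "$(find "$1" -name 'nft_connlimit.ko*' 2>/dev/null | head -n 1)" ]
}

# Check the live system: kernel config first, then the modules tree.
# Prints a verdict and returns 0 (supported) or 1 (unsupported).
check_live_system() {
    if [ -r /proc/config.gz ] \
       && zcat /proc/config.gz | grep -q '^CONFIG_NFT_CONNLIMIT=[ym]$'; then
        echo "kernel config: CONFIG_NFT_CONNLIMIT enabled"
        return 0
    fi
    if connlimit_module_present "/lib/modules/$(uname -r)"; then
        echo "module file nft_connlimit.ko found"
        return 0
    fi
    echo "no nft connlimit support detected; 'ct count' rules will not load"
    return 1
}

# Dry-run the exact rule from the thread. -c only parses and checks the
# rule against the kernel; nothing is installed into the fw4 table.
dry_run_rule() {
    nft -c add rule inet fw4 forward tcp dport 22 ct count 10 accept 2>&1
}

# Constructed sample config (not a real kernel's) to show the config check.
SAMPLE_CFG="$(mktemp)"
printf 'CONFIG_NFT_CT=y\n# CONFIG_NFT_CONNLIMIT is not set\n' > "$SAMPLE_CFG"
if connlimit_in_config "$SAMPLE_CFG"; then
    echo "sample config: connlimit enabled"
else
    echo "sample config: connlimit not set"
fi
rm -f "$SAMPLE_CFG"
```

On a live router, run check_live_system and then dry_run_rule; if the first reports no support, the "No such file or directory" error from nft is expected and the fix is a kernel with CONFIG_NFT_CONNLIMIT, not a different rule syntax.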

Thanks for the timely feedback, I'll stop trying to make it work now. Not sure if I feel like building a custom kernel to get this functionality... :)

I now see that there is an .ipk package for iptables - "iptables-mod-conntrack-extra" which includes connection limiting and other similar functionality. Hopefully a similar package can be created for fw4/nftables.


A similar issue related to NFT_DUP was recently posted. You might chime in there for the CONNLIMIT functionality.

Thanks for the suggestion, that makes sense to me and I will post in that thread as well.
