Can't create nftables rule (tcp dport) on bridge

Hello!
I'm experimenting with nftables bridge filtering. I want to intercept some bridge ethernet packets and route them into a local service. I did some research on this in several sources. I'm trying to set up a simple nftables intercept rule.
I use this OpenWRT Docs page as an example: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge
I do:

nft add table bridge filter
nft add chain bridge filter prerouting { type filter hook prerouting priority 0\; }
nft add rule bridge filter prerouting meta l4proto { tcp, udp } th dport 53 log

and get

Error: Could not process rule: No such file or directory
nft add rule bridge filter prerouting meta l4proto { tcp, udp } th dport 53 log
                                      ^^^^^^^^^^^^

I tried other syntax (inspired by this) with the same result:

nft add rule bridge filter prerouting tcp dport 53 log
Error: Could not process rule: No such file or directory
nft add rule bridge filter prerouting tcp dport 53 log
                                      ^^^^^^^^^

I'm using OpenWRT 22.03.7-x86-64-generic-squashfs-combined in a VirtualBox VM
I tried the same commands on an AntiX Linux VM, and got no errors.
I suppose there might be some kernel configuration issues with my OpenWRT. But I didn't change any settings since installation, except setting up a bridge device in /etc/config/network.
As per the above OpenWRT Docs page, I tried to execute
lsmod | grep -e bridge
and got empty result

Thanks for any help.

opkg update; opkg install kmod-nft-bridge

You can use script-style syntax:

#!/sbin/nft -c -f
table bridge filter {
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
		meta l4proto { tcp, udp } th dport 53 log
		tcp dport 53 log
	}
}

Or in config/firewall

config redirect 'dns-int-log'
        option name 'log-intercept-dns'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'
        option log '1'

Tried this already with no effect. Nftables should work without it since kernel 5.3.

Nope, it is modular just like iptables.

root@MikroTik:~# lsmod | grep -e bridge
nf_conntrack           79488 17 xt_connlimit,nf_conncount,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_CT,nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_netlink,nf_conntrack_bridge
nf_conntrack_bridge     3360  0
nf_defrag_ipv6          6288  2 nf_conntrack_bridge,nf_conntrack
nf_reject_ipv4          3968  4 ipt_REJECT,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nf_reject_ipv6          4512  4 nft_reject_ipv6,nft_reject_inet,nft_reject_bridge,ip6t_REJECT
nf_tables             176976 459 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_fib_inet,nft_ct,nft_chain_nat,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_xfrm,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge,nft_reject,nft_quota,nft_objref,nft_numgen,nft_meta_bridge,nft_log,nft_limit,nft_hash,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_counter,nft_compat
nft_meta_bridge         1344  0
nft_reject              1184  4 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nft_reject_bridge       1376  0

root@MikroTik:~# nft add table bridge filter
root@MikroTik:~# nft add chain bridge filter prerouting { type filter hook prerouting priority 0\; }
root@MikroTik:~# nft add rule bridge filter prerouting meta l4proto { tcp, udp } th dport 53 log
root@MikroTik:~# nft list table bridge filter
table bridge filter {
        chain prerouting {
                type filter hook prerouting priority 0; policy accept;
                meta l4proto { tcp, udp } th dport 53 log
        }
}

root@MikroTik:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "MikroTik",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "MikroTik RouterBOARD 750Gr3",
        "board_name": "mikrotik,routerboard-750gr3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

Hmmm. I decided to make everything from scratch and installed kmod-nft-bridge. Executed modprobe br_netfilter and rebooted. lsmod now outputs several lines similar to yours.
I now got another error:

Error: Could not process rule: No such file or directory
add rule bridge filter prerouting meta l4proto { tcp, udp } th dport 53 log
                                                                        ^^^

Install nf_log, or just use the default image which has that included?

Installed kmod-nf-log. Still getting the same error (maybe I should enable it somehow?)
Sorry, I'm not sure what you mean under "default image". I'm using image from here: https://archive.openwrt.org/releases/22.03.7/targets/x86/64/

No idea how you broke it, the log module is in the kmod-nft-core package.

Logging actually works. After executing nft add rule fw4 input log there is no error and log lines immediately start appearing over the console.
But

#!/sbin/nft -f
table bridge filter {
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
		log
	}
}

gives an error on 'log'.

I observe the same behavior on 22.03. Move to 23.05.

Got it. I'll try and report back.


Just to confirm: no errors on 23.05, logging works OK.
Thank you.
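An added example, not code from the thread or from OpenWrt, that pulls the thread's findings into one check script: the bridge-family modules seen in the lsmod listing above (nft_meta_bridge, nft_reject_bridge, nf_conntrack_bridge) come from kmod-nft-bridge, the module behind the `log` statement is in kmod-nft-core, and nft's "No such file or directory" is ENOENT from the kernel, which is what a missing module for one expression in the rule looks like from userspace. The script reports which of those modules are absent from lsmod output and which opkg package the thread named for them, then dry-runs the bridge ruleset from the thread with `nft -c`. The two lsmod listings embedded in it are constructed, not real captures, and the `prefix` on the log rule is my addition.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: check lsmod output
# for the nftables bridge-family modules, name the opkg package the thread
# points at for anything missing, and dry-run the bridge ruleset with nft -c.

# Modules kmod-nft-bridge loads, taken from the lsmod output posted in the thread.
BRIDGE_MODULES="nft_meta_bridge nft_reject_bridge nf_conntrack_bridge"
# Module behind the `log` statement; the thread says it ships in kmod-nft-core.
LOG_MODULES="nft_log"

# missing_modules WANTED   (lsmod output on stdin)
# Prints, one per line, each name in WANTED that is not in lsmod's first column.
missing_modules() {
    wanted="$1"
    loaded=$(awk '{ print $1 }')
    for m in $wanted; do
        printf '%s\n' "$loaded" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# suggest_packages   (lsmod output on stdin)
# Prints the opkg packages named in the thread that would supply any missing
# module; prints an empty line when nothing is missing.
suggest_packages() {
    lsmod_text=$(cat)
    pkgs=""
    if [ -n "$(printf '%s\n' "$lsmod_text" | missing_modules "$BRIDGE_MODULES")" ]; then
        pkgs="$pkgs kmod-nft-bridge"
    fi
    if [ -n "$(printf '%s\n' "$lsmod_text" | missing_modules "$LOG_MODULES")" ]; then
        pkgs="$pkgs kmod-nft-core"
    fi
    printf '%s\n' "${pkgs# }"
}

# check_bridge_ruleset
# Parses the thread's bridge ruleset with `nft -c`. The check runs in
# userspace and the batch is not sent to the kernel, so a missing kernel
# module still only shows up (as ENOENT) on a real `nft -f` load.
check_bridge_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping check" >&2; return 2; }
    nft -c -f - <<'EOF'
table bridge filter {
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        meta l4proto { tcp, udp } th dport 53 log prefix "bridge-dns: "
    }
}
EOF
}

# Constructed sample lsmod listings (not real captures): a box without the
# bridge modules, and the same box after `opkg install kmod-nft-bridge`.
SAMPLE_LSMOD_BEFORE='Module                  Size  Used by
nf_tables             176976  59 nft_log,nft_counter,nft_meta
nft_log                 2048   0
nft_counter             1536   0'
SAMPLE_LSMOD_AFTER="$SAMPLE_LSMOD_BEFORE
nft_meta_bridge         1344   0
nft_reject_bridge       1376   0
nf_conntrack_bridge     3360   0"

# Usage: run against the live system where lsmod exists, else the sample.
if command -v lsmod >/dev/null 2>&1; then
    lsmod 2>/dev/null | suggest_packages
else
    printf '%s\n' "$SAMPLE_LSMOD_BEFORE" | suggest_packages
fi
check_bridge_ruleset || true
```

On a router, an empty line from the package check plus a clean `nft -c` means the ruleset is at least syntactically valid for the installed nft; the real load (`nft -f`) is still the only test of kernel support, and on 22.03 the thread found the `log` statement in the bridge family failed even with the modules loaded, which 23.05 fixed.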
