Chicken or egg with netfilter LED trigger

I've run into an issue while attempting to set up a netfilter based LED trigger.

Specifically, I'm trying to set up a trigger to blink an LED when I have an incoming print job on my OpenWrt print server. I'm following the led configuration > net filter documentation... but when I try to set up the trigger, I get an error. (for now, I'm just using the ssh example and will change it later for the printer on port 9100)

root@PandoraPrinter:~# iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
iptables v1.6.2: unknown option "--led-trigger-id"
Try `iptables -h' or 'iptables --help' for more information.

I found a really old thread where @anomeome mentioned a chicken or egg situation... you can't set the netfilter trigger until you have the led trigger available, but of course you can't add or set the trigger type until it is defined elsewhere.

root@PandoraPrinter:~# cat /sys/class/leds/tp-link:green:wps/trigger
[none] timer default-on netdev usbport phy0rx phy0tx phy0assoc phy0radio phy0tpt 
root@PandoraPrinter:~# echo netfilter-ssh > /sys/class/leds/tp-link:green:wps/trigger
ash: write error: Invalid argument

But that old thread didn't seem to have a resolution... Any ideas of how to solve this?

FWIW, I'm running this on a very old version of OpenWrt (18.06.9)... in this case, the device is too small to run a more recent version. The device is wired to a trusted network with wifi disabled. It has no exposure to the internet and the only services running are ssh and p910nd.

The resolution was the example in the thread (for the egg bit):

need kmod- (s), at least that would be my guess, but long time passing.

iptables -h, cannot recall if when right kmods you get the option.


Thanks @anomeome... I was hoping you'd be online to see this. :slight_smile:

I built my image with iptables and kmod-ipt-led (per the documentation). Is there another kmod or other package needed?

I don't see it in the iptables -h output (which is no surprise)... is that help output dynamic insofar as adding a kmod will add additional options to the help info?

iptables -h
iptables v1.6.2

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --protocol  -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --wait        -w [seconds]    maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock
                                default is 1 second
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

points towards NETFILTER_XT_TARGET_LED

Having a look at

then suggests kmod-ipt-led.


So I did build my image with that included... is there a way to ensure that it's actually loading that module?

EDIT:
lsmod reveals this:

x_tables               11344 14 iptable_mangle,iptable_filter,ipt_REJECT,ip_tables,xt_time,xt_tcpudp,xt_multiport,xt_mark,xt_mac,xt_limit,xt_comment,xt_TCPMSS,xt_LOG,xt_LED

the xt_LED in particular seems to be the specific function you were mentioning @slh . So I think it's loading the kmod properly.

According to

the module would be called xt_LED, which it indeed is on my general purpose linux.

$ /sbin/modinfo xt_LED 
filename:       /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LED.ko
alias:          ip6t_LED
alias:          ipt_LED
description:    Xtables: trigger LED devices on packet match
author:         Adam Nielsen <a.nielsen@shikadi.net>
license:        GPL
srcversion:     6053A24C4AE0734123C1C0B
depends:        x_tables
retpoline:      Y
intree:         Y
name:           xt_LED
vermagic:       $(uname -r) SMP preempt mod_unload modversions

I would expect it to show up under ls -al /sys/class/ (as xt_LED) then.


This is what I see...

root@PandoraPrinter:/sys/class# ls -al
drwxr-xr-x   22 root     root             0 Dec 31  1969 .
dr-xr-xr-x   11 root     root             0 Dec 31  1969 ..
drwxr-xr-x    2 root     root             0 Dec 31  1969 bdi
drwxr-xr-x    2 root     root             0 Dec 31  1969 block
drwxr-xr-x    2 root     root             0 Dec 31  1969 devcoredump
drwxr-xr-x    2 root     root             0 Dec 31  1969 firmware
drwxr-xr-x    2 root     root             0 Dec 31  1969 gpio
drwxr-xr-x    2 root     root             0 Feb  9 18:22 ieee80211
drwxr-xr-x    2 root     root             0 Dec 31  1969 leds
drwxr-xr-x    2 root     root             0 Dec 31  1969 mdio_bus
drwxr-xr-x    2 root     root             0 Dec 31  1969 mem
drwxr-xr-x    2 root     root             0 Dec 31  1969 misc
drwxr-xr-x    2 root     root             0 Dec 31  1969 mtd
drwxr-xr-x    2 root     root             0 Dec 31  1969 net
drwxr-xr-x    2 root     root             0 Dec 31  1969 pci_bus
drwxr-xr-x    2 root     root             0 Dec 31  1969 phy
drwxr-xr-x    2 root     root             0 Dec 31  1969 power_supply
drwxr-xr-x    2 root     root             0 Dec 31  1969 rtc
drwxr-xr-x    2 root     root             0 Dec 31  1969 spi_master
drwxr-xr-x    2 root     root             0 Dec 31  1969 tty
drwxr-xr-x    2 root     root             0 Feb  9 19:36 usbmisc
drwxr-xr-x    2 root     root             0 Dec 31  1969 watchdog

and under leds:

root@PandoraPrinter:/sys/class/leds# ls -al
drwxr-xr-x    2 root     root             0 Dec 31  1969 .
drwxr-xr-x   22 root     root             0 Dec 31  1969 ..
lrwxrwxrwx    1 root     root             0 Feb  9 18:35 ath9k-phy0 -> ../../devices/platform/ar933x_wmac/leds/ath9k-phy0
lrwxrwxrwx    1 root     root             0 Dec 31  1969 tp-link:green:3g -> ../../devices/platform/leds-gpio/leds/tp-link:green:3g
lrwxrwxrwx    1 root     root             0 Dec 31  1969 tp-link:green:lan -> ../../devices/platform/leds-gpio/leds/tp-link:green:lan
lrwxrwxrwx    1 root     root             0 Dec 31  1969 tp-link:green:wlan -> ../../devices/platform/leds-gpio/leds/tp-link:green:wlan
lrwxrwxrwx    1 root     root             0 Dec 31  1969 tp-link:green:wps -> ../../devices/platform/leds-gpio/leds/tp-link:green:wps

Finally... looking at the WPS LED (which is my preferred one for this use, but they're all addressable the same way):

root@PandoraPrinter:/sys/devices/platform/leds-gpio/leds/tp-link:green:wps# ls -al
drwxr-xr-x    2 root     root             0 Dec 31  1969 .
drwxr-xr-x    6 root     root             0 Dec 31  1969 ..
-rw-r--r--    1 root     root          4096 Feb  9 18:22 brightness
lrwxrwxrwx    1 root     root             0 Feb  9 18:35 device -> ../../../leds-gpio
-r--r--r--    1 root     root          4096 Feb  9 18:35 max_brightness
lrwxrwxrwx    1 root     root             0 Feb  9 18:35 subsystem -> ../../../../../class/leds
-rw-r--r--    1 root     root          4096 Feb  9 18:40 trigger
-rw-r--r--    1 root     root          4096 Feb  9 18:35 uevent
root@PandoraPrinter:/sys/devices/platform/leds-gpio/leds/tp-link:green:wps# cat trigger 
[none] timer default-on netdev usbport phy0rx phy0tx phy0assoc phy0radio phy0tpt 

For completeness, this is what I see when I check the modinfo (essentially the same, I think, except that it doesn't have the name field -- is that the problem here??)

root@PandoraPrinter:/sys/devices/platform/leds-gpio/leds/tp-link:green:3g/ports# /sbin/modinfo xt_LED
module:         /lib/modules/4.9.243/xt_LED.ko
alias:          ip6t_LED
alias:          ipt_LED
license:        GPL
depends:        x_tables

What happens if you modprobe xt_LED? (well, given the old kernel, you may have to insmod it and its dependencies, modprobe and module loader behaviour isn't that old, for OpenWrt).

Disclaimer: general purpose linux (my OpenWrt systems are current master, with fw4, so loading iptables modules would be a tad difficult).

$ ls -al /sys/module/ | grep -i led
drwxr-xr-x   5 root root 0  9. Feb 20:27 ledtrig_audio
drwxr-xr-x   5 root root 0 10. Feb 04:44 xt_LED
root@PandoraPrinter:/# modprobe xt_LED
xt_LED is already loaded
root@PandoraPrinter:/# ls -al /sys/module/ | grep -i led
drwxr-xr-x    3 root     root             0 Feb  9 19:50 ledtrig_usbport
drwxr-xr-x    3 root     root             0 Feb  9 19:50 xt_LED

Any error messages in dmesg? As in module dependency errors?

I'm not seeing any dmesg issues...

dmesg output
[    0.000000] Linux version 4.9.243 (buildbot@d6b0edf6d597) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r8077-7cbbab7246) ) #0 Wed Nov 11 20:09:58 2020
[    0.000000] MyLoader: sysp=b05cbf4e, boardp=573960b5, parts=5fba3108
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR9330 rev 1
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] On node 0 totalpages: 8192
[    0.000000] free_area_init_node: node 0, pgdat 80446a44, node_mem_map 81000020
[    0.000000]   Normal zone: 64 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 8192 pages, LIFO batch:0
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
[    0.000000] Kernel command line:  board=TL-MR3020  console=ttyATH0,115200 rootfstype=squashfs noinitrd
[    0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[    0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 27604K/32768K available (3412K kernel code, 163K rwdata, 424K rodata, 216K init, 211K bss, 5164K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302233 ns
[    0.000013] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
[    0.007597] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[    0.088757] pid_max: default: 32768 minimum: 301
[    0.093339] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.099512] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.110150] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.118192] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.125838] NET: Registered protocol family 16
[    0.130759] MIPS: machine is TP-LINK TL-MR3020
[    0.434189] clocksource: Switched to clocksource MIPS
[    0.439193] NET: Registered protocol family 2
[    0.443308] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.448710] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.454764] TCP: Hash tables configured (established 1024 bind 1024)
[    0.460936] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.466421] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.472669] NET: Registered protocol family 1
[    0.476585] PCI: CLS 0 bytes, default 32
[    0.481754] Crashlog allocated RAM at address 0x1f00000
[    0.487039] workingset: timestamp_bits=30 max_order=13 bucket_order=0
[    0.502187] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.506433] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.529115] io scheduler noop registered
[    0.531482] io scheduler deadline registered (default)
[    0.537043] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.546441] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[    0.554279] console [ttyATH0] enabled
[    0.561069] bootconsole [early0] disabled
[    0.577337] m25p80 spi0.0: found s25sl032p, expected m25p80
[    0.581476] m25p80 spi0.0: s25sl032p (4096 Kbytes)
[    0.587380] 5 tp-link partitions found on MTD device spi0.0
[    0.591791] Creating 5 MTD partitions on "spi0.0":
[    0.596643] 0x000000000000-0x000000020000 : "u-boot"
[    0.604303] 0x000000020000-0x00000016ddd4 : "kernel"
[    0.610674] 0x00000016ddd4-0x0000003f0000 : "rootfs"
[    0.616518] mtd: device 2 (rootfs) set to be root filesystem
[    0.620776] 1 squashfs-split partitions found on MTD device rootfs
[    0.626997] 0x000000380000-0x0000003f0000 : "rootfs_data"
[    0.635438] 0x0000003f0000-0x000000400000 : "art"
[    0.641571] 0x000000020000-0x0000003f0000 : "firmware"
[    0.649694] libphy: Fixed MDIO Bus: probed
[    0.672289] libphy: ag71xx_mdio: probed
[    1.305900] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[    1.314646] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[    1.322124] NET: Registered protocol family 10
[    1.330642] NET: Registered protocol family 17
[    1.333700] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    1.346791] 8021q: 802.1Q VLAN Support v1.8
[    1.353259] hctosys: unable to open rtc device (rtc0)
[    1.362256] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    1.369591] Freeing unused kernel memory: 216K
[    1.372575] This architecture does not have kernel memory protection.
[    2.179553] init: Console is alive
[    2.181787] init: - watchdog -
[    2.504407] random: fast init done
[    3.160858] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    3.282971] usbcore: registered new interface driver usbfs
[    3.287201] usbcore: registered new interface driver hub
[    3.292451] usbcore: registered new device driver usb
[    3.304706] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    3.311882] ehci-platform: EHCI generic platform driver
[    3.315855] ehci-platform ehci-platform: EHCI Host Controller
[    3.321459] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[    3.331453] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[    3.364238] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[    3.370350] hub 1-0:1.0: USB hub found
[    3.373237] hub 1-0:1.0: 1 port detected
[    3.377896] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    3.394590] init: - preinit -
[    4.177192] usb 1-1: new full-speed USB device number 2 using ehci-platform
[    4.381951] random: procd: uninitialized urandom read (4 bytes read)
[    4.441911] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    6.495672] eth0: link up (100Mbps/Full duplex)
[    6.498791] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    7.698367] jffs2: notice: (409) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[    7.714467] mount_root: switching to jffs2 overlay
[    7.751858] urandom-seed: Seeding with /etc/urandom.seed
[    8.026686] eth0: link down
[    8.045410] procd: - early -
[    8.046969] procd: - watchdog -
[    8.650295] procd: - watchdog -
[    8.652333] procd: - ubus -
[    8.835874] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.843540] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.849147] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.856121] procd: - init -
[    9.266817] kmodloader: loading kernel modules from /etc/modules.d/*
[    9.279466] Loading modules backported from Linux version wt-2017-11-01-0-gfe248fc2c180
[    9.286112] Backport generated by backports.git v4.14-rc2-1-31-g86cf0e5d
[    9.308821] usblp 1-1:1.0: usblp0: USB Bidirectional printer dev 2 if 0 alt 1 proto 2 vid 0x067B pid 0x2305
[    9.317369] usbcore: registered new interface driver usblp
[    9.343127] xt_time: kernel timezone is -0000
[    9.446052] ip_tables: (C) 2000-2006 Netfilter Core Team
[    9.536125] ath: EEPROM regdomain: 0x0
[    9.536139] ath: EEPROM indicates default country code should be used
[    9.536144] ath: doing EEPROM country->regdmn map search
[    9.536164] ath: country maps to regdmn code: 0x3a
[    9.536172] ath: Country alpha2 being used: US
[    9.536177] ath: Regpair used: 0x3a
[    9.547905] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[    9.554049] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[    9.711148] kmodloader: done loading kernel modules from /etc/modules.d/*
[   11.056942] urandom_read: 5 callbacks suppressed
[   11.056954] random: jshn: uninitialized urandom read (4 bytes read)
[   21.307744] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   23.375762] eth0: link up (100Mbps/Full duplex)
[   23.378894] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  121.144029] random: crng init done

FWIW, I get the same error on a 22.03.3 system with iptables and kmod-ipt-led installed.

root@OpenWrt:~# iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 100
iptables v1.8.7 (nf_tables): unknown option "--led-trigger-id"

Since --led-trigger-id is the offending argument, there must be some other way we're supposed to assign the trigger... but even the code above seems to indicate that this is the right syntax.

I have a virtual box installation of Ubuntu 20.04... ran the same exact command (with sudo), and no errors.

I wouldn't be surprised if that would either need a -full packages of something or if that has been patched out, to save space.


That may be.... but given the space constraints on the print server, I'm guessing no -full packages will fit.. lol.

Presumably it worked back in the days of LEDE 17.01 based on the documentation... maybe it broke in 18+ and nobody noticed or cared to fix it?

Since this seems like it might be a dead end... any other ideas for my intended goal?

  • I'd like to have the WPS LED light up (or blink) as traffic comes into the P910nd print server.

The idea I was trying was to use iptables + kmod-ipt-led to capture traffic on port 1900 and use that as the LED trigger. Obviously that isn't working because iptables is throwing the error. Is there any other way to form a trigger based on activity through P910nd?

Personally, I'd probably be lazy (and wouldn't look at the LEDs anyways) :wink:

But patching p910nd to poke /sys/class/leds/…/brightness might be an alternative (get_lock() and free_lock() look promising, as a lazy man's approach, lines 642 and 653 might be more specific).

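An added example, not code from this thread nor from p910nd or OpenWrt, of the kind of alternative asked for above: instead of the xt_LED target or a p910nd patch, a small script polls /proc/net/tcp and lights the LED while a print connection is open. It assumes p910nd on TCP 9100 and the LED name tp-link:green:wps from the listings earlier in the thread; the fixture data at the bottom is constructed so the logic can be exercised off the router.

```shell
#!/bin/sh
# Added example (not code from the thread, p910nd or OpenWrt): drive an LED
# from p910nd activity without xt_LED, by counting ESTABLISHED TCP sockets on
# the print port in /proc/net/tcp and writing the LED's sysfs brightness.
# Assumed: p910nd on TCP 9100, LED tp-link:green:wps, and the LED trigger
# left at "none" so that brightness writes are not overridden.

LED_DIR="${LED_DIR:-/sys/class/leds/tp-link:green:wps}"
PRINT_PORT="${PRINT_PORT:-9100}"
PROC_TCP="${PROC_TCP:-/proc/net/tcp}"

# /proc/net/tcp shows ports as four upper-case hex digits (9100 -> 238C).
port_hex() {
    printf '%04X' "$1"
}

# Count sockets in state 01 (ESTABLISHED) whose local port is the print port.
# Column 2 is local_address as HEXIP:HEXPORT, column 4 is the socket state.
count_print_conns() {
    awk -v p=":$(port_hex "$PRINT_PORT")" \
        'NR > 1 && $4 == "01" && substr($2, length($2) - 4) == p { n++ }
         END { print n + 0 }' "$PROC_TCP"
}

# Only the "[none]" selection in the trigger file means a brightness write
# sticks; with a kernel trigger selected it would be overwritten at once.
led_is_manual() {
    grep -q '\[none\]' "$LED_DIR/trigger"
}

# Full brightness while at least one print connection is open, else off.
# Prints the connection count; returns 1 if a kernel trigger owns the LED.
update_led() {
    led_is_manual || return 1
    n=$(count_print_conns)
    if [ "$n" -gt 0 ]; then
        cat "$LED_DIR/max_brightness" > "$LED_DIR/brightness"
    else
        echo 0 > "$LED_DIR/brightness"
    fi
    echo "$n"
}

# Poll once a second; on the router, start this from /etc/rc.local.
run_loop() {
    while :; do
        update_led >/dev/null || exit 1
        sleep 1
    done
}

# Constructed stand-ins for /proc/net/tcp (one listener, one established
# print job, one ssh session) and for the LED sysfs directory.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' \
      '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
      '   0: 00000000:238C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0' \
      '   1: 0100007F:238C 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 20 4 2 10 -1' \
      '   2: 0100007F:0016 0200000A:C351 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 20 4 2 10 -1' \
      > "$dir/tcp"
    mkdir "$dir/led"
    echo '[none] timer default-on netdev usbport' > "$dir/led/trigger"
    echo 255 > "$dir/led/max_brightness"
    echo 0 > "$dir/led/brightness"
    echo "$dir"
}

if [ "${1:-}" = "--loop" ]; then
    run_loop
fi
```

Run it with `--loop` on the router after `echo none > /sys/class/leds/tp-link:green:wps/trigger`; a socket is only counted while a client is connected, so a queued-but-idle p910nd leaves the LED dark.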

I would not be surprised if the nftables/iptables translation layer does not fully work with more exotic iptables modules.


This makes me wonder if it is supported by nftables. See the unsupported section.
https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#LED
