CONFIG_NFT_CONNLIMIT in the kernel

I'm using masmbit's router firmware for the Netgear-R9000:

But noticing that CONFIG_NFT_CONNLIMIT is disabled:

Because:

root@OWRT-Khufu:~# bash /etc/firewall.user
Error: Could not process rule: No such file or directory
add rule ip filter FORWARD ip protocol tcp ip saddr 192.168.100.0/24 ct count over 50 add @connlimit0 { ip saddr } counter jump logdrop
                                                                     ^^^^^^^^^^^^^^^^

and the 8545 link above is dated. Is it generally recommended to roll a custom image where more kernel functionality needs to be supported or is there a way to allow "ct count over" to work?

I'm transitioning my iptables rules to nft, but running into these challenges where not everything for nft is enabled.

Cheers,

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

True. I was looking for Netgear X10 R9000 firmware from OpenWRT. After some reading, it appears the only one that supports it was the build I noted below:

Based on your comment though, appears I might be able to just use the OpenWRT that matches this CPU?

ARMv7 Processor rev 4 (v7l)

I'll poke around and try the usual builds of OpenWRT and see if that works. Appears your post is alluding to that. :slight_smile:

Cheers,

Please post output of

ubus call system board
cat /etc/firewall.user

Note that iptables-nft requires xt kmods for syntax parsing AND nft kmods to use nftables rules.

Hoping you won't mind if I don't post my entire NFT rules (have ~500 rules, comments, etc.), so I'll toss in the relevant lines. Below is some additional information. I'm seeing how easy it would be to transition from DD-WRT to OpenWRT for this Netgear X10 R9000 router, so I'm converting the iptables rules to NFT.

For the most part, everything works except the connection limits. The iptables equivalent rules work just fine. All of them. No errors whatsoever. But I'm trying to transition to something newer as it appears NFT is the way to go with Linux, so why not try it.

root@OWRT-Khufu:~#
root@OWRT-Khufu:~#
root@OWRT-Khufu:~# cat /etc/firewall.user | grep -Ei "ct count over" -B5 -A5
# Change the IP address to the IP of your guest network such as x.x.x.x/24
# iptables -I FORWARD -p tcp -s 192.168.100.0/24 -m connlimit --connlimit-above 50 -j logdrop
# iptables -I FORWARD -p tcp -s 192.168.100.0/24 -m connlimit --connlimit-above 25 -j logdrop

nft 'add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }'
nft 'add rule ip filter FORWARD ip protocol tcp ip saddr 192.168.100.0/24 ct count over 50 add @connlimit0 { ip saddr } counter jump logdrop'


# Block guest access to router services
iptables -I INPUT -i br1 -p tcp -m multiport --dports telnet,ssh,www,https -j logdrop

root@OWRT-Khufu:~#
root@OWRT-Khufu:~#
root@OWRT-Khufu:~# ubus call system board
{
        "kernel": "6.6.63",
        "hostname": "OWRT-Khufu.mds.xyz",
        "system": "ARMv7 Processor rev 4 (v7l)",
        "model": "Annapurna Labs Alpine Dev Board",
        "board_name": "netgear,r9000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r28285-3fe891d0c5",
                "target": "alpine/generic",
                "description": "OpenWrt SNAPSHOT r28285-3fe891d0c5",
                "builddate": "1733913412"
        }
}
root@OWRT-Khufu:~# apk list -I |grep -Ei nft
cni-plugins-nft-1.0.12-r2 arm_cortex-a15_neon-vfpv4 {feeds/packages/utils/cni-plugins-nft} (Apache-2.0) [installed]
ip6tables-nft-1.8.10-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/network/utils/iptables} (GPL-2.0) [installed]
iptables-nft-1.8.10-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/network/utils/iptables} (GPL-2.0) [installed]
kmod-nft-compat-6.6.63-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/kernel/linux} (GPL-2.0-only) [installed]
kmod-nft-core-6.6.63-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/kernel/linux} (GPL-2.0-only) [installed]
kmod-nft-fib-6.6.63-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/kernel/linux} (GPL-2.0-only) [installed]
kmod-nft-nat-6.6.63-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/kernel/linux} (GPL-2.0-only) [installed]
kmod-nft-offload-6.6.63-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/kernel/linux} (GPL-2.0-only) [installed]
libiptext-nft0-1.8.10-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/network/utils/iptables} (GPL-2.0) [installed]
libnftnl11-1.2.8-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/libs/libnftnl} (GPL-2.0-or-later) [installed]
nftables-json-1.1.1-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/network/utils/nftables} (GPL-2.0) [installed]
xtables-nft-1.8.10-r1 arm_cortex-a15_neon-vfpv4 {feeds/base/network/utils/iptables} (GPL-2.0) [installed]
root@OWRT-Khufu:~#
root@OWRT-Khufu:~#

Some more tests:

root@OWRT-Khufu:~# zcat /proc/config.gz | grep -Ei "CONFIG_NFT_CT|CONFIG_NFT_SET_RBTREE|CONFIG_NFT_CT_EXPR|CONFIG_NF_CONNTRACK_EVENTS"
# CONFIG_NF_CONNTRACK_EVENTS is not set
CONFIG_NFT_CT=m
root@OWRT-Khufu:~# nft add rule ip filter test ct state established,related accept
Error: Could not process rule: No such file or directory
add rule ip filter test ct state established,related accept
                   ^^^^
root@OWRT-Khufu:~#

Thinking that without the kernel parameters, I can't use "ct count over". Wondering if you could run:

zcat /proc/config.gz | grep -Ei "CONFIG_NFT_CT|CONFIG_NFT_SET_RBTREE|CONFIG_NFT_CT_EXPR|CONFIG_NF_CONNTRACK_EVENTS"

to confirm whether the recommended OpenWRT also has those kernel compilation flags set, for reference?

Cheers,

Oops, forgot to add:

root@OWRT-Khufu:~# lsmod|grep -Ei nft
nf_conntrack           77824 17 xt_connlimit,nf_conncount,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_REDIRECT,xt_MASQUERADE,nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table
nf_flow_table          28672  2 nft_flow_offload,nf_flow_table_inet
nf_nat                 28672  8 iptable_nat,xt_nat,xt_REDIRECT,xt_MASQUERADE,nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_reject_ipv4         12288  3 ipt_REJECT,nft_reject_ipv4,nft_reject_inet
nf_reject_ipv6         12288  3 nft_reject_ipv6,nft_reject_inet,ip6t_REJECT
nf_tables             20070418645 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_fib_inet,nft_ct,nft_chain_nat,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_quota,nft_numgen,nft_log,nft_limit,nft_hash,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_compat
nfnetlink              12288  3 nft_compat,nf_tables,ip_set
nft_chain_nat          12288  4
nft_compat             16384259
nft_ct                 16384249
nft_fib                12288  3 nft_fib_inet,nft_fib_ipv6,nft_fib_ipv4
nft_fib_inet           12288  0
nft_fib_ipv4           12288  1 nft_fib_inet
nft_fib_ipv6           12288  1 nft_fib_inet
nft_flow_offload       12288  0
nft_hash               12288  0
nft_limit              12288  5
nft_log                12288101
nft_masq               12288 17
nft_nat                12288128
nft_numgen             12288  0
nft_quota              12288  0
nft_redir              12288  0
nft_reject             12288  3 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet
nft_reject_inet        12288  2
nft_reject_ipv4        12288  0
nft_reject_ipv6        12288  0
x_tables               20480 40 xt_connlimit,iptable_nat,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_REDIRECT,xt_MASQUERADE,ipt_REJECT,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_recent,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_comment,xt_TCPMSS,xt_LOG,xt_HL,xt_DSCP,xt_CLASSIFY,nft_compat,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT
root@OWRT-Khufu:~#

The error here is because you have not defined chain test in table filter before adding the rule.
By default, ct state established,related is supported.

However, ct count over requires, if I remember correctly, the package kmod-nf-conntrack.
I cannot tell if you have this installed as you have filtered on nft.


Easier translate is to create dormant ip/ip6 tables filter then use iptables-nft to add rules, then translate hook names to table inet fw4 and add include chains duplicating fw4 base chains as /etc/nftables.d/whatever.nft

Pasted the wrong command. That test line was from debugging suggestions I was using. I'm aware filter 'test' is not defined. :slight_smile:

Sorry about this.

The rule that is giving me the issue is:

root@OWRT-Khufu:~#
root@OWRT-Khufu:~#
root@OWRT-Khufu:~# nft 'add rule ip filter FORWARD ip saddr 192.168.100.0/24 ip protocol tcp connlimit connlimit-above 50 counter log prefix "TOO MANY CONNS" level warning drop'
Error: syntax error, unexpected counter
add rule ip filter FORWARD ip saddr 192.168.100.0/24 ip protocol tcp connlimit connlimit-above 50 counter log prefix "TOO MANY CONNS" level warning drop
                                                                                                  ^^^^^^^
root@OWRT-Khufu:~# lsmod | grep nft_connlimit
root@OWRT-Khufu:~# modprobe nft_connlimit
failed to find a module named nft_connlimit
root@OWRT-Khufu:~# zcat /proc/config.gz | grep NFT_CONNLIMIT
# CONFIG_NFT_CONNLIMIT is not set
root@OWRT-Khufu:~#
root@OWRT-Khufu:~#

The full lsmod list:

root@OWRT-Khufu:~# lsmod
ahci                   24576  0
al_eth_drv            102400  0
ath                    24576  1 ath10k_core
ath10k_core           450560  1 ath10k_pci
ath10k_pci             49152  0
blake2b_generic        32768  0
btrfs                1085440  0
cfg80211              331776  4 ath10k_core,ath,wil6210,mac80211
cmac                   12288  4
compat                 12288  4 ath10k_core,wil6210,mac80211,cfg80211
crc_ccitt              12288  1 ppp_async
curve25519_neon        24576  1 wireguard
ehci_fsl               12288  0
ehci_hcd               49152  3 ehci_pci,ehci_platform,ehci_fsl
ehci_pci               12288  0
ehci_platform          12288  0
ext4                  483328  0
fat                    61440  2 msdos,vfat
fsl_mph_dr_of          12288  0
geniv                  12288  1 seqiv
gpio_button_hotplug    12288  0
ip_set                 32768 17 xt_set,ip_set_list_set,ip_set_hash_netportnet,ip_set_hash_netport,ip_set_hash_netnet,ip_set_hash_netiface,ip_set_hash_net,ip_set_hash_mac,ip_set_hash_ipportnet,ip_set_hash_ipportip,ip_set_hash_ipport,ip_set_hash_ipmark,ip_set_hash_ipmac,ip_set_hash_ip,ip_set_bitmap_port,ip_set_bitmap_ipmac,ip_set_bitmap_ip
ip_set_bitmap_ip       16384  0
ip_set_bitmap_ipmac    16384  0
ip_set_bitmap_port     12288  0
ip_set_hash_ip         32768  0
ip_set_hash_ipmac      32768  0
ip_set_hash_ipmark     32768  2
ip_set_hash_ipport     36864  0
ip_set_hash_ipportip   32768  0
ip_set_hash_ipportnet   36864  0
ip_set_hash_mac        20480  0
ip_set_hash_net        36864  5
ip_set_hash_netiface   36864  0
ip_set_hash_netnet     40960  0
ip_set_hash_netport    36864  0
ip_set_hash_netportnet   40960  0
ip_set_list_set        16384  1
ip_tables              20480  3 iptable_nat,iptable_mangle,iptable_filter
ip6_tables             20480  2 ip6table_mangle,ip6table_filter
ip6_udp_tunnel         12288  1 wireguard
ip6t_REJECT            12288  0
ip6table_filter        12288  0
ip6table_mangle        12288  0
ipt_ECN                12288  0
ipt_REJECT             12288  0
iptable_filter         12288  0
iptable_mangle         12288  0
iptable_nat            12288  0
jbd2                   81920  1 ext4
leds_gpio              12288  0
ledtrig_usbport        12288  0
libahci                24576  1 ahci
libata                151552  2 ahci,libahci
libchacha20poly1305    12288  1 wireguard
libcrc32c              12288  2 nf_tables,btrfs
libcurve25519_generic   16384  2 wireguard,curve25519_neon
mac80211              634880  1 ath10k_core
macvlan                20480  0
mbcache                12288  1 ext4
mdio_al_gpio           12288  0
mdio_i2c               12288  1 sfp
msdos                  16384  0
nat46                  32768  0
nf_conncount           16384  1 xt_connlimit
nf_conntrack           77824 17 xt_connlimit,nf_conncount,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_REDIRECT,xt_MASQUERADE,nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table
nf_defrag_ipv4         12288  1 nf_conntrack
nf_defrag_ipv6         16384  2 nf_conntrack,nat46
nf_flow_table          28672  2 nft_flow_offload,nf_flow_table_inet
nf_flow_table_inet     12288  0
nf_log_syslog          16384118
nf_nat                 28672  8 iptable_nat,xt_nat,xt_REDIRECT,xt_MASQUERADE,nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_reject_ipv4         12288  3 ipt_REJECT,nft_reject_ipv4,nft_reject_inet
nf_reject_ipv6         12288  3 nft_reject_ipv6,nft_reject_inet,ip6t_REJECT
nf_tables             20070418645 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_fib_inet,nft_ct,nft_chain_nat,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_quota,nft_numgen,nft_log,nft_limit,nft_hash,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_compat
nfnetlink              12288  3 nft_compat,nf_tables,ip_set
nft_chain_nat          12288  4
nft_compat             16384259
nft_ct                 16384249
nft_fib                12288  3 nft_fib_inet,nft_fib_ipv6,nft_fib_ipv4
nft_fib_inet           12288  0
nft_fib_ipv4           12288  1 nft_fib_inet
nft_fib_ipv6           12288  1 nft_fib_inet
nft_flow_offload       12288  0
nft_hash               12288  0
nft_limit              12288  5
nft_log                12288101
nft_masq               12288 17
nft_nat                12288128
nft_numgen             12288  0
nft_quota              12288  0
nft_redir              12288  0
nft_reject             12288  3 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet
nft_reject_inet        12288  2
nft_reject_ipv4        12288  0
nft_reject_ipv6        12288  0
nls_cp437              12288  0
nls_iso8859_1          12288  0
nls_utf8               12288  0
ohci_hcd               32768  2 ohci_pci,ohci_platform
ohci_pci               12288  0
ohci_platform          12288  0
poly1305_arm           20480  1 libchacha20poly1305
ppp_async              16384  0
ppp_generic            32768  3 pppoe,ppp_async,pppox
pppoe                  16384  0
pppox                  12288  1 pppoe
raid6_pq               98304  1 btrfs
scsi_common            12288  4 usb_storage,libata,sd_mod,scsi_mod
scsi_mod              118784  3 usb_storage,libata,sd_mod
sd_mod                 45056  0
seqiv                  12288  0
sfp                    28672  0
slhc                   12288  1 ppp_generic
tun                    40960  2
udp_tunnel             16384  1 wireguard
usb_storage            45056  0
vfat                   20480  0
wil6210               241664  0
wireguard              61440  0
x_tables               20480 40 xt_connlimit,iptable_nat,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_REDIRECT,xt_MASQUERADE,ipt_REJECT,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_recent,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_comment,xt_TCPMSS,xt_LOG,xt_HL,xt_DSCP,xt_CLASSIFY,nft_compat,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT
xhci_hcd              126976  2 xhci_plat_hcd,xhci_pci
xhci_pci               16384  0
xhci_plat_hcd          12288  0
xor                    12288  1 btrfs
xor_neon               12288  1 xor
xt_CLASSIFY            12288  0
xt_DSCP                12288  0
xt_HL                  12288  0
xt_LOG                 12288 17
xt_MASQUERADE          12288  7
xt_REDIRECT            12288  0
xt_TCPMSS              12288  2
xt_comment             12288 10
xt_connbytes           12288  0
xt_connlimit           12288  4
xt_connmark            12288  4
xt_conntrack           12288 34
xt_dscp                12288  0
xt_ecn                 12288  0
xt_helper              12288  0
xt_hl                  12288  0
xt_length              12288  0
xt_limit               12288  0
xt_mac                 12288  0
xt_mark                12288 16
xt_multiport           12288 92
xt_nat                 12288 26
xt_recent              16384  0
xt_set                 12288 10
xt_state               12288  0
xt_statistic           12288  0
xt_tcpmss              12288  0
xt_tcpudp              12288 37
xt_time                12288  0
xxhash_generic         12288  0
root@OWRT-Khufu:~# lsmod|grep -Ei nft
nf_conntrack           77824 17 xt_connlimit,nf_conncount,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_REDIRECT,xt_MASQUERADE,nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table
nf_flow_table          28672  2 nft_flow_offload,nf_flow_table_inet
nf_nat                 28672  8 iptable_nat,xt_nat,xt_REDIRECT,xt_MASQUERADE,nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_reject_ipv4         12288  3 ipt_REJECT,nft_reject_ipv4,nft_reject_inet
nf_reject_ipv6         12288  3 nft_reject_ipv6,nft_reject_inet,ip6t_REJECT
nf_tables             20070418645 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_fib_inet,nft_ct,nft_chain_nat,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_quota,nft_numgen,nft_log,nft_limit,nft_hash,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_compat
nfnetlink              12288  3 nft_compat,nf_tables,ip_set
nft_chain_nat          12288  4
nft_compat             16384259
nft_ct                 16384249
nft_fib                12288  3 nft_fib_inet,nft_fib_ipv6,nft_fib_ipv4
nft_fib_inet           12288  0
nft_fib_ipv4           12288  1 nft_fib_inet
nft_fib_ipv6           12288  1 nft_fib_inet
nft_flow_offload       12288  0
nft_hash               12288  0
nft_limit              12288  5
nft_log                12288101
nft_masq               12288 17
nft_nat                12288128
nft_numgen             12288  0
nft_quota              12288  0
nft_redir              12288  0
nft_reject             12288  3 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet
nft_reject_inet        12288  2
nft_reject_ipv4        12288  0
nft_reject_ipv6        12288  0
x_tables               20480 40 xt_connlimit,iptable_nat,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_REDIRECT,xt_MASQUERADE,ipt_REJECT,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_recent,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_comment,xt_TCPMSS,xt_LOG,xt_HL,xt_DSCP,xt_CLASSIFY,nft_compat,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,xt_set,ip6table_mangle,ip6table_filter,ip6_tables,ip6t_REJECT
root@OWRT-Khufu:~#

The problem is you are doing iptables-translate on a different (older) system, so you are inserting semi-legacy syntax, not considering loaded module limitations.

Your translated syntax is watered down and not supposed to work.

I agree, and that's exactly what I was thinking and saw as well.

"Easier translate is to create dormant ip/ip6 tables filter then use iptables-nft to add rules, then translate hook names to table inet fw4 and add include chains duplicating fw4 base chains as /etc/nftables.d/whatever.nft"

Could I please ask you to elaborate a bit more on the comment above how I could do so properly? It's my first time working with nft rules so wouldn't mind getting more details and maybe an example or two? :thinking:

Cheers,

table ip filter {
 flags dormant;
}
table ip6 filter {
 flags dormant;
}

Then run your iptables-nft commands and use nft list ruleset to observe command outcomes without the commands filtering packets.
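The two ideas in this thread, checking the kernel config for the nft expression a translated rule needs (nft_connlimit is what "ct count over" is missing here) and staging rules in a dormant table so they parse without ever seeing traffic, put together as an added example; this is not code from the thread or from OpenWrt. It assumes BusyBox/ash on the router with nft on PATH, takes the uncompressed text of /proc/config.gz as a file so it can be tested offline, and stages into a separate table named "stage" rather than "filter" so it never flips a live iptables-nft table to dormant.

```shell
#!/bin/sh
# Added example: gate a converted iptables rule on the kernel options it needs,
# then stage it in a dormant table so `nft list ruleset` shows the parsed form
# while the chain stays unhooked. Not from the original posts.

NFT="${NFT:-nft}"   # assumption: nft binary on PATH (overridable for testing)

# kconfig_enabled CONFIG_FILE SYMBOL -> 0 if SYMBOL is =y or =m, else 1.
# "# CONFIG_X is not set" lines (as in the post) deliberately do not match.
kconfig_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# required_options RULE -> one CONFIG_ symbol per line for the stateful
# expressions this thread runs into; other expressions are not mapped.
required_options() {
    case "$1" in *"ct count"*) echo CONFIG_NFT_CONNLIMIT ;; esac  # nft_connlimit
    case "$1" in *"ct state"*) echo CONFIG_NFT_CT ;; esac         # nft_ct
    case "$1" in *"log prefix"*|*"log level"*) echo CONFIG_NFT_LOG ;; esac
}

# check_rule CONFIG_FILE RULE -> 0 if every needed option is enabled;
# otherwise reports the first missing one on stderr and returns 1.
check_rule() {
    for opt in $(required_options "$2"); do
        if ! kconfig_enabled "$1" "$opt"; then
            echo "missing kernel option: $opt (rule would fail with ENOENT)" >&2
            return 1
        fi
    done
    return 0
}

# stage_rule RULE: load RULE into a dormant table. Dormant tables keep their
# chains unregistered from the hooks, so the rule is parsed and stored but
# filters nothing. "stage" is a constructed table name, not the live "filter".
stage_rule() {
    "$NFT" -f - <<EOF
table ip stage {
    flags dormant;
    set connlimit0 { type ipv4_addr; flags dynamic; size 65535; }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        $1
    }
}
EOF
}

# apply_staged CONFIG_FILE RULE: kernel check first, then the dormant stage.
apply_staged() {
    check_rule "$1" "$2" && stage_rule "$2"
}

# Per-source connection limit for the guest subnet in native nftables form
# (dynamic set plus "ct count" inside the element expression), i.e. the shape
# nft itself documents rather than the translated ordering from the post.
GUEST_LIMIT='ip saddr 192.168.100.0/24 tcp flags syn add @connlimit0 { ip saddr ct count over 50 } counter log prefix "TOO MANY CONNS " drop'

# On the router: zcat /proc/config.gz > /tmp/kconfig && apply_staged /tmp/kconfig "$GUEST_LIMIT"
```

With the kernel from the post, check_rule stops at CONFIG_NFT_CONNLIMIT before nft is ever called; once a staged rule lists cleanly, the same rule text can be moved into the live table or an /etc/nftables.d include.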