Curl and 'Operation not permitted error'

I rebuilt curl with OpenSSL support for TLS 1.3 connections (to use zapret for bypassing my ISP censorship), but for some reason I sometimes get the error `rawsend: sendto: Operation not allowed`; when I disable fw4 the error doesn't seem to appear.
I am using OpenWrt 23.05.0 on an Archer C6U.
Why does this error occur and how can I solve this issue?

You may have some killswitch which doesn't allow the packets to leave. Having a look at the firewall configuration may shed some light.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export firewall; \
nft list ruleset
nft ruleset
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wan", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "br-wifi" jump input_lan_wifi comment "!fw4: Handle lan_wifi IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "wan", "pppoe-wan" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "br-wifi" jump forward_lan_wifi comment "!fw4: Handle lan_wifi IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "wan", "pppoe-wan" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "br-wifi" jump output_lan_wifi comment "!fw4: Handle lan_wifi IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		iifname "br-wifi" jump helper_lan_wifi comment "!fw4: Handle lan_wifi IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_lan_wifi comment "!fw4: Accept lan to lan_wifi forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname "br-lan" counter packets 26590 bytes 1797399 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "br-lan" counter packets 1213 bytes 92831 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 564 bytes 18048 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wan", "pppoe-wan" } ct state invalid counter packets 727 bytes 92591 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wan", "pppoe-wan" } counter packets 11993 bytes 1482741 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname { "wan", "pppoe-wan" } counter packets 10013 bytes 3274677 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wan", "pppoe-wan" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_lan_wifi {
		meta nfproto ipv4 udp dport 67 counter packets 12 bytes 4057 accept comment "!fw4: Allow-DHCP-WIFI"
		tcp dport 53 counter packets 0 bytes 0 accept comment "!fw4: Allow-DNS-WIFI"
		udp dport 53 counter packets 871 bytes 65613 accept comment "!fw4: Allow-DNS-WIFI"
		ip saddr 192.168.2.235 counter packets 133 bytes 33010 accept comment "!fw4: Allow-Router-my-phone"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_lan_wifi
	}

	chain output_lan_wifi {
		jump accept_to_lan_wifi
	}

	chain forward_lan_wifi {
		ip saddr 192.168.2.235 counter packets 473 bytes 236159 accept comment "!fw4: Allow-Traffic-my-phone "
		jump accept_to_wan comment "!fw4: Accept lan_wifi to wan forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_lan_wifi
	}

	chain helper_lan_wifi {
	}

	chain accept_to_lan_wifi {
		oifname "br-wifi" counter packets 14 bytes 4103 accept comment "!fw4: accept lan_wifi IPv4/IPv6 traffic"
	}

	chain reject_from_lan_wifi {
		iifname "br-wifi" counter packets 47 bytes 2626 jump handle_reject comment "!fw4: reject lan_wifi IPv4/IPv6 traffic"
	}

	chain reject_to_lan_wifi {
		oifname "br-wifi" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject lan_wifi IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
		iifname "br-wifi" jump dstnat_lan_wifi comment "!fw4: Handle lan_wifi IPv4/IPv6 dstnat traffic"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wan", "pppoe-wan" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}

	chain dstnat_lan {
		meta nfproto ipv4 tcp dport 53 counter packets 2 bytes 104 redirect to :53 comment "!fw4: local dns lan"
		meta nfproto ipv4 udp dport 53 counter packets 6506 bytes 422507 redirect to :53 comment "!fw4: local dns lan"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain dstnat_lan_wifi {
		meta nfproto ipv4 tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: local dns wifi"
		meta nfproto ipv4 udp dport 53 counter packets 655 bytes 48523 redirect to :53 comment "!fw4: local dns wifi"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		jump pbr_prerouting comment "Jump into pbr prerouting chain"
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		jump pbr_postrouting comment "Jump into pbr postrouting chain"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
		jump pbr_input comment "Jump into pbr input chain"
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
		jump pbr_output comment "Jump into pbr output chain"
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname { "wan", "pppoe-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname { "wan", "pppoe-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		jump pbr_forward comment "Jump into pbr forward chain"
	}

	chain pbr_forward {
	}

	chain pbr_input {
	}

	chain pbr_output {
	}

	chain pbr_prerouting {
	}

	chain pbr_postrouting {
	}
}
table inet zapret {
	set zapret {
		type ipv4_addr
		policy memory
		size 522288
		flags interval
		auto-merge
		elements = { There are over 4000 elements of this type:220.158.224.0/24, 222.122.198.0/24 }
	}

	set ipban {
		type ipv4_addr
		policy memory
		size 522288
		flags interval
		auto-merge
	}

	set nozapret {
		type ipv4_addr
		policy memory
		size 65536
		flags interval
		auto-merge
	}

	set zapret6 {
		type ipv6_addr
		policy memory
		size 522288
		flags interval
		auto-merge
		elements = { 2a02:26f0:9500:1c::1749:2c5,
			     2a02:26f0:9500:1c::1749:2cf }
	}

	set ipban6 {
		type ipv6_addr
		policy memory
		size 522288
		flags interval
		auto-merge
	}

	set nozapret6 {
		type ipv6_addr
		policy memory
		size 65536
		flags interval
		auto-merge
	}

	set lanif {
		type ifname
		elements = { "br-lan",
			     "br-wifi" }
	}

	set wanif {
		type ifname
		elements = { "pppoe-wan" }
	}

	set wanif6 {
		type ifname
	}

	map link_local {
		type ifname : ipv6_addr
	}
}

system board
{
	"kernel": "5.15.134",
	"hostname": "Archer",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer C6U v1",
	"board_name": "tplink,archer-c6u-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd85:a15d:e26e::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username '*******'
	option password '*******'
	option ipv6 'auto'
	option keepalive '6 10'
	option mtu '1492'
	option peerdns '0'
	list dns '127.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-wifi'
	option bridge_empty '1'

config interface 'lan_wifi'
	option proto 'static'
	option device 'br-wifi'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'


firewall
package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-WIFI'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'lan_wifi'
	option family 'ipv4'
	option dest_port '67'

config rule
	option name 'Allow-DNS-WIFI'
	option src 'lan_wifi'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-Traffic-my-phone '
	list proto 'all'
	option src 'lan_wifi'
	list src_ip '192.168.2.235'
	option dest '*'
	option target 'ACCEPT'

config rule
	option name 'Allow-Router-my-phone'
	list proto 'all'
	option src 'lan_wifi'
	list src_ip '192.168.2.235'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'lan_wifi'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_wifi'

config forwarding
	option src 'lan_wifi'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'lan_wifi'

config redirect
	option target 'DNAT'
	option name 'local dns lan'
	option src 'lan'
	option src_dport '53'

config redirect
	option target 'DNAT'
	option name 'local dns wifi'
	option src 'lan_wifi'
	option src_dport '53'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'


pbr is not configured or even enabled.
I also have WiFi network clients on a separate lan_wifi subnet; only my phone has access to the lan subnet and to the router, and I also use stubby for DoT.
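On Linux a packet discarded by a netfilter rule in the output hook is reported to the sending socket as EPERM, so a first check when reading a ruleset like the one above is to list the discarding rules whose counters are not zero. The script below is an added example, not code from the thread or from fw4/zapret; its input is a constructed excerpt of the posted `nft list ruleset` output, and a nonzero counter only shows that a rule fired on some path (accept_to_wan is reached from both forward and output), not that it caused the curl error.

```python
import re

# Constructed excerpt of the `nft list ruleset` output posted above;
# chain names, counters and comments are copied from the thread.
SAMPLE_RULESET = """\
table inet fw4 {
	chain output {
		type filter hook output priority filter; policy accept;
		oifname { "wan", "pppoe-wan" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wan", "pppoe-wan" } ct state invalid counter packets 727 bytes 92591 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wan", "pppoe-wan" } counter packets 11993 bytes 1482741 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wan", "pppoe-wan" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}
}
"""

CHAIN_RE = re.compile(r'^\s*chain (\S+) \{')
COUNTER_RE = re.compile(r'counter packets (\d+) bytes (\d+)')
COMMENT_RE = re.compile(r'comment "([^"]*)"')
# Verdicts that discard the packet; "jump handle_reject" is fw4's reject path.
VERDICT_RE = re.compile(r'\b(drop|reject|jump handle_reject)\b')


def fired_discard_rules(ruleset):
    """Return (chain, verdict, packets, comment) for every rule that
    discards packets and whose counter is nonzero."""
    hits = []
    chain = None
    for line in ruleset.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        cm = COUNTER_RE.search(line)
        if not cm or int(cm.group(1)) == 0:
            continue
        # Only inspect the rule body, not the free-text comment.
        body = line.split("comment", 1)[0]
        vm = VERDICT_RE.search(body)
        if not vm:
            continue
        cmt = COMMENT_RE.search(line)
        hits.append((chain, vm.group(1), int(cm.group(1)), cmt.group(1) if cmt else ""))
    return hits
```

Feed it the full `nft list ruleset` output to see every discarding rule that has fired since the counters were last reset.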

I'm communicating with him, but he doesn't understand why it's an error, saying that I have an error somewhere in the network configuration.
His words:

It's not working properly. It randomly pops up `not permitted`, the reason for which is not clear. Pure OpenWrt doesn't produce this.
...
Obviously you have nfqws not working for some reason, and clearly it has to do with `not permitted` or not selecting the correct network interface to send packets on.