Firewall4 custom nftables rule with dup statement results in "Unknown Family"

Hi, I'm trying to include a custom nftables rule in the fw4 config. The nftables rule contains a dup statement in order to duplicate the packets onto a different interface. After adding the rule and running fw4 check, it complains with "Unknown Family", underlining the dup to ... statement. Here are the relevant sections of the config files:

# /etc/config/firewall
config include
        option type 'nftables'
        option path '/etc/custom-fw-rules/multicast_repeat.nft'
        option position 'chain-post'
        option chain 'mangle_prerouting'
# /etc/custom-fw-rules/multicast_repeat.nft
ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to 224.0.0.251 device "br-iot" notrack comment "!fw4: Repeat-mDNS-LAN-IOT"

Openwrt version: v22.03.0

I suspected that a kernel module might be missing, searched for the relevant kernel module for dup statement, but could not find anything. So I installed kmod-nft-* packages one by one and checked if that made a difference, but no luck.


My reading of the man page seems to indicate that the 'to' address must be a gateway, not a broadcast address. Maybe try it with just dup to "br-iot" and see if that works?

       Table 72. Dup statement values
       ┌───────────┬───────────────────────────────────────────────────┬───────────────────────────────────────────────────┐
       │Expression │ Description                                       │ Type                                              │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │address    │ Specifies that the copy of the packet should be   │ ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can │
       │           │ sent to a new gateway.                            │ use a mapping, e.g. ip saddr map { 192.168.1.2 :  │
       │           │                                                   │ 10.1.1.1 }                                        │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │device     │ Specifies that the copy should be transmitted via │ string                                            │
       │           │ device.                                           │                                                   │
       └───────────┴───────────────────────────────────────────────────┴───────────────────────────────────────────────────┘
       Using the dup statement.
...
           # copy raw frame to another interface
           netdev ingress dup to "eth0"
           dup to "eth0"

Thanks for the answer. Still the same error:

In file included from /dev/stdin:248:3-54:
/etc/custom-fw-rules/multicast_repeat.nft:1:63-77: Error: unsupported family
ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to "br-iot" notrack comment "!fw4: Repeat-mDNS-LAN-IOT"

It looks like the kernel might not be built with CONFIG_NFT_DUP_IPV4.
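
The shell script below is an added example for this thread; it is not code from the thread, from fw4 or from nftables. It covers the two things worth checking before going further. First, how to read the state of CONFIG_NFT_DUP_IPV4 in a kernel config (=y, =m, "is not set", or absent), since "is not set" in a build config does not by itself rule out a module supplied by a separate package. Second, the nftables side: the nft evaluator accepts the dup statement only in the ip, ip6 and netdev families, and the fw4 table is in the inet family, so a chain-post include into mangle_prerouting is rejected with "unsupported family" at check time, before any kernel support is consulted. The script therefore emits a stand-alone ip-family table, which a 'ruleset-post' include can place beside table inet fw4, and validates it with nft -c (check only; nothing is loaded). Assumed or constructed here: the kernel config paths, the /lib/modules layout, the table name mdns_repeat and the sample config lines; the rule itself reuses the addresses and interfaces from the thread.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread, fw4 or nftables).
# Assumptions, none of which the thread states:
#   - a kernel config, when present, is at /proc/config.gz or /boot/config-<release>
#   - OpenWrt keeps modules flat under /lib/modules/<release>/
#   - "nft" is on PATH; "nft -c -f -" only checks a ruleset and loads nothing
# The table name "mdns_repeat" is constructed; the rule values come from the thread.

# Classify one Kconfig symbol in a kernel config read from stdin.
# Prints: builtin (=y), module (=m), unset ("# SYM is not set"), absent (no line).
kconfig_state() {
    sym="$1"
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q "^${sym}=y\$"; then
        echo builtin
    elif printf '%s\n' "$cfg" | grep -q "^${sym}=m\$"; then
        echo module
    elif printf '%s\n' "$cfg" | grep -q "^# ${sym} is not set\$"; then
        echo unset
    else
        echo absent
    fi
}

# nftables checks "dup" per table family: ip and ip6 take "dup to <addr> [device <dev>]",
# netdev takes "dup to <dev>", and every other family (inet included, which is what
# table inet fw4 uses) fails at check time with "unsupported family".
# Returns 0 when FAMILY accepts a dup target of KIND (address or device).
dup_family_accepts() {
    family="$1"; kind="$2"
    case "$family:$kind" in
        ip:address|ip6:address|netdev:device) return 0 ;;
        *) return 1 ;;
    esac
}

# Ruleset for an fw4 include with position 'ruleset-post', which lands outside
# table inet fw4 so a second, ip-family table can own the dup rule. Both tables
# hook prerouting and nftables runs both. "notrack" from the thread is left out:
# it only takes effect in a chain that runs before conntrack (raw priority), and
# a mangle-priority chain runs after conntrack has already seen the packet.
ip_dup_ruleset() {
    cat <<'EOF'
table ip mdns_repeat {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to 224.0.0.251 device "br-iot" comment "Repeat-mDNS-LAN-IOT"
    }
}
EOF
}

# Live check on the router: kernel config state, module file, and nft's verdict.
probe_live() {
    rel=$(uname -r)
    if [ -r /proc/config.gz ]; then
        state=$(zcat /proc/config.gz | kconfig_state CONFIG_NFT_DUP_IPV4)
    elif [ -r "/boot/config-$rel" ]; then
        state=$(kconfig_state CONFIG_NFT_DUP_IPV4 < "/boot/config-$rel")
    else
        state=absent   # no readable config: fall through to the module and nft checks
    fi
    echo "CONFIG_NFT_DUP_IPV4: $state"
    if [ -e "/lib/modules/$rel/nft_dup_ipv4.ko" ]; then
        echo "module file present: /lib/modules/$rel/nft_dup_ipv4.ko"
    fi
    if command -v nft >/dev/null 2>&1; then
        if ip_dup_ruleset | nft -c -f -; then
            echo "nft -c: ip-family dup table accepted"
        else
            echo "nft -c: rejected, see the message above"
        fi
    else
        echo "nft not found; skipping ruleset check"
    fi
}

# Run the live probe only when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--probe" ]; then
    probe_live
fi
```

Run it as `sh dup_check.sh --probe` on the router. If nft -c accepts the ip-family table, save the output of ip_dup_ruleset to a file and reference it from an `include` section with `option position 'ruleset-post'` instead of the chain-post include shown in the first post; a "No such file or directory" or similar error from nft at that point, rather than "unsupported family", is the signal that kernel-side dup support (CONFIG_NFT_DUP_IPV4) is what is actually missing.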

Oh no! Can't I enable it at runtime even if that is the case? I realized that the same build config file also has # CONFIG_NF_CONNTRACK is not set, but I have conntrack without a custom build 🙂

I was trying to accomplish the same as @kmotoko, relaying mDNS traffic between VLANs for Google Home speaker discovery. I got the same error message. I assume as of now the only way to achieve it this way is by recompiling the kernel?
Is it possible to include nftables "dup" support via a kernel module in the future?

Hi, has someone found a solution to use dup?