Firewall4 custom nftables rule with dup statement results in "Unknown Family"

Hi, I'm trying to include a custom nftables rule in fw4 config. The nftables rule contains a dup statement in order to duplicate the packets on a different interface. After adding the rule and doing fw4 check, it complains with Unknown Family, underlining dup to ... statement. Here are the relevant sections of the config files:

# /etc/config/firewall
config include
        option type 'nftables'
        option path '/etc/custom-fw-rules/multicast_repeat.nft'
        option position 'chain-post'
        option chain 'mangle_prerouting'
# /etc/custom-fw-rules/multicast_repeat.nft
ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to 224.0.0.251 device "br-iot" notrack comment "!fw4: Repeat-mDNS-LAN-IOT"

Openwrt version: v22.03.0

I suspected that a kernel module might be missing, searched for the relevant kernel module for dup statement, but could not find anything. So I installed kmod-nft-* packages one by one and checked if that made a difference, but no luck.


My reading of the man page seems to indicate that the 'to' address must be a gateway, not a broadcast address. Maybe try it with just dup to "br-iot" and see if that works?

       Table 72. Dup statement values
       ┌───────────┬───────────────────────────────────────────────────┬───────────────────────────────────────────────────┐
       │Expression │ Description                                       │ Type                                              │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │address    │ Specifies that the copy of the packet should be   │ ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can │
       │           │ sent to a new gateway.                            │ use a mapping, e.g. ip saddr map { 192.168.1.2 :  │
       │           │                                                   │ 10.1.1.1 }                                        │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │device     │ Specifies that the copy should be transmitted via │ string                                            │
       │           │ device.                                           │                                                   │
       └───────────┴───────────────────────────────────────────────────┴───────────────────────────────────────────────────┘
       Using the dup statement.
...
           # copy raw frame to another interface
           netdev ingress dup to "eth0"
           dup to "eth0"

Thanks for the answer. Still the same error:

In file included from /dev/stdin:248:3-54:
/etc/custom-fw-rules/multicast_repeat.nft:1:63-77: Error: unsupported family
ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to "br-iot" notrack comment "!fw4: Repeat-mDNS-LAN-IOT"

It looks like the kernel might not be built with CONFIG_NFT_DUP_IPV4.

Oh No! Can't I enable it at runtime even if that is the case? I realized that the same build config file also has # CONFIG_NF_CONNTRACK is not set, but I have conntrack without a custom build :)

I was trying to accomplish the same as @kmotoko, relaying mDNS traffic between VLANs for Google Home speaker discovery. I got the same error message. I assume as of now the only way to achieve it this way is by recompiling the kernel?
Is it possible to include nftables "dup" support via a kernel module in the future?

Hi, did someone find a solution to use dup?

More on this here: OpenWrt 22.03 build - kernel modules compiling BUT missing in install image

I saw there is a module kmod-nft-dup-inet. I installed that on 24.10.2, rebooted, but still "dup" gives the "Unsupported family" error. Is it still necessary to rebuild the kernel?

dup statements work on the ip, ip6 and netdev table families. They cannot be used on inet.

Rebuild the kernel as many times as you like, that does not change.


The package is named β€œkmod-nft-dup-inet”. There is no package named β€œkmod-nft-dup-ip” in the software list, so I am assuming that β€œ*-inet” implements both ip and ip6, and that the β€œip saddr” match in the rule is enough to tell it that we’re dealing with β€œip”. Is one of these assumptions incorrect?

Yes. The family is set by the table that the rule is contained within.

The entire OpenWrt firewall is defined as inet fw4.

You are free to define a new table called ip myCustomTable, add appropriate hooks, and insert the rule there.
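A worked version of that suggestion, added here as an example and not taken from this thread or from fw4's own sources: a separate ip-family table, loaded through an fw4 include at the 'ruleset-post' position so that the file lands at the top level of the generated ruleset instead of inside a chain of inet fw4. It also illustrates the earlier point that dup is accepted only in ip, ip6 and netdev tables. The include path, table name and chain name are my own choices; the match and the dup to ... device arguments are the ones from the original post. It assumes that kmod-nft-dup-inet (which, as assumed above in the thread, provides the ip and ip6 dup expressions) is installed. The UCI side of it replaces the chain-scoped include shown at the top of the thread:

    # /etc/config/firewall
    config include
            option type 'nftables'
            option path '/etc/custom-fw-rules/mdns_dup.nft'
            option position 'ruleset-post'

```nftables
# /etc/custom-fw-rules/mdns_dup.nft  (hypothetical path; added example, not from the thread)
# Pulled in by fw4 at 'ruleset-post', i.e. at the top level of the ruleset,
# so it is its own ip-family table rather than a chain inside "inet fw4".
# The family of a rule is that of its table, which is why dup is valid here
# and rejected with "unsupported family" inside inet fw4.
table ip mdns_dup {
        chain prerouting {
                # Hooked at raw priority (-300) so that 'notrack' still applies to the
                # original packet; conntrack itself runs at -200, so a notrack placed
                # in a mangle-priority chain (-150) is too late for it.
                # The copy produced by dup is untracked regardless of where it is made.
                type filter hook prerouting priority raw; policy accept;

                # Same match and dup arguments as in the original post: mDNS traffic
                # arriving on br-lan, except from the router itself, is copied out of
                # br-iot. 'udp dport 5353' is added so only mDNS is duplicated, not
                # everything addressed to 224.0.0.251.
                iifname "br-lan" ip saddr != 192.168.1.1 ip daddr 224.0.0.251 udp dport 5353 dup to 224.0.0.251 device "br-iot" notrack comment "Repeat-mDNS-LAN-IOT"
        }
}
```

Validate with fw4 check, apply with fw4 reload, and confirm the table exists with nft list table ip mdns_dup. Both tables hook prerouting, so inet fw4's own rules still run on the original packet; the duplicate leaves via br-iot directly and never traverses the fw4 chains. Discovery in the other direction needs a mirror rule with the interfaces and source exclusion swapped, and a loop guard of some kind if the two bridges are ever joined.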

I see. In my case the rules are within a bridge table, and bridge isn’t one of the 3 for which dup works. Thanks.