Firewall4 custom nftables rule with dup statement results in "Unknown Family"

Hi, I'm trying to include a custom nftables rule in the fw4 config. The nftables rule contains a dup statement in order to duplicate the packets on a different interface. After adding the rule and doing fw4 check, it complains with Unknown Family, underlining the dup to ... statement. Here are the relevant sections of the config files:

# /etc/config/firewall
config include
        option type 'nftables'
        option path '/etc/custom-fw-rules/multicast_repeat.nft'
        option position 'chain-post'
        option chain 'mangle_prerouting'
# /etc/custom-fw-rules/multicast_repeat.nft
ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to 224.0.0.251 device "br-iot" notrack comment "!fw4: Repeat-mDNS-LAN-IOT"

OpenWrt version: v22.03.0

I suspected that a kernel module might be missing, searched for the relevant kernel module for dup statement, but could not find anything. So I installed kmod-nft-* packages one by one and checked if that made a difference, but no luck.


My reading of the man page seems to indicate that the 'to' address must be a gateway, not a broadcast address. Maybe try it with just dup to "br-iot" and see if that works?

       Table 72. Dup statement values
       ┌───────────┬───────────────────────────────────────────────────┬───────────────────────────────────────────────────┐
       │Expression │ Description                                       │ Type                                              │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │address    │ Specifies that the copy of the packet should be   │ ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can │
       │           │ sent to a new gateway.                            │ use a mapping, e.g. ip saddr map { 192.168.1.2 :  │
       │           │                                                   │ 10.1.1.1 }                                        │
       ├───────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┤
       │device     │ Specifies that the copy should be transmitted via │ string                                            │
       │           │ device.                                           │                                                   │
       └───────────┴───────────────────────────────────────────────────┴───────────────────────────────────────────────────┘
       Using the dup statement.
...
           # copy raw frame to another interface
           netdev ingress dup to "eth0"
           dup to "eth0"

Thanks for the answer. Still the same error:

In file included from /dev/stdin:248:3-54:
/etc/custom-fw-rules/multicast_repeat.nft:1:63-77: Error: unsupported family
ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to "br-iot" notrack comment "!fw4: Repeat-mDNS-LAN-IOT"

It looks like the kernel might not be built with CONFIG_NFT_DUP_IPV4.

Oh no! Can't I enable it at runtime even if that is the case? I realized that the same build config file also has # CONFIG_NF_CONNTRACK is not set, but I have conntrack without a custom build 🙂
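As an added example (not code from the thread or from OpenWrt), a small POSIX shell pre-flight check that recognises the "unsupported family" error nft printed above and looks up, in a kernel config file, whether the dup backend for a table family is built, so a dup-based include can be gated before fw4 reloads. It assumes the kernel symbols NFT_DUP_IPV4, NFT_DUP_IPV6 and NFT_DUP_NETDEV back dup for the ip, ip6 and netdev families and reports any other family as having no known backend; the error text is a constructed copy of the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check for an fw4 include that
# uses "dup": recognise nft's "unsupported family" error and look up whether a
# kernel config enables the dup backend for a given table family.
# Assumption: dup backends are NFT_DUP_IPV4 (ip), NFT_DUP_IPV6 (ip6) and
# NFT_DUP_NETDEV (netdev); any other family is reported as having no known one.

# Constructed copy of the error shown in the thread, used as sample input.
SAMPLE_ERR='In file included from /dev/stdin:248:3-54:
/etc/custom-fw-rules/multicast_repeat.nft:1:63-77: Error: unsupported family
ip daddr 224.0.0.251 iifname "br-lan" ip saddr != 192.168.1.1 dup to "br-iot" notrack comment "!fw4: Repeat-mDNS-LAN-IOT"'

# Print "file:line" of the rule if $1 is the dup "unsupported family" error,
# otherwise print nothing and return 1.
dup_family_error_location() {
    printf '%s\n' "$1" | awk '
        /: Error: unsupported family$/ { split($1, p, ":"); loc = p[1] ":" p[2]; next }
        loc != "" && / dup to / { print loc; found = 1; exit }
        END { exit !found }'
}

# Kernel config symbol providing "dup" for an nftables table family.
dup_kconfig_symbol() {
    case "$1" in
        ip)     echo NFT_DUP_IPV4 ;;
        ip6)    echo NFT_DUP_IPV6 ;;
        netdev) echo NFT_DUP_NETDEV ;;
        *)      return 1 ;;
    esac
}

# Return 0 if config file $2 has CONFIG_$1 built in (=y) or as a module (=m).
# "# CONFIG_X is not set" lines, like the CONFIG_NF_CONNTRACK one quoted above,
# therefore count as disabled. On a live box feed it "zcat /proc/config.gz".
kconfig_enabled() {
    grep -Eq "^CONFIG_$1=[ym]$" "$2"
}

# Verdict for one family against one kernel config file: 0 = dup should work.
check_dup_support() {
    sym=$(dup_kconfig_symbol "$1") || { echo "no known dup backend for family '$1'"; return 1; }
    if kconfig_enabled "$sym" "$2"; then
        echo "CONFIG_$sym enabled: dup should work for family $1"
    else
        echo "CONFIG_$sym not enabled: dup will fail for family $1 until the kernel is rebuilt"
        return 1
    fi
}

dup_family_error_location "$SAMPLE_ERR"   # prints /etc/custom-fw-rules/multicast_repeat.nft:1
```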

I was trying to accomplish the same as @kmotoko, relaying mDNS traffic between VLANs for Google Home speaker discovery. I got the same error message. I assume that as of now the only way to achieve it this way is by recompiling the kernel?
Is it possible to include nftables "dup" support via a kernel module in the future?

Hi, has anyone found a solution to use dup?

More on this here: OpenWrt 22.03 build - kernel modules compiling BUT missing in install image