Firewall4 / NFtables Tips and Tricks

If the content of that file is changed rarely enough non-atomicity is probably not going to be a big issue... the directory hierarchy thing sounds like for intermediate complexity configurations, but for simple quick and dirty testing having something with the same simplicity as firewall.user would be great (if need be that could be included at a fixed position).

Sorry if this question isn't constructive, but does SQM and Luci work with nftables yet? My WRT32X has a 50 day uptime on a master snapshot and it's been flawless, don't want to ruin my uptime until it's working :smiley:

EDIT: now I see this post, looks like not working yet: Firewall4 / NFtables Tips and Tricks - #26 by anomeome

So if you use a script like piece_of_cake.qos which does not use iptables, SQM will not care. The bigger problem is that currently iptables in in the dependencies of sqm (which you might overcome if you force the install or install it manually). Simple.qos actually uses iptables/ip6tables, but might/should work wit iptables-ft as well (although I have not tested that).

The work to straighten up the iptables / nftables / tc / iproute2 dependencies is still ongoing (but has started to some extent), as well as @tohojo's PR for SQM dependencies.

I am currently building with OpenWrt PR 5004 and 5007 plus packages PR 17671, and the dependencies do not take the old leagcy ipconfig into the build at all. And @jow has made a Luci PR 5652 for a firewall status page in LuCI.

(Including all those has removed dependency warnings from my build.)

Seems that the simple.qos will not work yet work regarding the DSCP classification, but seems to work for the main functionality. And like @moeller0 said, the cake script does not need that feature.

2 Likes

Thanks for the detailed reply, appreciate your efforts.

Been using SQM cake, piece_of_cake.qos on a 12/15/21 master snapshot. Mainly it's just the way I knew to get A+ bufferbloat/A+ quality with my 500/35Mbit cable modem (on WRT32X). Maybe better options are there, but regardless, I'll be patient and wait until nftables work is complete, things are perfectly stable right now.

A little OT here, but have you looked at the SQM-autorate project? CAKE /w Adaptive Bandwidth

3 Likes

As I reported previously here, I upgraded from firewall (iptables) to firewall4 (nftables) and it did not work.

Basically after the upgrade (preserving settings) firewall did not start, causing all devices in the network to lose Internet connectivity. At that moment I did not have time to further investigate the issue, and I rolled back to iptables.

Well, today I have some spare time and I decided to further investigate the issue. The root cause is actually two configurations in my previous firewall configuration file that broke firewall4:

  1. Some months ago I replaced my OpenVPN server by Wireguard. The following configuration was a leftover fromOpenVPN server. While it did not affect the original firewall, it does break firewall4 and causes its failure:
config zone 'lan'
	(...)
	list device 'tun+'
	(...)
  1. My router (Archer C6 v3.2) is an mt7621 device. I was using Hardware flow offload. However the current firewall4 does not support this configuration, and adding option flow_offloading_hw '1' to the /etc/config/firewall file causes firewall4 to stop working:
config defaults
	(...)
	option flow_offloading_hw '1'
	(...)

Error when using this configuration:

root@ap1-router:/etc/config# fw4 restart
/proc/self/fd/0:9:12-13: Error: Could not process rule: Not supported

/proc/self/fd/0:54:29-44: Error: Could not process rule: No such file or directory

Is there already a topic in the Developers section where I can report this?

I have a very basic firewall config, only a few port forwards, and I lose internet access pretty quickly after making only some very basic settings changes.

i have the following packages installed (I am not using SQM but it's installed). Could it be an issue with SQM being installed even though I'm not using it?

Here is a list of the packages.

curl
ddns-scripts
ddns-scripts-services
luci-app-ddns
irqbalance
openssh-sftp-server
6to4
openvpn-openssl
luci-app-openvpn
htop
luci-app-sqm

1 Like

I've noticed that saving and applying changes in LuCI doesn't work if I don't restart the firewall service. Some rules don't work either.

This rule does work:

config rule
        option name 'AdGuardHome para invitados'
        option src 'invitados'
        option dest 'lan'
        list dest_ip '192.168.1.11'
        option dest_port '53'
        option target 'ACCEPT'

But not this one:

config rule
        option name 'Bloquear servidores DNS externos en invitados'
        option src 'invitados'
        option dest 'wan'
        option dest_port '53 853'
        option target 'DROP'

In fact HW flow offloading is due to nftables:

root@openwrt:~# nft -f fw4.conf
fw4.conf:9:12-13: Error: Could not process rule: Not supported
flowtable ft {
          ^^

Fixed with

Fixed with

5 Likes

hello do you mean i can enable the hwo with sqm enabled see qosify which is ebpf+cake? I have a gigabit connection in 1 month it would be really nice to be able to combine the two

forgive me if I'm wrong but using firewall 4 with nftables enables hw offloading with sqm is that fair? thank you

Does anyone having issues with firewall4 and udp. I've wireguard and openvpn installed on the router both configured to listen udp also there is a rule allowing openvpn and wireguard udp ports, after moving to firewall4 nothing can connect to router via udp port, changed openvpn to listen on tcp and it worked.

@ivanich @Dopam-IT_1987 @castillofrancodamian @vw-owrt @dsouza

I'm super happy to see all the firewall4/nftables discussions picking up momentum (!!!), but I would humbly ask if you are experiencing firewall4/nftables issues, you might consider opening a new thread for your issue.

This thread was originally intended for members of the community to share helpful tips and hints for those new to firewall4 and nftables.

Thanks for understanding! :slight_smile:

4 Likes

@ivanich - Wireguard on udp here without issue. I am running a snapshot I built today wherein this fix is applied. The fact that your experiencing differences tcp vs udp suggests that issue is not affecting you.

1 Like

I updated this morning, so have the latest changes and my UDP/53 port to allow inbound DNS traffic is no longer working, but the TCP/53 rule works fine, which sounds very similar to your wireguard/openvpn issue

I can't for the life of me figure out what's wrong, I'm not seeing any matches on the udp rule, but I don't see traffic being dropped with logging enabled either...

Actually, I think for some reason the traffic is being forwarded to an internal host....

So in my case, I had the below rule in /etc/config/firewall to forward both tcp and udp 60002 to the internal host

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.1.2'
        option dest_port '60002'
        option src_dport '60002'

fw4 translated it to the below, it got the tcp rule right, but the udp rule is missing a port number so all udp traffic was forwarded to the internal host. I've worked around the issue by having separate rules for tcp and udp and as a bonus, nft makes a little more sense than it did this time yesterday :slight_smile:

 meta nfproto ipv4 tcp dport 60002 counter packets 9 bytes 476 dnat ip to 192.168.1.2:60002 
 meta nfproto ipv4 meta l4proto udp counter packets 12 bytes 1538 dnat ip to 192.168.1.2 
2 Likes

Can't reproduce it using test cases, but maybe there's another bug lurking there. Which target/device do you run OpenWrt on exactly?

@jow @noblem @darksky

Just another friendly request for moving issue discussion to separate threads, please :slight_smile: Would be great to get this topic back to its original intent. Thanks!

Done and sorry :slight_smile:

In the spirit of the original subject, hopefully the below will be of use to anyone new to nft and trying to do a bit of troubleshooting...

  • nft list tables This ones is pretty self explanatory and most people will only have table inet fw4, unless rules have also been added via iptables-nft
  • nft list table inet fw4 Lists everything in a given table
  • nft list ruleset Similar to the above, but lists everything
  • nft list chain inet fw4 dstnat_wan Lists the contents of a specific chain within the table

It's not quite as obvious as iptables, at least to me, but a lot of chains have counters which show packets/bytes matched, but only if they've been added with a counter. Logging also works, at least on the WAN side, by adding option log '0' to the wan zone in the firewall config file, which might help anyone trying to debug issues

Finally

  • nft add rule inet fw4 input udp dport 53 counter accept Adds a rule, however it's appended to the end of the chain
  • nft add rule inet fw4 input position 10 udp dport 53 counter accept Adds the same rule, but after the the one in position 10 (Adding -a to the list commands gives you the handle/position)
  • nft delete rule inet fw4 input handle 108 Delete a rule with the given handle, which seems to be the only way to delete a rule via nft
4 Likes