Help creating Nftables tables

I'm trying to create nftables tables with the commands I'll put below. I just wanted to know how I can keep them in OpenWrt, because when I restart the router they disappear. I'm a layman on the subject, but it's just for study purposes, and I still haven't found a solution. Thank you all in advance.

#Create a table again
nft add table inet gaming

#Add chains with high priority (braces and ";" quoted so the shell passes them to nft instead of splitting the command)
nft add chain inet gaming input_high_priority '{ type filter hook input priority 1; }'
nft add chain inet gaming output_high_priority '{ type filter hook output priority 1; }'

#Add top priority rules with packet marking
nft add rule inet gaming input_high_priority udp dport 3074 meta mark set 0x1 accept
nft add rule inet gaming input_high_priority tcp dport 3074 meta mark set 0x1 accept
nft add rule inet gaming output_high_priority udp sport 3074 meta mark set 0x2 accept
nft add rule inet gaming output_high_priority tcp sport 3074 meta mark set 0x2 accept

#Add default priority chains
nft add chain inet gaming input '{ type filter hook input priority 0; }'
nft add chain inet gaming output '{ type filter hook output priority 0; }'
nft add chain inet gaming forward '{ type filter hook forward priority 0; }'

There should be something more, changing meta mark to priority:
https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority
Are you sure you posted full context?

Also please format non-markdown with 3 backticks ``` because comment in your original turns into paragraph title in markdown.


.... and use English.


Translate:

# create new table
# add high priority chains
# add maximum priority rules with packet marking
# add normal priority chains

Those rules are slightly off. They do not prioritize traffic.
You can insert fragments inside table inet fw4 by placing fragments in /etc/nftables.d/aleatorio.nft files


I already made the correction, but I wanted to know: when I type these commands over SSH they are added to the fw, but if I restart the router these rules are practically deleted.

But they do nothing, just slow down your gaming traffic due to per-packet inspection and meta setup....
I'll get back to you later from a PC; it is not very easy to type correct nftables segments on mobile.


Yes, I understand that they are wrong, but it's just to learn.

Oki, main idea is to create fragments under table inet fw4 in place of gaming.
See here for inspirations. https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables yours looks like translated from iptables-save.


I'm from Brazil, I don't understand English very much, lol

If it helps I can write a copy in Spanish :slight_smile: But I will write in simplified English unless you say you do not understand completely.


Yours would be of great help.

use https://translate.google.com/


I've been trying to configure my router for games for some time now, but I always fail, I used sqm, but I never got a good result, I know there are variables to manipulate openwrt which is a very powerful tool. But here in Brazil, few people have this knowledge.


Yes, I'm going to start using it, it's just that sometimes I forget that there is this type of translation, and I use the first translator in the search lol.

You need to change the qdisc to something with priorities like pfifo_fast or sfq


You could do remote access here, and configure some things, I would look and I would already have an idea

Does not work like that....


unfortunately I will be sailing adrift again

Your table will look like this:

table inet gaming {
	chain input_high_priority {
		type filter hook input priority filter + 1; policy accept;
		udp dport 3074 meta mark set 0x00000001 accept
		tcp dport 3074 meta mark set 0x00000001 accept
	}

	chain output_high_priority {
		type filter hook output priority filter + 1; policy accept;
		udp sport 3074 meta mark set 0x00000002 accept
		tcp sport 3074 meta mark set 0x00000002 accept
	}

	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}
}

Let us remove default chains:

table inet gaming {
	chain input_high_priority {
		type filter hook input priority filter + 1; policy accept;
		udp dport 3074 meta mark set 0x00000001 accept
		tcp dport 3074 meta mark set 0x00000001 accept
	}

	chain output_high_priority {
		type filter hook output priority filter + 1; policy accept;
		udp sport 3074 meta mark set 0x00000002 accept
		tcp sport 3074 meta mark set 0x00000002 accept
	}
}

Now let's reduce it to a fragment to insert into the inet fw4 table:

	chain input_high_priority {
		type filter hook input priority filter + 1; policy accept;
		udp dport 3074 meta mark set 0x00000001 accept
		tcp dport 3074 meta mark set 0x00000001 accept
	}

	chain output_high_priority {
		type filter hook output priority filter + 1; policy accept;
		udp sport 3074 meta mark set 0x00000002 accept
		tcp sport 3074 meta mark set 0x00000002 accept
	}

Now save last fragment as /etc/nftables.d/juego.nft and packets will be marked.
fw4 check - verify that rules are correct
service firewall restart - activate rules

You can observe marking activity with conntrack -E

I think you need to set "priority" not "mark" but if you show origin of your rules we may be able to transport good idea to nftables.

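The fragment-and-reload procedure above as a small POSIX shell script, added here as an example and not code from the thread or from OpenWrt: it generates the two marking chains for a given port, validates the port before writing it into the ruleset file, and then runs fw4 check and service firewall restart. The function names (gaming_fragment, valid_port, install_fragment) are my own; the path /etc/nftables.d/juego.nft is the one from the reply.

```shell
#!/bin/sh
# Added example: build and install an fw4 fragment that marks game traffic.
# Assumes an OpenWrt router with fw4 (/etc/nftables.d is its include directory).

# Accept only a decimal port in 1..65535, so nothing else can be written
# into the ruleset file through this parameter.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the chain fragment for one port. Both chains are base chains at
# "priority filter + 1", so they run AFTER fw4's own input/output chains at
# priority filter: anything fw4 drops or rejects never reaches these rules.
gaming_fragment() {
    port="$1"            # game port, e.g. 3074 as in the thread
    in_mark="${2:-0x1}"  # mark for inbound packets
    out_mark="${3:-0x2}" # mark for outbound packets
    cat <<EOF
chain input_high_priority {
    type filter hook input priority filter + 1; policy accept;
    udp dport $port meta mark set $in_mark accept
    tcp dport $port meta mark set $in_mark accept
}

chain output_high_priority {
    type filter hook output priority filter + 1; policy accept;
    udp sport $port meta mark set $out_mark accept
    tcp sport $port meta mark set $out_mark accept
}
EOF
}

# Write the fragment, validate the whole ruleset with fw4, then reload.
# Run this as root on the router; it is not called during the test.
install_fragment() {
    port="$1"
    target="/etc/nftables.d/juego.nft"   # file name from the reply; any *.nft works
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    gaming_fragment "$port" > "$target"
    # fw4 check parses the fw4 table plus all fragments without loading them
    if ! fw4 check; then
        echo "fragment rejected by fw4 check, removing $target" >&2
        rm -f "$target"
        return 1
    fi
    service firewall restart
}
```

After the restart, "nft list table inet fw4" shows the two chains inside fw4's table, and conntrack -E shows the mark on matching flows.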