Help creating Nftables tables

Rafumfps · June 19, 2024, 1:24pm

I'm trying to create nftables tables with the commands I'll put below, I just wanted to know how I can keep them in openwrt, because when I restart the router they disappear, I'm a layman on the subject, but it's just for study purposes, and I still don't I found a solution, thank you all in advance.

#Create a table again
nft add table inet games

#Add strings with high priority
nft add chain inet gaming input_high_priority {type filter hook input priority 1; }
nft add chain inet gaming output_high_priority { type filter hook output priority 1 ; }

#Add top priority rules with packet marking
nft add rule inet gaming input_high_priority udp dport 3074 meta mark set 0x1 accept
nft add rule inet gaming input_high_priority tcp dport 3074 meta mark set 0x1 accept
nft add rule inet gaming output_high_priority udp sport 3074 meta mark set 0x2 accept
nft add rule inet gaming output_high_priority tcp sport 3074 meta mark set 0x2 accept

#Add default priority chains
nft add chain inet gaming input {type filter hook input priority 0; }
nft add chain inet gaming output { type filter hook output priority 0 ; }
nft add chain inet gaming forward { type filter hook forward priority 0 ; }

brada4 · June 19, 2024, 1:36pm

There should be something more changing meta mark to priority
https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority
Are you sure you posted full context?

Also please format non-markdown with 3 backticks ``` because comment in your original turns into paragraph title in markdown.

frollic · June 19, 2024, 1:37pm

.... and use english.

brada4 · June 19, 2024, 1:41pm

Translate:

# create new table
# add high priority chains
# add maximum priority rules with packet marking
# add normal priority chains

brada4 · June 19, 2024, 1:46pm

Those rules are slightly off. They do not prioritize traffic.
You can insert fragments inside table inet fw4 by placing fragments in /etc/nftables.d/aleatorio.nft files

Rafumfps · June 19, 2024, 1:46pm

I already made the correction, but I wanted to know when I type these commands in ssh they are added to the fw, but if I restart the router these rules are practically deleted.

brada4 · June 19, 2024, 1:48pm

But they do nothing, just slow down your gaming traffic due to per-packet inspection and meta setup....
Ill get back to you later from PC, not very easy to type correct nftable segments with mobile.

Rafumfps · June 19, 2024, 1:49pm

Yes, I understand that they are wrong, but it's just to learn.

brada4 · June 19, 2024, 1:50pm

Oki, main idea is to create fragments under table inet fw4 in place of gaming.
See here for inspirations. https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables yours looks like translated from iptables-save.

Rafumfps · June 19, 2024, 1:50pm

I'm from Brazil, I don't understand English very much, lol

brada4 · June 19, 2024, 1:52pm

Si te ayuda puedo escribir una copia en Español But i will write in simplified English unless you say you do not understand completely.

Rafumfps · June 19, 2024, 1:53pm

ours would be of great help.

frollic · June 19, 2024, 1:54pm

use https://translate.google.com/

Rafumfps · June 19, 2024, 1:59pm

I've been trying to configure my router for games for some time now, but I always fail, I used sqm, but I never got a good result, I know there are variables to manipulate openwrt which is a very powerful tool. But here in Brazil, few people have this knowledge.

Rafumfps · June 19, 2024, 2:04pm

Yes, I'm going to start using it, it's just that sometimes I forget that there is this type of translation, and I use the first translator in the search lol.

brada4 · June 19, 2024, 2:09pm

You need to change qdisc to something with priorites like pfifo_fast or sfq

Rafumfps · June 19, 2024, 2:22pm

You could do remote access here, and configure some things, I would look and I would already have an idea

brada4 · June 19, 2024, 2:24pm

Does not work like that....

Rafumfps · June 19, 2024, 2:30pm

unfortunately I will be sailing adrift again

brada4 · June 19, 2024, 2:33pm

Your table will look like this:

table inet gaming {
	chain input_high_priority {
		type filter hook input priority filter + 1; policy accept;
		udp dport 3074 meta mark set 0x00000001 accept
		tcp dport 3074 meta mark set 0x00000001 accept
	}

	chain output_high_priority {
		type filter hook output priority filter + 1; policy accept;
		udp sport 3074 meta mark set 0x00000002 accept
		tcp sport 3074 meta mark set 0x00000002 accept
	}

	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}
}

Let us remove default chains:

table inet gaming {
	chain input_high_priority {
		type filter hook input priority filter + 1; policy accept;
		udp dport 3074 meta mark set 0x00000001 accept
		tcp dport 3074 meta mark set 0x00000001 accept
	}

	chain output_high_priority {
		type filter hook output priority filter + 1; policy accept;
		udp sport 3074 meta mark set 0x00000002 accept
		tcp sport 3074 meta mark set 0x00000002 accept
	}
}

Now lets reduce to a fragment to insert into inet fw4 table:


	chain input_high_priority {
		type filter hook input priority filter + 1; policy accept;
		udp dport 3074 meta mark set 0x00000001 accept
		tcp dport 3074 meta mark set 0x00000001 accept
	}

	chain output_high_priority {
		type filter hook output priority filter + 1; policy accept;
		udp sport 3074 meta mark set 0x00000002 accept
		tcp sport 3074 meta mark set 0x00000002 accept
	}

Now save last fragment as /etc/nftables.d/juego.nft and packets will be marked.
fw4 check - verify that rules are correct
service firewall restart - activate rules

You can observe marking activity with conntrack -E

I think you need to set "priority" not "mark" but if you show origin of your rules we may be able to transport good idea to nftables.