Help creating Nftables tables

I will configure it here

Holding my breath, fingers crossed :wink:

I think you need to replace meta mark set 1 with meta priority set 0xef, to throw game traffic into the internet telephony class.

1 Like

I'm sorry, but I couldn't, because when I do this my firewall no longer works, I don't know if I'm following the right steps.

Delete file you created.

Copy / paste command:

cat > /etc/nftables.d/juegos.nft << EOF
    chain input_high_priority {
        type filter hook input priority filter + 1; policy accept;
        udp dport 3074 meta mark set 0x00000001 accept
        tcp dport 3074 meta mark set 0x00000001 accept
    }

    chain output_high_priority {
        type filter hook output priority filter + 1; policy accept;
        udp sport 3074 meta mark set 0x00000002 accept
        tcp sport 3074 meta mark set 0x00000002 accept
    }
EOF

Then:

fw4 check
service firewall restart
1 Like

root@OpenWrt:~# fw4 check
Ruleset passes nftables check.
root@OpenWrt:~#

So there is no need to create another INET area; you can apply it directly to the INET FW4 in this mode.

1 Like

Yes, exactly, to extend the existing table.

1 Like

Thank you very much, this is already a great starting point for me.

You can learn "variables" with lists of interfaces via fw4 print

Or prepend your rules to existing "hook" tables by repeating the default hook configuration:

chain mangle_postrouting {
    type filter hook postrouting priority mangle; policy accept;
    oif $wan_devices tcp flags syn / syn,ack,rst tcp option maxseg size set rt mtu
}
1 Like

Right now I'm playing with doors, prioritizing each one of them.

You are not playing with doors (puertas) :door:
(he is experimenting with PORTS)

2 Likes

It seems to me that you are misunderstanding priority in this context. It has nothing to do with giving packets special treatment, but merely dictates the order in which the rules are applied to packets as they pass through nftables: raw happens before mangle happens before filter happens before filter+1...

See https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook

2 Likes

Yes, I'm saying the same; I suspect one intends to set priority, not flags.

1 Like

Yeah, this bit in his original post led me to believe that speeding things up was the goal of the experiments, in which case experimenting with tc (traffic control) would be much more productive than playing with the firewall.

1 Like

Honestly, I think it is mangle_prerouting ... ct state established .. tcpudp ... th port 1234.... set priority 0xef

1 Like

I've done this so far; I don't know if it's right, but I'm testing it to learn.

    # These chains are included into table inet fw4 from /etc/nftables.d/.
    # The input hook only sees packets delivered to the router itself and
    # the output hook only packets the router originates; forwarded traffic
    # goes through prerouting/forward/postrouting instead.
    chain input_high_priority {
        type filter hook input priority filter + 1; policy accept;
        iifname "pppoe-wan" udp dport 3074 meta mark set 0x00000001 ip dscp set ef accept
        iifname "pppoe-wan" tcp dport 3074 meta mark set 0x00000001 ip dscp set ef accept
    }

    chain output_high_priority {
        type filter hook output priority filter + 1; policy accept;
        oifname "pppoe-wan" udp sport 3074 meta mark set 0x00000002 ip dscp set ef accept
        oifname "pppoe-wan" tcp sport 3074 meta mark set 0x00000002 ip dscp set ef accept
    }

    # input_dns_priority and http_priority share priority filter + 2 on the
    # same hook, so their relative order is undefined (same for the two
    # output chains below).
    chain input_dns_priority {
        type filter hook input priority filter + 2; policy accept;
        iifname "pppoe-wan" udp dport 53 meta mark set 0x00000003 ip dscp set cs1 accept
        iifname "pppoe-wan" tcp dport 53 meta mark set 0x00000003 ip dscp set cs1 accept
    }

    chain output_dns_priority {
        type filter hook output priority filter + 2; policy accept;
        oifname "pppoe-wan" udp sport 53 meta mark set 0x00000004 ip dscp set cs1 accept
        oifname "pppoe-wan" tcp sport 53 meta mark set 0x00000004 ip dscp set cs1 accept
    }

    chain http_priority {
        type filter hook input priority filter + 2; policy accept;
        iifname "pppoe-wan" udp dport 443 meta mark set 0x00000005 ip dscp set cs1 accept
        iifname "pppoe-wan" tcp dport 443 meta mark set 0x00000005 ip dscp set cs1 accept
    }

    chain http_priority_output {
        type filter hook output priority filter + 2; policy accept;
        oifname "pppoe-wan" udp sport 443 meta mark set 0x00000006 ip dscp set cs1 accept
        oifname "pppoe-wan" tcp sport 443 meta mark set 0x00000006 ip dscp set cs1 accept
    }




The hard part is that there are no tutorials to teach you how to do this, if you have something please share it with us.
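
An added example, not code from this thread, from fw4 or from nftables, that makes the earlier point about priority concrete: it resolves the symbolic priorities from nft(8) (raw, mangle, filter, filter + 1, ...) and lists, per hook, the order in which base chains run, using the chain headers posted above as a constructed sample. The fw4 "input" chain at priority filter with policy drop is an assumption about the default fw4 table. It also reports chains that share a hook and priority (the dns and 443 chains above, whose mutual order is therefore undefined) and chains on the input/output hooks, which never see traffic the router forwards for LAN hosts.

```python
"""Resolve nftables hook priorities and show base-chain evaluation order.

Added example for this thread; not code from the posts, fw4 or nftables.
SAMPLE_RULESET is constructed from the chain headers posted above plus an
assumed fw4 'input' chain (priority filter, policy drop).
"""
import re
from collections import defaultdict

# Symbolic priority names from nft(8), "Standard priority names".
# A lower value runs earlier on the same hook.
PRIORITY_NAMES = {
    "raw": -300, "mangle": -150, "dstnat": -100,
    "filter": 0, "security": 50, "srcnat": 100,
}

_PRIO_RE = re.compile(r"(-?\d+|[a-z]+)\s*(?:([+-])\s*(\d+))?")
_CHAIN_RE = re.compile(
    r"chain\s+(\w+)\s*\{\s*type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+([^;]+);")

# Constructed sample: chain headers from the thread (rules trimmed to one
# each) plus the assumed fw4 input chain.
SAMPLE_RULESET = """
chain input {
    type filter hook input priority filter; policy drop;   # assumed fw4 chain
}
chain input_high_priority {
    type filter hook input priority filter + 1; policy accept;
    iifname "pppoe-wan" udp dport 3074 meta mark set 0x00000001 ip dscp set ef accept
}
chain output_high_priority {
    type filter hook output priority filter + 1; policy accept;
    oifname "pppoe-wan" udp sport 3074 meta mark set 0x00000002 ip dscp set ef accept
}
chain input_dns_priority {
    type filter hook input priority filter + 2; policy accept;
    iifname "pppoe-wan" udp dport 53 meta mark set 0x00000003 ip dscp set cs1 accept
}
chain output_dns_priority {
    type filter hook output priority filter + 2; policy accept;
    oifname "pppoe-wan" udp sport 53 meta mark set 0x00000004 ip dscp set cs1 accept
}
chain http_priority {
    type filter hook input priority filter + 2; policy accept;
    iifname "pppoe-wan" tcp dport 443 meta mark set 0x00000005 ip dscp set cs1 accept
}
chain http_priority_output {
    type filter hook output priority filter + 2; policy accept;
    oifname "pppoe-wan" tcp sport 443 meta mark set 0x00000006 ip dscp set cs1 accept
}
chain mangle_postrouting {
    type filter hook postrouting priority mangle; policy accept;
}
"""


def resolve_priority(expr: str) -> int:
    """'filter + 1' -> 1, 'mangle' -> -150, '-300' -> -300."""
    m = _PRIO_RE.fullmatch(expr.strip())
    if not m:
        raise ValueError(f"unrecognised priority expression: {expr!r}")
    base, sign, offset = m.groups()
    if re.fullmatch(r"-?\d+", base):
        value = int(base)
    elif base in PRIORITY_NAMES:
        value = PRIORITY_NAMES[base]
    else:
        raise ValueError(f"unknown priority name: {base!r}")
    if sign:
        value += int(offset) if sign == "+" else -int(offset)
    return value


def parse_base_chains(ruleset: str) -> list:
    """Base chains (those with a 'type ... hook ...' line) as dicts."""
    chains = []
    for m in _CHAIN_RE.finditer(ruleset):
        name, ctype, hook, prio = m.groups()
        chains.append({"name": name, "type": ctype, "hook": hook,
                       "priority": resolve_priority(prio)})
    return chains


def evaluation_order(ruleset: str) -> dict:
    """hook -> [(priority, chain)] in the order the kernel runs them.

    'accept' in an earlier base chain ends that chain only; later base
    chains on the same hook still run and may still drop the packet.
    """
    by_hook = defaultdict(list)
    for c in parse_base_chains(ruleset):
        by_hook[c["hook"]].append((c["priority"], c["name"]))
    return {hook: sorted(entries) for hook, entries in by_hook.items()}


def priority_collisions(ruleset: str) -> dict:
    """(hook, priority) -> chain names, for pairs with more than one chain.
    Their relative order is undefined, which matters if one of them drops."""
    seen = defaultdict(list)
    for c in parse_base_chains(ruleset):
        seen[(c["hook"], c["priority"])].append(c["name"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def local_only_chains(ruleset: str) -> list:
    """Chains on the input/output hooks: they see only packets delivered to
    or originated by the router, never traffic forwarded for LAN hosts."""
    return [c["name"] for c in parse_base_chains(ruleset)
            if c["hook"] in ("input", "output")]


if __name__ == "__main__":
    for hook, entries in evaluation_order(SAMPLE_RULESET).items():
        print(hook, "->", " , ".join(f"{n}@{p}" for p, n in entries))
    print("same hook+priority:", priority_collisions(SAMPLE_RULESET))
    print("router-local only:", local_only_chains(SAMPLE_RULESET))
```

Run it against `nft list ruleset` output from the router instead of the constructed sample to see the real order; the numbers confirm that "filter + 2" merely runs after fw4's own input chain, so any packet fw4 drops at priority 0 never reaches the dscp rules at all.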

You can classify in tc too; iptables is good if it is easy to qualify....

1 Like

I have to install the iptables packages for this, but that could mess up the whole fw.

Hi Manito, I'm leaving you this post that may interest you; it is a very simple script to install, designed for games.

1 Like