Help me update my HFSC shaper scripts for fw4/nftables

Several people have asked about updating the SimpleHFSCGamerScript stuff from

The main issue is that the script uses iptables rules in dscptag.sh, which need to be translated to nftables, and we need to figure out how to hook that into fw4.

What I need to know is where do we put the nft scripts so the firewall will pick them up? And then I need some volunteers to test, because I don't have any OpenWrt devices to test with!

@Lynx has been fiddling with nftables stuff recently, maybe he can suggest how to hook into the fw4. Then please say hi anyone who is interested in testing!

Let's go!

notices to @di_Niko and @dave14305 and @segal_72 and whoever else might be interested...

Hello Daniel,
From what I could see by viewing scripts on the forum based on nftables, they seem to reside in the root folder; ./xxxx.sh will set up the rules in fw4. Can others confirm this?

I think there are some include folders? something like /etc/fw4/... or something like that. I don't have any OpenWrt devices to look!

In any case I am writing a direct translation of the dscptag.sh rules at the moment... will post when it's ready for basic testing.

I think @elan will be able to bring beneficial and constructive answers for the update Script.

Ok, I've pushed a new file dscptag.nft into the devel branch of my repository linked above. I haven't checked it for syntax errors or anything... so if someone could test it out, make some effort to figure out if there are some obvious typos or bugs, etc. and report back, it'd help.

I think to install it you need to put the file in /etc/nftables.d/ then reload the firewall... you'll likely get errors, almost 100% guaranteed at this point.

When the next 22.03 rc or final is released, or latest snapshot, firewall4 will recognize includes under /usr/share/nftables.d/ with a location subdirectory. Since you want to add a new table, you would place the include in /usr/share/nftables.d/ruleset-post/ so it comes after the default table inet fw4.

If you want to test right now with 22.03-rc6, you have to specify an include in /etc/config/firewall:

config include
  option type nftables
  option path /etc/dscptag.nft
  option position ruleset-append

And does it handle entire table includes, or just individual chains in an existing table? Because I'm writing this like it's a separate table entirely...

Using the syntax I gave, it will add your include AFTER the fw4 table definition is closed.

Thanks @dlakelan @dave14305

I'm using the latest snapshot, and when placing the file in /usr/share/nftables.d/ nftables does not recognize it automatically, so I used the latest advice and moved the file to /etc with an include string in firewall.

the output is:

root@OpenWrt:/usr/share/nftables.d# service firewall restart
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
root@OpenWrt:/usr/share/nftables.d# service firewall restart
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:2:1-11: Error: syntax error, unexpected string
udpbulkport = {51413}
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:3:1-11: Error: syntax error, unexpected string
tcpbulkport = {51413,6881-6889}
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:4:1-12: Error: syntax error, unexpected string
vidconfports = {10000,3478:3479,8801:8802,19302:19309,5938,53}
^^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:5:1-9: Error: syntax error, unexpected string
realtime4 = {192.168.1.55} # example, just add all your game console here
^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:6:1-9: Error: syntax error, unexpected string
realtime6 = {fd90::129a} ## example only replace with game console
^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:7:1-11: Error: syntax error, unexpected string
lowpriolan4 = {192.168.1.100} # example, add your low priority lan machines here
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:8:1-11: Error: syntax error, unexpected string
lowpriolan6 = {fd90::129a} ## example, add your low priority lan ipv6 PUBLIC addr here
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:10:1-7: Error: syntax error, unexpected string
ackrate = 300
^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:12:1-8: Error: syntax error, unexpected string
downrate = 850000 # kbits/sec ... CHANGE ME
^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:13:1-6: Error: syntax error, unexpected string
uprate = 855000 # kbits/sec ... CHANGE ME
^^^^^^

Unfortunately for me it's not clear where the typo is..

Try adding define before each variable at the top of the dscptag.nft file.

Do you still have an old firewall.user listed in /etc/config/firewall? That might cause the fw4_compatible warnings.

That basically depends on where you include it, see https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/usr/share/nftables.d/README for details.

# "table-pre" would be included here

table inet fw4 {
  # "ruleset-pre" would be included here

  chain input {
    type filter hook input priority filter; policy accept;
    # "chain-pre/input" would be included here
    iifname "lo" accept comment "!fw4: Accept traffic from loopback"
    ...other fw4 rules...
    # "chain-post/input" would be included here
  }

  ...other fw4 chains...

  chain mangle_forward {
    type filter hook forward priority mangle; policy accept;
    # "chain-pre/mangle_forward" would be included here
    ...fw4 rules...
    # "chain-post/mangle_forward" would be included here
  }

  # "ruleset-post" would be included here
}

# "table-post" would be included here

I'm on my way; sorry, maybe @segal_72 would be interested, he's trying to improve the connection all the time :wink: if you pass by.

Thanks @dave14305, I removed the old firewall.user and the message is gone, but the syntax errors are still there after adding define for the variables:

root@OpenWrt:/usr/share/nftables.d# service firewall restart
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:15:8-12: Error: syntax error, unexpected table, expecting string
define table inet dscptag {
       ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:21:12-13: Error: syntax error, unexpected ip
        ip ip dscp set cs0
           ^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:22:13-15: Error: syntax error, unexpected ip6
        ip6 ip6 dscp set cs0 
            ^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:24:12-16: Error: syntax error, unexpected string
        ip proto udp udp sport = $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:25:35-35: Error: syntax error, unexpected '='
        ip6 nexthdr udp udp sport = $udpbulkport ip6 dscp set cs1
                                  ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:27:12-16: Error: syntax error, unexpected string
        ip proto udp udp dport = $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:28:35-35: Error: syntax error, unexpected '='
        ip6 nexthdr udp udp dport = $udpbulkport ip6 dscp set cs1
                                  ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:30:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp sport = $tcpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:31:35-35: Error: syntax error, unexpected '='
        ip6 nexthdr tcp tcp sport = $tcpbulkport ip6 dscp set cs1
                                  ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:32:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp dport = $tcpbulkport ip dscp set cs1

Remove define from this line. Only the variables above it need it.

Thanks, this was a typo, removed the line already! :slight_smile:

Does it work now?

nft list ruleset

Nope, the syntax error is still there:

root@OpenWrt:~# service firewall restart
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:14:1-5: Error: syntax error, unexpected table
table inet dscptag {
^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:20:12-13: Error: syntax error, unexpected ip
       ip ip dscp set cs0
          ^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:21:13-15: Error: syntax error, unexpected ip6
       ip6 ip6 dscp set cs0 
           ^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:23:12-16: Error: syntax error, unexpected string
       ip proto udp udp sport = $udpbulkport ip dscp set cs1
          ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:24:35-35: Error: syntax error, unexpected '='
       ip6 nexthdr udp udp sport = $udpbulkport ip6 dscp set cs1
                                 ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:26:12-16: Error: syntax error, unexpected string
       ip proto udp udp dport = $udpbulkport ip dscp set cs1
          ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:27:35-35: Error: syntax error, unexpected '='
       ip6 nexthdr udp udp dport = $udpbulkport ip6 dscp set cs1
                                 ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:29:12-16: Error: syntax error, unexpected string
       ip proto tcp tcp sport = $tcpbulkport ip dscp set cs1
          ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:30:35-35: Error: syntax error, unexpected '='
       ip6 nexthdr tcp tcp sport = $tcpbulkport ip6 dscp set cs1
                                 ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:31:12-16: Error: syntax error, unexpected string
       ip proto tcp tcp dport = $tcpbulkport ip dscp set cs1

Maybe we are using the wrong table?
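The errors in the two logs above all point at syntax carried over from iptables rather than at the include position: every top-level variable needs `define` (and only the variables, not the table line), iptables-style `3478:3479` port ranges become `3478-3479` in nft sets, the doubled `ip ip dscp` / `ip6 ip6 dscp` collapses to a single `ip dscp` / `ip6 dscp`, `ip proto udp` is not an nft expression (`udp sport` already implies the protocol), and there is no `=` between a match and its value. The fragment below is a constructed example written for this thread, not the dscptag.nft from the repository; the set contents are the placeholder values from the log, and the choice of the forward hook at mangle priority (mirroring fw4's mangle_forward chain shown by @jow) is an assumption.

```nft
# Constructed example of a dscptag.nft that parses under nft (not the repository's file).
# Variables must be declared with "define" before the table; ranges use "-", not ":".
define udpbulkport = { 51413 }
define tcpbulkport = { 51413, 6881-6889 }
define vidconfports = { 10000, 3478-3479, 8801-8802, 19302-19309, 5938, 53 }
define realtime4 = { 192.168.1.55 }       # example only: game console IPv4
define realtime6 = { fd90::129a }         # example only: game console IPv6
define lowpriolan4 = { 192.168.1.100 }    # example only: low priority LAN IPv4
define lowpriolan6 = { fd90::129b }       # example only: low priority LAN IPv6

# A separate table, so it can be appended after "table inet fw4" via ruleset-append.
table inet dscptag {
    chain dscptag {
        # Hook and priority are assumptions for this example; each table hooks independently.
        type filter hook forward priority mangle; policy accept;

        # Reset any DSCP marking arriving from outside, one statement per address family.
        ip dscp set cs0
        ip6 dscp set cs0

        # Bulk ports: "udp sport"/"tcp sport" imply the transport protocol,
        # so there is no "ip proto ..." prefix and no "=" before the set.
        udp sport $udpbulkport ip dscp set cs1
        udp sport $udpbulkport ip6 dscp set cs1
        udp dport $udpbulkport ip dscp set cs1
        udp dport $udpbulkport ip6 dscp set cs1
        tcp sport $tcpbulkport ip dscp set cs1
        tcp sport $tcpbulkport ip6 dscp set cs1
        tcp dport $tcpbulkport ip dscp set cs1
        tcp dport $tcpbulkport ip6 dscp set cs1

        # Low priority LAN hosts, matched by address rather than port.
        ip saddr $lowpriolan4 ip dscp set cs1
        ip daddr $lowpriolan4 ip dscp set cs1
        ip6 saddr $lowpriolan6 ip6 dscp set cs1
        ip6 daddr $lowpriolan6 ip6 dscp set cs1
    }
}
```

Before restarting the firewall, run `nft -c -f /etc/dscptag.nft` on the file by itself; `-c` only checks the syntax without loading anything, so you get the parser's line and column for a stray `=` or `:` without the /dev/stdin:218 wrapper fw4 adds, and then wire it in with the `config include` stanza @dave14305 posted above.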

So based on @jow's post above I think our file should be included in table-post; perhaps make sure that's how it's being included.

Or maybe pre? Do you know if there is an option to add a table to postrouting?

Post is fine; we can hook prerouting, postrouting, forward, ingress, whatever. Each table is separate.
