Help me update my HFSC shaper scripts for fw4/nftables

When the next 22.03 rc or final is released, or latest snapshot, firewall4 will recognize includes under /usr/share/nftables.d/ with a location subdirectory. Since you want to add a new table, you would place the include in /usr/share/nftables.d/ruleset-post/ so it comes after the default table inet fw4.

If you want to test right now with 22.03-rc6, you have to specify an include in /etc/config/firewall:

config include
  option type nftables
  option path /etc/dscptag.nft
  option position ruleset-append

And does it handle entire table includes, or just individual chains in an existing table? Because I'm writing this like it's just a separate table entirely...

Using the syntax I gave, it will add your include AFTER the fw4 table definition is closed.

Thanks @dlakelan @dave14305

I'm using the latest snapshot, and placing the file in /usr/share/nftables.d/ is not recognized automatically by nftables, so I used the latest advice and moved the file to /etc with an include section in the firewall config.

the output is:

root@OpenWrt:/usr/share/nftables.d# service firewall restart
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
root@OpenWrt:/usr/share/nftables.d# service firewall restart
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:2:1-11: Error: syntax error, unexpected string
udpbulkport = {51413}
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:3:1-11: Error: syntax error, unexpected string
tcpbulkport = {51413,6881-6889}
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:4:1-12: Error: syntax error, unexpected string
vidconfports = {10000,3478:3479,8801:8802,19302:19309,5938,53}
^^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:5:1-9: Error: syntax error, unexpected string
realtime4 = {192.168.1.55} # example, just add all your game console here
^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:6:1-9: Error: syntax error, unexpected string
realtime6 = {fd90::129a} ## example only replace with game console
^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:7:1-11: Error: syntax error, unexpected string
lowpriolan4 = {192.168.1.100} # example, add your low priority lan machines here
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:8:1-11: Error: syntax error, unexpected string
lowpriolan6 = {fd90::129a} ## example, add your low priority lan ipv6 PUBLIC addr here
^^^^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:10:1-7: Error: syntax error, unexpected string
ackrate = 300
^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:12:1-8: Error: syntax error, unexpected string
downrate = 850000 # kbits/sec ... CHANGE ME
^^^^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:13:1-6: Error: syntax error, unexpected string
uprate = 855000 # kbits/sec ... CHANGE ME
^^^^^^

Unfortunately for me it's not clear where the typo is...

Try adding define before each variable at the top of the dscptag.nft file.

Do you still have an old firewall.user listed in /etc/config/firewall? That might cause the fw4_compatible warnings.


That basically depends on where you include it, see https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/usr/share/nftables.d/README for details.

# "table-pre" would be included here

table inet fw4 {
  # "ruleset-pre" would be included here

  chain input {
    type filter hook input priority filter; policy accept;
    # "chain-pre/input" would be included here
    iifname "lo" accept comment "!fw4: Accept traffic from loopback"
    ...other fw4 rules...
    # "chain-post/input" would be included here
  }

  ...other fw4 chains...

  chain mangle_forward {
    type filter hook forward priority mangle; policy accept;
    # "chain-pre/mangle_forward" would be included here
    ...fw4 rules...
    # "chain-post/mangle_forward" would be included here
  }

  # "ruleset-post" would be included here
}

# "table-post" would be included here

I'm on my way, sorry. Maybe @segal_72 would be interested, he's trying to improve the connection all the time :wink: if you pass by.

Thanks @dave14305, I removed the old firewall.user and the message is gone, but the syntax errors are still there after adding define for the variables:

root@OpenWrt:/usr/share/nftables.d# service firewall restart
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:15:8-12: Error: syntax error, unexpected table, expecting string
define table inet dscptag {
       ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:21:12-13: Error: syntax error, unexpected ip
        ip ip dscp set cs0
           ^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:22:13-15: Error: syntax error, unexpected ip6
        ip6 ip6 dscp set cs0 
            ^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:24:12-16: Error: syntax error, unexpected string
        ip proto udp udp sport = $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:25:35-35: Error: syntax error, unexpected '='
        ip6 nexthdr udp udp sport = $udpbulkport ip6 dscp set cs1
                                  ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:27:12-16: Error: syntax error, unexpected string
        ip proto udp udp dport = $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:28:35-35: Error: syntax error, unexpected '='
        ip6 nexthdr udp udp dport = $udpbulkport ip6 dscp set cs1
                                  ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:30:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp sport = $tcpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:31:35-35: Error: syntax error, unexpected '='
        ip6 nexthdr tcp tcp sport = $tcpbulkport ip6 dscp set cs1
                                  ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:32:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp dport = $tcpbulkport ip dscp set cs1

Remove define from this line. Only the variables above it need it.

Thanks, this was a typo, removed the line already! :slight_smile:

Does it work now?

nft list ruleset

Nope, the syntax errors are still there:

root@OpenWrt:~# service firewall restart
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:14:1-5: Error: syntax error, unexpected table
table inet dscptag {
^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:20:12-13: Error: syntax error, unexpected ip
       ip ip dscp set cs0
          ^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:21:13-15: Error: syntax error, unexpected ip6
       ip6 ip6 dscp set cs0 
           ^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:23:12-16: Error: syntax error, unexpected string
       ip proto udp udp sport = $udpbulkport ip dscp set cs1
          ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:24:35-35: Error: syntax error, unexpected '='
       ip6 nexthdr udp udp sport = $udpbulkport ip6 dscp set cs1
                                 ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:26:12-16: Error: syntax error, unexpected string
       ip proto udp udp dport = $udpbulkport ip dscp set cs1
          ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:27:35-35: Error: syntax error, unexpected '='
       ip6 nexthdr udp udp dport = $udpbulkport ip6 dscp set cs1
                                 ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:29:12-16: Error: syntax error, unexpected string
       ip proto tcp tcp sport = $tcpbulkport ip dscp set cs1
          ^^^^^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:30:35-35: Error: syntax error, unexpected '='
       ip6 nexthdr tcp tcp sport = $tcpbulkport ip6 dscp set cs1
                                 ^
In file included from /dev/stdin:218:2-28:
/etc/dscptag.nft:31:12-16: Error: syntax error, unexpected string
       ip proto tcp tcp dport = $tcpbulkport ip dscp set cs1

Maybe we are using the wrong table?

So based on @jow's post above I think our file should be included in table-post; perhaps make sure that's how it's being included.


Or maybe pre? Do you know if there is an option to add a table to postrouting?

Post is fine; we can hook prerouting, postrouting, forward, ingress, whatever. Each table is separate.


Hi, I have the same error message. It looks to me like the new table is not created at all, which obviously would be needed to add chains/rules etc.
I am not sure what the exact syntax is, or whether we should have any creation line at all (i.e. it may automatically create a table if it does not exist yet), but

add table inet dscptag
or
create table inet dscptag

in *.nft, neither works.

Also it looks like ip ip set dscp cs0 is not valid but ip set dscp cs0 is accepted; at least when adding manually, only the latter format is parsed successfully.

Ok, I just pushed to devel a version that puts in all the missing "define" and also gets rid of the ip ip and ip6 ip6 errors/typos.

There are two kinds of scripts in nftables: the nftables output format I'm using and the "script" style. I don't like the script style myself, and I don't think we should mix them. So there's no "add table ..." in the nftables output style.

https://wiki.nftables.org/wiki-nftables/index.php/Scripting

@grrr2 how are you loading the file? And what are the errors with the current version I just pushed?

I followed @jow's instruction: adding your nft file to /usr/share/nftables.d/table-post. Sorry if that's not the right way.

That sounds like the right way. But it is different from what dave was suggesting above (Help me update my HFSC shaper scripts for fw4/nftables - #6 by dave14305), so I guess it makes a difference which version of OpenWrt you have; it sounds like the /usr/share/nftables.d/table-post method is only available in relatively recent versions (snapshots etc.).

Yes, I tried on snapshot.

I simplified your rules a bit for easier troubleshooting, only for syntax checking purposes:

define udpbulkport = {51413}
define tcpbulkport = {51413,6881-6889}
define vidconfports = {10000,3478-3479,8801-8802,19302-19309,5938,53} # nft ranges use "-", not ":"
define realtime4 = {192.168.109.1} # example, just add all your game console here
define realtime6 = {fd90::129a} ## example only replace with game console
define lowpriolan4 = {192.168.109.2} # example, add your low priority lan machines here
define lowpriolan6 = {fd90::129a} ## example, add your low priority lan ipv6 PUBLIC addr here

define ackrate = 300

define downrate = 15000 # kbits/sec ... CHANGE ME
define uprate = 15000 # kbits/sec ... CHANGE ME


table inet dscptag {

    chain dscptag {
        type filter hook forward priority 0; policy accept;

        # wash all the DSCP to begin with ... you can comment this out
        ip dscp set cs0
        ip6 dscp set cs0

        udp sport $udpbulkport ip dscp set cs1
    }

}

I also tried the config include way by saving to /etc/dscptag.nft first, then service firewall restart. First of all it fails with

/etc/dscptag.nft:15:1-5: Error: syntax error, unexpected table
table inet dscptag {
^^^^^

So it does not create the table, so it cannot add any chains/rules. But as I said, with /usr/share/nftables.d it's the same problem.

Also I think the correct rule format is as in my simplified version. If using your version there are many
errors like:

./dscptag.nft:28:12-14: Error: syntax error, unexpected udp
        ip udp sport = $udpbulkport ip dscp set cs1

or

./dscptag.nft:28:31-31: Error: syntax error, unexpected '='
        ip protocol udp sport = $udpbulkport ip dscp set cs1
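Pulling the corrections from this thread together (every variable introduced with define, no "add table"/"create table" line since this is the plain nft ruleset style dlakelan is using, no doubled ip ip / ip6 ip6, no "=" between selector and value, and no "ip proto udp" in front of "udp sport"), here is a complete dscptag.nft that parses. This is an added example and not dlakelan's script from the devel repo; the addresses and ports are placeholders, the DSCP classes chosen for the video conferencing and realtime groups are illustrative, and only the defines the rules below actually reference are kept:

```nft
# /etc/dscptag.nft
# Load via the fw4 "config include" section shown earlier in the thread,
# or drop it into /usr/share/nftables.d/table-post/ on a recent snapshot.
# It is a separate table, so it must land outside "table inet fw4 { }".

# Variables need "define" and are referenced as $name in the rules.
# Ranges inside sets use "-", not ":".
define udpbulkport = { 51413 }
define tcpbulkport = { 51413, 6881-6889 }
define vidconfports = { 10000, 3478-3479, 8801-8802, 19302-19309, 5938, 53 }
define realtime4 = { 192.168.1.55 }       # placeholder: game console(s), IPv4
define realtime6 = { fd90::129a }         # placeholder: game console(s), IPv6
define lowpriolan4 = { 192.168.1.100 }    # placeholder: low priority LAN hosts, IPv4
define lowpriolan6 = { fd90::129b }       # placeholder: low priority LAN hosts, IPv6

table inet dscptag {
    chain dscptag {
        # Own table, so it can hook wherever it likes; forward sees both
        # directions of traffic crossing the router.
        type filter hook forward priority 0; policy accept;

        # Wash all DSCP marks first (comment out to trust upstream marks).
        ip dscp set cs0
        ip6 dscp set cs0

        # Bulk (torrent) ports -> CS1. "udp sport" already implies the
        # transport protocol; the "ip"/"ip6" before "dscp set" picks the
        # address family, so each rule is written once per family.
        udp sport $udpbulkport ip dscp set cs1
        udp dport $udpbulkport ip dscp set cs1
        tcp sport $tcpbulkport ip dscp set cs1
        tcp dport $tcpbulkport ip dscp set cs1
        udp sport $udpbulkport ip6 dscp set cs1
        udp dport $udpbulkport ip6 dscp set cs1
        tcp sport $tcpbulkport ip6 dscp set cs1
        tcp dport $tcpbulkport ip6 dscp set cs1

        # Low priority LAN machines -> CS1, whichever direction they talk.
        ip saddr $lowpriolan4 ip dscp set cs1
        ip daddr $lowpriolan4 ip dscp set cs1
        ip6 saddr $lowpriolan6 ip6 dscp set cs1
        ip6 daddr $lowpriolan6 ip6 dscp set cs1

        # Video conferencing ports -> AF41 (illustrative class choice).
        udp sport $vidconfports ip dscp set af41
        udp dport $vidconfports ip dscp set af41
        udp sport $vidconfports ip6 dscp set af41
        udp dport $vidconfports ip6 dscp set af41

        # Game consoles / realtime hosts -> CS5 (illustrative class choice).
        ip saddr $realtime4 ip dscp set cs5
        ip daddr $realtime4 ip dscp set cs5
        ip6 saddr $realtime6 ip6 dscp set cs5
        ip6 daddr $realtime6 ip6 dscp set cs5
    }
}
```

Before restarting the firewall you can dry-run just this file with nft -c -f /etc/dscptag.nft, which reports the same line:column errors as the fw4 output above but against this file alone; after service firewall restart, nft list table inet dscptag should show the chain, and if it is missing the include simply was not applied.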