gilaro
August 5, 2024, 5:56pm
1
Hi!
I have an issue with my custom netdev firewall table. The virtual interface needs to be created before fw4 starts.
table netdev filter {
	chain egress {
		type filter hook egress device "eth1.832" priority filter; policy accept;
	}
}
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 11.731222] Backport generated by backports.git v6.1.97-1-29-gf1d24a3683b2
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 11.742630] sfp sfp-1: Host maximum power 3.0W
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 11.747690] sfp sfp-2: Host maximum power 3.0W
Tue Jul 23 22:03:08 2024 user.info kernel: [ 11.840893] urngd: v1.0.2 started.
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 12.212478] mt798x-wmac 18000000.wifi: HW/SW Version: 0x8a108a10, Build Time: 20221012174743a
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 12.212478]
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 12.345696] mt798x-wmac 18000000.wifi: WM Firmware Version: ____000000, Build Time: 20221012174805
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 12.450033] mt798x-wmac 18000000.wifi: WA Firmware Version: DEV_000000, Build Time: 20221012174937
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 12.555482] mt798x-wmac 18000000.wifi: registering led 'mt76-phy0'
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 12.563186] mt798x-wmac 18000000.wifi: registering led 'mt76-phy1'
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 15.220534] PPP generic driver version 2.4.2
Tue Jul 23 22:03:08 2024 kern.info kernel: [ 15.225518] NET: Registered PF_PPPOX protocol family
Tue Jul 23 22:03:08 2024 user.info kernel: [ 15.232371] kmodloader: done loading kernel modules from /etc/modules.d/*
Tue Jul 23 22:03:08 2024 kern.warn kernel: [ 15.653380] sfp sfp-1: please wait, module slow to respond
Tue Jul 23 22:03:13 2024 authpriv.info dropbear[1735]: Not backgrounding
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:6:41-57: Error: No such file or directory; did you mean chain ‘egress’ in table netdev ‘filter’?
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: type filter hook egress device "eth1.832" priority filter; policy accept;
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: ^^^^^^^^^^^^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: ^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: ^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: ^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: ^^^^^^
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: bonding
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: 8021ad
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: 8021q
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: macvlan
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: veth
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: bridge
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: Network device
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: tunnel
Tue Jul 23 22:03:14 2024 daemon.notice procd: /etc/rc.d/S25packet_steering: pid 340's current affinity list: 0-3
Tue Jul 23 22:03:14 2024 daemon.notice procd: /etc/rc.d/S25packet_steering: pid 340's new affinity list: 0
brada4
August 5, 2024, 6:42pm
2
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
gilaro
August 6, 2024, 7:26am
3
Here is the requested information.
gilaro@OpenWrt:~$ sudo ubus call system board
{
	"kernel": "6.6.43",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Bananapi BPI-R3",
	"board_name": "bananapi,bpi-r3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r27055+5-e6fec638d2",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r27055+5-e6fec638d2"
	}
}
gilaro@OpenWrt:~$ sudo cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix '<redacted>'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '832'
	option name 'eth1.832'
	option egress_qos_mapping '6:6'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1.832'
	option reqopts '1 3 6 15 28 51 58 59 90 119 120 125'
	option vendorid '<redacted>'
	option clientid '<redacted>'
	option sendopts '77:<redacted> 90:<redacted>'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth1.832'
	option reqaddress 'none'
	option reqopts '11 17 23 24'
	option clientid '<redacted>'
	option userclass '<redacted>'
	option vendorclass '<redacted>'
	option sendopts '11:<redacted>'
	option noclientfqdn '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'sfp2'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	option ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '832'
	option ports 'wan:t'

config interface 'home'
	option device 'br-lan.10'
	option proto 'static'
	option ip6assign '64'

config interface 'dmz'
	option device 'br-lan.20'
	option proto 'static'
	option ip6assign '64'

config interface 'livebox'
	option device 'br-lan.832'
	option proto 'static'
	option ipaddr '192.168.30.1/24'
	option ip6assign '64'
gilaro@OpenWrt:~$ sudo cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'home'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option enabled '1'
	option type 'nftables'
	option path '/etc/custom-netdev-table.nft'
	option position 'ruleset-post'

config include
	option enabled '1'
	option type 'nftables'
	option path '/etc/custom-postrouting-chain.nft'
	option chain 'mangle_postrouting'
	option position 'chain-append'

config include
	option enabled '1'
	option type 'nftables'
	option path '/etc/custom-arp-table.nft'
	option position 'ruleset-post'

config zone
	option name 'dmz'
	option network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DMZ-DHCPv6'
	option src 'dmz'
	option proto 'udp'
	option dest_port '547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-DMZ-ICMPv6-Input'
	option src 'dmz'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-solicitation'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'livebox'
	option network 'livebox'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
gilaro
August 6, 2024, 7:38am
4
gilaro@OpenWrt:~$ sudo cat /etc/custom-netdev-table.nft
table netdev filter
flush table netdev filter
table netdev filter {
	chain egress {
		type filter hook egress device "eth1.832" priority filter; policy accept;
		udp dport 547 meta priority set 0:6 ip6 dscp set cs6 counter
		udp dport 67 meta priority set 0:6 ip dscp set cs6 counter
	}
}

gilaro@OpenWrt:~$ sudo nft list chain inet fw4 mangle_postrouting
table inet fw4 {
	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "eth1.832" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		oifname "eth1.832" icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } meta priority set 0:6 ip6 dscp set cs6 counter packets 0 bytes 0
	}
}

gilaro@OpenWrt:~$ sudo nft list table arp filter
table arp filter {
	chain output {
		type filter hook output priority filter; policy accept;
		oifname "eth1.832" meta priority set 0:6 counter packets 0 bytes 0
	}
}
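The failure in the first post is an ordering problem: a netdev-family chain binds to a concrete device at load time, so when /etc/rc.d/S19firewall includes the file before netifd has created eth1.832, nft reports "No such file or directory" for the hook and the whole table is rejected. One defensive way around that is to apply the file from an interface hotplug handler, after checking that the device the hook names really exists. The script below is an added example written for this thread, not code from the original posts or from OpenWrt; it assumes the standard iface hotplug environment (ACTION and DEVICE), nft in PATH, and it reads the device name out of the "hook egress device" line of the same file shown above. NFT_FILE and SYSFS_NET are overridable so the decision logic can be exercised off-box.

```shell
#!/bin/sh
# Added example (not from the thread): load the custom netdev table only once the
# VLAN device that its egress hook binds to exists, instead of relying on init order
# (fw4 at S19 starts before netifd has created eth1.832).
# Assumed environment: OpenWrt iface hotplug variables ACTION and DEVICE, nft in PATH.
# NFT_FILE and SYSFS_NET are overridable so the logic can be tested off-box.

NFT_FILE="${NFT_FILE:-/etc/custom-netdev-table.nft}"

# Extract the device named on the "hook egress device" line of the nft file.
hook_device() {
    sed -n 's/.*hook egress device "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# True when the kernel knows the device (sysfs lookup; SYSFS_NET overridable for tests).
device_exists() {
    [ -n "$1" ] && [ -d "${SYSFS_NET:-/sys/class/net}/$1" ]
}

# Decide whether a hotplug event should (re)load the table: only an ifup event,
# only for the device the table references, and only if that device is present.
should_reload() {
    action="$1"
    dev="$2"
    [ "$action" = "ifup" ] || return 1
    [ "$dev" = "$(hook_device "$NFT_FILE")" ] || return 1
    device_exists "$dev"
}

# Dry-run the file first (nft -c) so a syntax error cannot leave a half-applied table.
load_table() {
    nft -c -f "$NFT_FILE" && nft -f "$NFT_FILE"
}

# Hotplug entry point; inert when the script is sourced outside the hotplug environment.
if [ -n "$ACTION" ] && should_reload "$ACTION" "$DEVICE"; then
    load_table
fi
```

Installed as, for instance, /etc/hotplug.d/iface/99-custom-netdev (a hypothetical name), the handler reloads the table whenever the wan interface comes up on eth1.832. Because the file in the post above declares and then flushes `table netdev filter` before redefining it, repeated loads are idempotent. Until the table is in place the DSCP/priority marking simply is not applied; the chain's policy is accept, so nothing is blocked, but the egress class the author wants on DHCP traffic is missing during that window.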
gilaro
August 6, 2024, 8:20am
6
I'm going to test my IPv6 connectivity without the rules in the file /etc/custom-netdev-table.nft. I will set the PCP with the skpriority option (IPv6) in /etc/config/network. Thus, maybe I will know if my SFP and network configuration work.