How do I create an interface before fw4 starts?

Hi!

I have an issue with my custom netdev firewall table. The virtual interface needs to be created before fw4 starts.


table netdev filter {
        chain egress {
                type filter hook egress device "eth1.832" priority filter; policy accept;
                
        }
}
Tue Jul 23 22:03:08 2024 kern.info kernel: [   11.731222] Backport generated by backports.git v6.1.97-1-29-gf1d24a3683b2
Tue Jul 23 22:03:08 2024 kern.info kernel: [   11.742630] sfp sfp-1: Host maximum power 3.0W
Tue Jul 23 22:03:08 2024 kern.info kernel: [   11.747690] sfp sfp-2: Host maximum power 3.0W
Tue Jul 23 22:03:08 2024 user.info kernel: [   11.840893] urngd: v1.0.2 started.
Tue Jul 23 22:03:08 2024 kern.info kernel: [   12.212478] mt798x-wmac 18000000.wifi: HW/SW Version: 0x8a108a10, Build Time: 20221012174743a
Tue Jul 23 22:03:08 2024 kern.info kernel: [   12.212478]
Tue Jul 23 22:03:08 2024 kern.info kernel: [   12.345696] mt798x-wmac 18000000.wifi: WM Firmware Version: ____000000, Build Time: 20221012174805
Tue Jul 23 22:03:08 2024 kern.info kernel: [   12.450033] mt798x-wmac 18000000.wifi: WA Firmware Version: DEV_000000, Build Time: 20221012174937
Tue Jul 23 22:03:08 2024 kern.info kernel: [   12.555482] mt798x-wmac 18000000.wifi: registering led 'mt76-phy0'
Tue Jul 23 22:03:08 2024 kern.info kernel: [   12.563186] mt798x-wmac 18000000.wifi: registering led 'mt76-phy1'
Tue Jul 23 22:03:08 2024 kern.info kernel: [   15.220534] PPP generic driver version 2.4.2
Tue Jul 23 22:03:08 2024 kern.info kernel: [   15.225518] NET: Registered PF_PPPOX protocol family
Tue Jul 23 22:03:08 2024 user.info kernel: [   15.232371] kmodloader: done loading kernel modules from /etc/modules.d/*
Tue Jul 23 22:03:08 2024 kern.warn kernel: [   15.653380] sfp sfp-1: please wait, module slow to respond
Tue Jul 23 22:03:13 2024 authpriv.info dropbear[1735]: Not backgrounding
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:6:41-57: Error: No such file or directory; did you mean chain ‘egress’ in table netdev ‘filter’?
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:                 type filter hook egress device "eth1.832" priority filter; policy accept;
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:                                         ^^^^^^^^^^^^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:         chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:               ^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:         chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:               ^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:         chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:               ^^^^^^
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: In file included from /dev/stdin:260:1-39:
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall: /etc/custom-netdev-table.nft:5:15-20: Error: Could not process rule: No such file or directory
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:         chain egress {
Tue Jul 23 22:03:13 2024 daemon.notice procd: /etc/rc.d/S19firewall:               ^^^^^^
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: bonding
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: 8021ad
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: 8021q
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: macvlan
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: veth
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: bridge
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: Network device
Tue Jul 23 22:03:14 2024 user.notice : Added device handler type: tunnel
Tue Jul 23 22:03:14 2024 daemon.notice procd: /etc/rc.d/S25packet_steering: pid 340's current affinity list: 0-3
Tue Jul 23 22:03:14 2024 daemon.notice procd: /etc/rc.d/S25packet_steering: pid 340's new affinity list: 0

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Here is the requested information.

gilaro@OpenWrt:~$ sudo ubus call system board
{
        "kernel": "6.6.43",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Bananapi BPI-R3",
        "board_name": "bananapi,bpi-r3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r27055+5-e6fec638d2",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r27055+5-e6fec638d2"
        }
}
gilaro@OpenWrt:~$ sudo cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix '🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '832'
	option name 'eth1.832'
	option egress_qos_mapping '6:6'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1.832'
	option reqopts '1 3 6 15 28 51 58 59 90 119 120 125'
	option vendorid '🎡🎡🎡🎡🎡🎡🎡'
	option clientid '🎡🎡🎡🎡🎡🎡🎡🎡'
	option sendopts '77:🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡 90:🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth1.832'
	option reqaddress 'none'
	option reqopts '11 17 23 24'
	option clientid '🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡'
	option userclass '🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡'
	option vendorclass '🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡'
	option sendopts '11:🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡🎡'
	option noclientfqdn '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'sfp2'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	option ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '832'
	option ports 'wan:t'

config interface 'home'
	option device 'br-lan.10'
	option proto 'static'
	option ip6assign '64'

config interface 'dmz'
	option device 'br-lan.20'
	option proto 'static'
	option ip6assign '64'

config interface 'livebox'
	option device 'br-lan.832'
	option proto 'static'
	option ipaddr '192.168.30.1/24'
	option ip6assign '64'

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'home'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option enabled '1'
	option type 'nftables'
	option path '/etc/custom-netdev-table.nft'
	option position 'ruleset-post'

config include
	option enabled '1'
	option type 'nftables'
	option path '/etc/custom-postrouting-chain.nft'
	option chain 'mangle_postrouting'
	option position 'chain-append'

config include
	option enabled '1'
	option type 'nftables'
	option path '/etc/custom-arp-table.nft'
	option position 'ruleset-post'

config zone
	option name 'dmz'
	option network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DMZ-DHCPv6'
	option src 'dmz'
	option proto 'udp'
	option dest_port '547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-DMZ-ICMPv6-Input'
	option src 'dmz'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-solicitation'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'livebox'
	option network 'livebox'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'


gilaro@OpenWrt:~$ sudo cat /etc/custom-netdev-table.nft
table netdev filter
flush table netdev filter

table netdev filter {
        chain egress {
                type filter hook egress device "eth1.832" priority filter; policy accept;
                udp dport 547 meta priority set 0:6 ip6 dscp set cs6 counter
                udp dport 67 meta priority set 0:6 ip dscp set cs6 counter
        }
}

gilaro@OpenWrt:~$ sudo nft list chain inet fw4 mangle_postrouting
table inet fw4 {
        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
                oifname "eth1.832" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                oifname "eth1.832" icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } meta priority set 0:6 ip6 dscp set cs6 counter packets 0 bytes 0
        }
}

gilaro@OpenWrt:~$ sudo nft list table arp filter
table arp filter {
        chain output {
                type filter hook output priority filter; policy accept;
                oifname "eth1.832" meta priority set 0:6 counter packets 0 bytes 0
        }
}

I'm going to test my IPv6 connectivity without the rules in the file /etc/custom-netdev-table.nft. I will set the PCP with the skpriority option (IPv6) in /etc/config/network. Thus, maybe I will know if my SFP and network configuration work.
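The errors in the boot log come from fw4 inlining /etc/custom-netdev-table.nft into the single ruleset it feeds to nft -f, which is applied as one transaction: a netdev chain bound to a device the kernel has not created yet rejects the whole load, so the box can sit without its rules until the next reload. One way around the ordering problem, as an added example that is not from the thread or from OpenWrt's own packages, is to load the netdev table from a hotplug script that fires when eth1.832 itself appears; it assumes the script lives under /etc/hotplug.d/net/, that hotplug exports ACTION and INTERFACE, and that SYSFS_NET can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/hotplug.d/net/90-custom-netdev
# Loads the thread's netdev egress table only after the kernel has created
# the watched VLAN device, instead of racing /etc/rc.d/S19firewall at boot.
# Assumptions: hotplug exports ACTION and INTERFACE; SYSFS_NET is overridable.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
WATCHED_DEV="${WATCHED_DEV:-eth1.832}"

# 0 if the kernel currently knows the device, 1 otherwise.
dev_exists() {
    [ -d "$SYSFS_NET/$1" ]
}

# Render the table from the thread for the given device. The leading
# "table ... / flush table ..." pair keeps repeated loads idempotent.
render_table() {
    cat <<EOF
table netdev filter
flush table netdev filter
table netdev filter {
        chain egress {
                type filter hook egress device "$1" priority filter; policy accept;
                udp dport 547 meta priority set 0:6 ip6 dscp set cs6 counter
                udp dport 67 meta priority set 0:6 ip dscp set cs6 counter
        }
}
EOF
}

# Decide from the hotplug event (action, interface) whether to load now:
# only the "add" of the watched device, and only if it is really present.
should_load() {
    [ "$1" = "add" ] && [ "$2" = "$WATCHED_DEV" ] && dev_exists "$2"
}

main() {
    should_load "${ACTION:-}" "${INTERFACE:-}" || return 0
    if render_table "$INTERFACE" | nft -f -; then
        logger -t custom-netdev "loaded netdev table on $INTERFACE"
    else
        logger -t custom-netdev "failed to load netdev table on $INTERFACE"
        return 1
    fi
}

# Only act when invoked by hotplug (ACTION set); sourcing the file for tests skips this.
if [ -n "${ACTION:-}" ]; then main; fi
```

With this in place the `config include` for /etc/custom-netdev-table.nft can be disabled so fw4's own load no longer depends on the device existing.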