Is it possible to increase iptables chain name length (max default 29)

Hi,

I'm trying to get dozens of VPN connections to work at the same time.

So they have descriptive names like:

eu_sophia_beetvpn
eu_stockholm_beetvpn
eu_thessaloniki_beetvpn
eu_warsaw_beetvpn
eu_zurich_azirevpn
eu_zurich_beetvpn
mena_bursa_beetvpn
mena_mumbai_beetvpn
mena_tel_aviv_beetvpn
ru_moscow_beetvpn
ru_st_petersburg_beetvpn
sa_argentina_azirevpn
sa_buenos_aires_azirevpn
sa_sao_paulo_beetvpn
sea_bangkok_beetvpn
sea_hong_kong_beetvpn
sea_manila_beetvpn

For now I have one LAN interface and many devices in the "VPN" zone (similar to the default WAN zone, I guess):

root@vpn:~# ifconfig | grep Link
ca_toronto_azir Link encap:UNSPEC
eth0      Link encap:Ethernet  
eth1      Link encap:Ethernet  
eu_berlin_azire Link encap:UNSPEC  
eu_frankfurt_az Link encap:UNSPEC  
eu_zurich_azire Link encap:UNSPEC  
lo        Link encap:Local Loopback
tun_asia_jakart Link encap:UNSPEC  
tun_eu_amsterda Link encap:UNSPEC
tun_eu_helsinki Link encap:UNSPEC

These names are getting truncated somewhere. Here is the output from uci show openvpn:

openvpn.ru_st_petersburg_beetvpn.dev='tun_ru_st_petersburg_beetvpn'
openvpn.sa_argentina_azirevpn.dev='tun_sa_argentina_azirevpn'
openvpn.sa_buenos_aires_azirevpn.dev='tun_sa_buenos_aires_azirevpn'
openvpn.sa_sao_paulo_beetvpn.dev='tun_sa_sao_paulo_beetvpn'
openvpn.sea_bangkok_beetvpn.dev='tun_sea_bangkok_beetvpn'
openvpn.sea_hong_kong_beetvpn.dev='tun_sea_hong_kong_beetvpn'
openvpn.sea_manila_beetvpn.dev='tun_sea_manila_beetvpn'

At this point I have many VPN connections up and running and working fine. Tested using traceroute -i interface_name 1.1.1.1

I need to make it easy to select which VPN I want to switch the default route to; for that I want to use mwan to auto-switch the LAN default route.

Here is my mwan config:

root@vpn:~# uci show mwan3
mwan3.globals=globals
mwan3.globals.mmx_mask='0x3F00'
mwan3.toronto_pol=policy
mwan3.toronto_pol.use_member='ca_toronto_azir'
mwan3.toronto_pol.last_resort='unreachable'
mwan3.zurich_pol=policy
mwan3.zurich_pol.use_member='eu_zurich_azire'
mwan3.zurich_pol.last_resort='unreachable'
mwan3.berlin_pol=policy
mwan3.berlin_pol.use_member='eu_berlin_azire'
mwan3.berlin_pol.last_resort='unreachable'
mwan3.frankfurt_pol=policy
mwan3.frankfurt_pol.use_member='eu_frankfurt_az'
mwan3.frankfurt_pol.last_resort='unreachable'
mwan3.default_vpn_rule=rule
mwan3.default_vpn_rule.dest_ip='0.0.0.0/0'
mwan3.default_vpn_rule.use_policy='toronto_pol'
mwan3.ca_toronto_azir=interface
mwan3.ca_toronto_azir.enabled='1'
mwan3.ca_toronto_azir.reliability='1'
mwan3.ca_toronto_azir.family='ipv4'
mwan3.ca_toronto_azir.initial_state='online'
mwan3.ca_toronto_azir.track_ip='1.1.1.1' '8.8.8.8'
mwan3.ca_toronto_azir.track_method='ping'
mwan3.ca_toronto_azir.count='1'
mwan3.ca_toronto_azir.size='56'
mwan3.ca_toronto_azir.max_ttl='60'
mwan3.ca_toronto_azir.timeout='4'
mwan3.ca_toronto_azir.interval='10'
mwan3.ca_toronto_azir.failure_interval='5'
mwan3.ca_toronto_azir.recovery_interval='5'
mwan3.ca_toronto_azir.down='5'
mwan3.ca_toronto_azir.up='5'
mwan3.eu_zurich_azire=interface
mwan3.eu_zurich_azire.enabled='1'
mwan3.eu_zurich_azire.reliability='1'
mwan3.eu_zurich_azire.family='ipv4'
mwan3.eu_zurich_azire.initial_state='online'
mwan3.eu_zurich_azire.track_ip='1.1.1.1' '8.8.8.8'
mwan3.eu_zurich_azire.track_method='ping'
mwan3.eu_zurich_azire.count='1'
mwan3.eu_zurich_azire.size='56'
mwan3.eu_zurich_azire.max_ttl='60'
mwan3.eu_zurich_azire.timeout='4'
mwan3.eu_zurich_azire.interval='10'
mwan3.eu_zurich_azire.failure_interval='5'
mwan3.eu_zurich_azire.recovery_interval='5'
mwan3.eu_zurich_azire.down='5'
mwan3.eu_zurich_azire.up='5'
mwan3.eu_berlin_azire=interface
mwan3.eu_berlin_azire.enabled='1'
mwan3.eu_berlin_azire.reliability='1'
mwan3.eu_berlin_azire.family='ipv4'
mwan3.eu_berlin_azire.initial_state='online'
mwan3.eu_berlin_azire.track_ip='1.1.1.1' '8.8.8.8'
mwan3.eu_berlin_azire.track_method='ping'
mwan3.eu_berlin_azire.count='1'
mwan3.eu_berlin_azire.size='56'
mwan3.eu_berlin_azire.max_ttl='60'
mwan3.eu_berlin_azire.timeout='4'
mwan3.eu_berlin_azire.interval='10'
mwan3.eu_berlin_azire.failure_interval='5'
mwan3.eu_berlin_azire.recovery_interval='5'
mwan3.eu_berlin_azire.down='5'
mwan3.eu_berlin_azire.up='5'
mwan3.eu_frankfurt_az=interface
mwan3.eu_frankfurt_az.enabled='1'
mwan3.eu_frankfurt_az.reliability='1'
mwan3.eu_frankfurt_az.family='ipv4'
mwan3.eu_frankfurt_az.initial_state='online'
mwan3.eu_frankfurt_az.track_ip='1.1.1.1' '8.8.8.8'
mwan3.eu_frankfurt_az.track_method='ping'
mwan3.eu_frankfurt_az.count='1'
mwan3.eu_frankfurt_az.size='56'
mwan3.eu_frankfurt_az.max_ttl='60'
mwan3.eu_frankfurt_az.timeout='4'
mwan3.eu_frankfurt_az.interval='10'
mwan3.eu_frankfurt_az.failure_interval='5'
mwan3.eu_frankfurt_az.recovery_interval='5'
mwan3.eu_frankfurt_az.down='5'
mwan3.eu_frankfurt_az.up='5'

But here is what happens in the logs:

root@vpn:~# logread | grep mwan3
Mon Oct 28 13:31:09 2024 user.warn mwan3-init[627]: Rule default_vpn_rule exceeds max of 15 chars. Not setting rule
Mon Oct 28 13:31:09 2024 user.warn mwan3-init[627]: invalid ipv6 address 0.0.0.0/0 specified for rule default_vpn_rule
Mon Oct 28 13:31:09 2024 user.notice mwan3-hotplug[1250]: mwan3 hotplug on loopback not called because interface disabled
Mon Oct 28 13:31:16 2024 user.notice mwan3-hotplug[2116]: mwan3 hotplug on wan not called because interface disabled
Mon Oct 28 13:31:16 2024 user.notice mwan3-hotplug[2322]: mwan3 hotplug on lan not called because interface disabled
Mon Oct 28 13:31:18 2024 user.notice mwan3-hotplug[2499]: Execute ifup event on interface ca_toronto_azir (ca_toronto_azir)
Mon Oct 28 13:31:18 2024 user.err mwan3-hotplug[2499]: create_iface_iptables (ca_toronto_azir): iptables-restore v1.8.8 (legacy): chain name `mwan3_iface_in_ca_toronto_azir' too long (must be under 29 chars) Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mon Oct 28 13:31:18 2024 user.info mwan3track[848]: Detect ifup event on interface ca_toronto_azir ()
Mon Oct 28 13:31:18 2024 user.notice mwan3track[848]: Interface ca_toronto_azir (ca_toronto_azir) is online
Mon Oct 28 13:31:18 2024 user.notice mwan3-hotplug[3020]: Execute ifup event on interface eu_berlin_azire (eu_berlin_azire)
Mon Oct 28 13:31:18 2024 user.err mwan3-hotplug[3020]: create_iface_iptables (eu_berlin_azire): iptables-restore v1.8.8 (legacy): chain name `mwan3_iface_in_eu_berlin_azire' too long (must be under 29 chars) Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mon Oct 28 13:31:18 2024 user.info mwan3track[850]: Detect ifup event on interface eu_berlin_azire ()
Mon Oct 28 13:31:18 2024 user.notice mwan3track[850]: Interface eu_berlin_azire (eu_berlin_azire) is online
Mon Oct 28 13:31:18 2024 user.notice mwan3-hotplug[3316]: Execute ifup event on interface eu_frankfurt_az (eu_frankfurt_az)
Mon Oct 28 13:31:18 2024 user.err mwan3-hotplug[3316]: create_iface_iptables (eu_frankfurt_az): iptables-restore v1.8.8 (legacy): chain name `mwan3_iface_in_eu_frankfurt_az' too long (must be under 29 chars) Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mon Oct 28 13:31:18 2024 user.info mwan3track[851]: Detect ifup event on interface eu_frankfurt_az ()
Mon Oct 28 13:31:18 2024 user.notice mwan3track[851]: Interface eu_frankfurt_az (eu_frankfurt_az) is online
Mon Oct 28 13:31:18 2024 user.notice mwan3-hotplug[3615]: Execute ifup event on interface eu_zurich_azire (eu_zurich_azire)
Mon Oct 28 13:31:18 2024 user.err mwan3-hotplug[3615]: create_iface_iptables (eu_zurich_azire): iptables-restore v1.8.8 (legacy): chain name `mwan3_iface_in_eu_zurich_azire' too long (must be under 29 chars) Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mon Oct 28 13:31:19 2024 user.info mwan3track[849]: Detect ifup event on interface eu_zurich_azire ()
Mon Oct 28 13:31:19 2024 user.notice mwan3track[849]: Interface eu_zurich_azire (eu_zurich_azire) is online
Mon Oct 28 13:31:21 2024 user.notice mwan3-hotplug[3956]: mwan3 hotplug on wan6 not called because interface disabled
Mon Oct 28 13:31:53 2024 user.info mwan3track[851]: Check (ping) failed for target "1.1.1.1" on interface eu_frankfurt_az (eu_frankfurt_az). Current score: 10

So I would like to allow longer chain policy names and, if possible, longer network device names. I really would prefer all VPN connections to have names like tun_region_city_vpnprovider_X.

If not, I'll have to use names like zu_pol, eu_zu, etc.

Not possible. Actually in general circumstances, Linux interface names have a maximum of 15 characters.

Yes, they are, as you observe.

Is this related to your name length question?

Yes.

You need to patch the kernel, or add a 255-char comment to the rules.
Why don't you use 23.05.5 and (iptables-)nft?

1 Like

Hi,

I am using OpenWrt 23.05.5.

It seems my issue is that mwan3 is appending "mwan3_iface_in_" in front of the device name, and that is two characters too many to allow for the full 15 characters that a device name can currently have while still being within the 29-character max that a chain policy name can have.

I don't know what is going to be easier: switch to nft (would it fix it?), patch the kernel, patch mwan3...

(also I'm in an LXC on proxmox)
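As an added illustration (not code from this thread, from mwan3 or from OpenWrt), the arithmetic in the previous post written out as a POSIX sh pre-flight check. It applies the three limits quoted in the thread's log lines (interface names of at most 15 characters, mwan3 rule names of at most 15 characters, and iptables chain names that must be under 29 characters once mwan3 prepends `mwan3_iface_in_`) to a list of candidate names before they go into uci, so an over-long name is caught by a script instead of by logread. The limit values and the prefix come from the log output above; the function names and the sample names are my own, and the sample list is constructed.

```shell
#!/bin/sh
# Added example, not mwan3's own code: pre-flight name-length checks for a
# mwan3 setup on an iptables (legacy / nft-compat) backend.

IFNAMSIZ_MAX=15                 # kernel IFNAMSIZ (16) minus the terminating NUL
MWAN3_RULE_MAX=15               # "Rule ... exceeds max of 15 chars" in the mwan3-init log
IPT_CHAIN_MAX=28                # iptables: chain name "must be under 29 chars"
MWAN3_PREFIX="mwan3_iface_in_"  # per-interface chain prefix seen in the hotplug log (15 chars)

# check_ifname NAME -> 0 if the kernel will accept NAME as an interface name
check_ifname() {
    [ "${#1}" -gt 0 ] && [ "${#1}" -le "$IFNAMSIZ_MAX" ]
}

# check_mwan3_rule NAME -> 0 if mwan3 will accept NAME as a rule section name
check_mwan3_rule() {
    [ "${#1}" -gt 0 ] && [ "${#1}" -le "$MWAN3_RULE_MAX" ]
}

# check_mwan3_iface NAME -> 0 if "mwan3_iface_in_NAME" fits in an iptables chain name
check_mwan3_iface() {
    chain="${MWAN3_PREFIX}$1"
    [ "${#1}" -gt 0 ] && [ "${#chain}" -le "$IPT_CHAIN_MAX" ]
}

# mwan3_iface_max -> prints the longest interface name that survives all checks
mwan3_iface_max() {
    echo $(( IPT_CHAIN_MAX - ${#MWAN3_PREFIX} ))
}

# audit_names NAME... -> one line per name; returns 1 if any name fails a check
audit_names() {
    rc=0
    for n in "$@"; do
        if ! check_ifname "$n"; then
            echo "FAIL ifname  $n (${#n} chars > $IFNAMSIZ_MAX)"
            rc=1
        elif ! check_mwan3_iface "$n"; then
            echo "FAIL mwan3   $n (${MWAN3_PREFIX}$n is ${#MWAN3_PREFIX}+${#n} chars > $IPT_CHAIN_MAX)"
            rc=1
        else
            echo "ok           $n"
        fi
    done
    return $rc
}

# Constructed sample list: names from the thread plus shortened alternatives.
# ca_toronto_azir passes the kernel check but fails the mwan3 chain check;
# tun_eu_amsterdam fails the kernel check; the *_azir short forms pass both.
audit_names ca_toronto_azir eu_frankfurt_az tun_eu_amsterdam ca_tor_azir eu_zu_azir || true
echo "longest interface name usable with mwan3 + iptables: $(mwan3_iface_max)"
```

Run it once against the full list of planned interface names before creating the OpenVPN and mwan3 sections; anything reported as FAIL would otherwise surface as the "too long" errors in the logread output above.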

OpenWrt will use the same netfilter header as Proxmox, with 30-character chain names.
LXC is not among the supported "hardware" in OpenWrt. Use KVM or ask commercial Proxmox support to help with your LXC illusions.

1 Like

That part is still the OP's limitation, hence I didn't mention the 255 interface possibility.

How mwan should name the rules, like normal systemd can have 3 chars + 12 chars MAC maximum interface name.

No such limitation in nftables...

root@OpenWrt:~# nft -c -f - << AAA
> table inet t {
> chain c01234567890123456789012345678901234567890x {
> counter
> }
> }
> AAA
1 Like