[kernel 5.4.x | nft] NAT not working due to missing kmods

{"kernel":"5.4.48","hostname":"OpenWrt","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"OpenWrt","version":"SNAPSHOT","revision":"r13611-3f27a6e640","target":"mvebu/cortexa9","description":"OpenWrt SNAPSHOT r13611-3f27a6e640"}}

opkg files kmod-nft-core
Package kmod-nft-core (5.4.48-1) is installed on root and has the following files:
opkg files kmod-nft-nat
Package kmod-nft-nat (5.4.48-1) is installed on root and has the following files:
opkg files kmod-nft-nat6
Package kmod-nft-nat6 (5.4.48-1) is installed on root and has the following files:

Steps to reproduce

nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; }
nft add chain inet filter output    { type filter hook output priority 0 \; }
nft add table inet nat
nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }

ending up with

Error: Could not process rule: No such file or directory

which is a common indication of a missing kernel function. For NFT NAT to work, the kmod nft_chain_nat is required, but it is absent:

modinfo nft_chain_nat
modinfo: ERROR: Module alias nft_chain_nat not found.


xzgrep NFT_NAT /proc/config.gz

Something seems wrong in the build system; it is failing to build that module.

Another module issue is with kmod-nft-nat6, which provides no *.ko file at all.

Appreciate if developers could take a look at the build system and get this sorted.

Have a look at QoS and nftables ... some findings to share

Not sure what you are trying to say on the subject?

Scroll up a bit through the thread; we made an effort to find out which packages are needed in the master branch to support nft QoS, and that includes NAT. In summary, it works, so I am surprised you have problems in your case. There are some modules that are not compiled, as you say; for example, CONFIG_NFT_RT is not set, causing issues with rules like

nft add rule ip filter forward oifname eth1 tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu

However, I did find that everything else seems to work.

That thread appears to be snapshots from 19.07 with kernel 4.14 (unless I am mistaken?), which is not Master. This thread is about kernel 5.4 from the Master branch.

Oh, shoot, you are right, apologies.

no worries

Issue also shows up with an upgraded snapshot

{"kernel":"5.4.50","hostname":"OpenWrt","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"OpenWrt","version":"SNAPSHOT","revision":"r13692-556eb9872d","target":"mvebu/cortexa9","description":"OpenWrt SNAPSHOT r13692-556eb9872d"}}

I'm seeing the same issue on r13859 (kernel 5.4.51) as well. The nft_chain_nat_ipv4 module is the one I assumed was the missing one.

I tried to add CONFIG_NFT_CHAIN_NAT_IPV4=y to my .config file to see if it would fix my build, but no dice.


Issue persists with an upgraded snapshot

OpenWrt SNAPSHOT r13958-bcd7a0c095


Looking at https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=db8ab38880e06dedbfc879e75f5b0ddc495f4eb6

The kconfig knobs for ipv4/ipv6 nat chain are removed, the nat chain type will be built unconditionally if NFT_NAT expression is enabled.

Maybe it is a bug in this kernel branch that it (nft_chain_nat.ko) only compiles with NF_NAT=y but not with NF_NAT=m

Did you try to build with NF_NAT=y? Any luck?

I did not but reading through https://bugs.openwrt.org/index.php?do=details&task_id=2815 implies as much.

Just FYI, I hit this issue too after an upgrade to an r14449 build (from something with a 4.14 kernel) broke my nftables rules.

Managed to find the nft_chain_nat.ko file from the build -- it did get built, it just wasn't included in the OpenWRT module package. Copying it over from build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/linux-mvebu_cortexa9/linux-5.4.63/net/netfilter/nft_chain_nat.ko to my device and manually insmoding it made everything work again.

I'm slightly suspicious this might have something to do with the include/netfilter.mk rules, which contain some rules for nft_chain_nat_ipv4 and nft_chain_nat_ipv6, but not for the new combined nft_chain_nat that they're apparently merged to after that kernel commit linked earlier. Might try playing around with that to see if it helps. (But this is all just from looking for any matches of nft_chain_nat anywhere; I'm definitely not an OpenWRT developer.)

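A preflight check that captures the finding above (the module is built from the kernel config but never lands in a kmod package), added here as an example; it is not code from the thread or from OpenWrt. It reads a kernel config in /proc/config.gz format and an `opkg files` listing, both embedded below as constructed samples, and reports for each netfilter module whether it is built in, shipped as a .ko, or missing. The symbol-to-module mapping is an assumption for this kernel series; in particular nft_chain_nat is checked under CONFIG_NFT_NAT because the linked kernel commit says the chain type is built whenever the NFT_NAT expression is enabled.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt.
# Cross-checks a kernel config against the .ko files the installed kmod
# packages ship, to catch the situation in the thread: a netfilter symbol
# built as =m whose module never made it into a kmod package.
# All inputs below are constructed sample data.

# Sample /proc/config.gz content (constructed; mirrors an =m netfilter build).
SAMPLE_CONFIG='CONFIG_NF_TABLES=m
CONFIG_NF_NAT=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ=m
# CONFIG_NFT_RT is not set'

# Sample "opkg files kmod-nft-*" output, concatenated (constructed).
# nft_chain_nat.ko is deliberately absent, as reported in the thread.
SAMPLE_PKG_FILES='/lib/modules/5.4.48/nf_nat.ko
/lib/modules/5.4.48/nft_nat.ko
/lib/modules/5.4.48/nft_masq.ko'

# kconfig_status SYMBOL CONFIG_TEXT -> builtin | module | missing
# "[= ]" after the symbol keeps CONFIG_NF_NAT from matching CONFIG_NF_NAT_*.
kconfig_status() {
    sym=$1
    line=$(printf '%s\n' "$2" | grep -E "^(# )?${sym}[= ]" | head -n 1)
    case "$line" in
        "${sym}=y") echo builtin ;;
        "${sym}=m") echo module ;;
        *)          echo missing ;;
    esac
}

# ko_packaged MODULE FILE_LIST -> yes | no
ko_packaged() {
    if printf '%s\n' "$2" | grep -q "/$1"'\.ko$'; then echo yes; else echo no; fi
}

# check_module SYMBOL MODULE CONFIG_TEXT FILE_LIST
#   -> ok | builtin | missing-config | missing-ko
# "ok" means the symbol is =m and its .ko is shipped; "builtin" needs no .ko.
check_module() {
    case "$(kconfig_status "$1" "$3")" in
        builtin) echo builtin ;;
        missing) echo missing-config ;;
        module)  [ "$(ko_packaged "$2" "$4")" = yes ] && echo ok || echo missing-ko ;;
    esac
}

# nft_nat_report CONFIG_TEXT FILE_LIST -> one "<module> <status>" line per module.
# Symbol-to-module mapping is an assumption for this kernel series: the linked
# commit says nft_chain_nat is built whenever NFT_NAT is enabled, so it is
# checked under CONFIG_NFT_NAT here.
nft_nat_report() {
    for pair in CONFIG_NF_NAT:nf_nat CONFIG_NFT_NAT:nft_nat \
                CONFIG_NFT_NAT:nft_chain_nat CONFIG_NFT_MASQ:nft_masq; do
        sym=${pair%%:*}
        mod=${pair#*:}
        echo "$mod $(check_module "$sym" "$mod" "$1" "$2")"
    done
}

# nft_nat_ready CONFIG_TEXT FILE_LIST -> exit 0 only if nothing is missing.
nft_nat_ready() {
    ! nft_nat_report "$1" "$2" | grep -q ' missing-'
}

nft_nat_report "$SAMPLE_CONFIG" "$SAMPLE_PKG_FILES"
if nft_nat_ready "$SAMPLE_CONFIG" "$SAMPLE_PKG_FILES"; then
    echo "nft NAT prerequisites present"
else
    echo "do not expect 'nft add chain ... type nat' to succeed" >&2
fi
```

On the router, replace the samples with the output of `zcat /proc/config.gz` and the concatenated `opkg files` output of each installed kmod-nft-* package. Run the check before loading rules, and load them with `nft -f` rather than a sequence of `nft add` commands: `nft -f` applies the file as a single transaction, so a nat chain that cannot be created aborts the whole load instead of leaving a filter ruleset in place without its NAT half.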

kmod-nft-nat6 doesn't provide .ko files, so IPv6 NAT with nftables doesn't work on master.