[kernel 5.4.x | nft] NAT not working due to missing kmods

anon27813507 · June 24, 2020, 9:23am

{"kernel":"5.4.48","hostname":"OpenWrt","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"OpenWrt","version":"SNAPSHOT","revision":"r13611-3f27a6e640","target":"mvebu/cortexa9","description":"OpenWrt SNAPSHOT r13611-3f27a6e640"}}

opkg files kmod-nft-core

Package kmod-nft-core (5.4.48-1) is installed on root and has the following files:
/lib/modules/5.4.48/nft_reject.ko
/lib/modules/5.4.48/nft_reject_ipv4.ko
/lib/modules/5.4.48/nf_tables_set.ko
/lib/modules/5.4.48/nft_numgen.ko
/lib/modules/5.4.48/nft_counter.ko
/lib/modules/5.4.48/nft_reject_ipv6.ko
/lib/modules/5.4.48/nft_ct.ko
/lib/modules/5.4.48/nf_tables.ko
/lib/modules/5.4.48/nft_redir.ko
/lib/modules/5.4.48/nft_limit.ko
/lib/modules/5.4.48/nft_hash.ko
/lib/modules/5.4.48/nft_objref.ko
/lib/modules/5.4.48/nft_reject_inet.ko
/lib/modules/5.4.48/nft_quota.ko
/lib/modules/5.4.48/nft_log.ko
/etc/modules.d/nft-core

opkg files kmod-nft-nat

Package kmod-nft-nat (5.4.48-1) is installed on root and has the following files:
/lib/modules/5.4.48/nft_masq.ko
/etc/modules.d/nft-nat
/lib/modules/5.4.48/nft_nat.ko

opkg files kmod-nft-nat6

Package kmod-nft-nat6 (5.4.48-1) is installed on root and has the following files:

Steps to reproduce

nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; }
nft add chain inet filter output    { type filter hook output priority 0 \; }
nft add table inet nat
nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }

ending up with

Error: Could not process rule: No such file or directory

which is a common indication of a missing kernel function. For NFT NAT to work it requires kmod nft_chain_nat which though is absent

modinfo nft_chain_nat
modinfo: ERROR: Module alias nft_chain_nat not found.

despite

xzgrep NFT_NAT /proc/config.gz
CONFIG_NFT_NAT=m

There seems something wrong in the build system missing to build that module.

Another module issue is with kmod-nft-nat6 that provides no *.ko file at all.

Appreciate if developers could take a look at the build system and get this sorted.

amteza · June 24, 2020, 8:11pm

Have a look at QoS and nftables ... some findings to share

anon27813507 · June 24, 2020, 8:18pm

Not sure what you are trying to say on the subject?

amteza · June 24, 2020, 8:23pm

Scroll up a bit through the thread, we made an effort to find out what packages are needed in the master branch to support nft QoS, that includes NAT. In summary, it works, so I am surprised you have problems in your case. There are some modules that are not compiled as you say, for example, CONFIG_NFT_RT is not set causing issues with rules like

nft add rule ip filter forward oifname eth1 tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu

However, I did find that everything else seems to work.

anon27813507 · June 24, 2020, 8:28pm

That thread appears to be snapshots from 19.07 with kernel 4.14 (unless I am mistaken?)

which is not Master. This thread is about kernel 5.4 from the Master branch

amteza · June 24, 2020, 8:31pm

Oh, shoot, you are right, apologies.

anon27813507 · June 24, 2020, 8:31pm

no worries

anon27813507 · July 5, 2020, 10:21am

Issue also exhibits with upgraded snapshot

{"kernel":"5.4.50","hostname":"OpenWrt","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"OpenWrt","version":"SNAPSHOT","revision":"r13692-556eb9872d","target":"mvebu/cortexa9","description":"OpenWrt SNAPSHOT r13692-556eb9872d"}}

_FailSafe · July 15, 2020, 6:10pm

I'm seeing the same issue on r13859 (kernel 5.4.51) as well. The nft_chain_nat_ipv4 module is the one I assumed was the missing one.

I tried to add CONFIG_NFT_CHAIN_NAT_IPV4=y to my .config file to see if it would fix my build, but no dice.

anon27813507 · July 29, 2020, 1:46pm

Issue persists with upgraded snapshot

OpenWrt SNAPSHOT r13958-bcd7a0c095

anon27813507 · July 30, 2020, 1:47pm

Looking at https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=db8ab38880e06dedbfc879e75f5b0ddc495f4eb6

The kconfig knobs for ipv4/ipv6 nat chain are removed, the nat chain type will be built unconditionally if NFT_NAT expression is enabled.

Maybe it is a bug in this kernel branch that it (nft_chain_nat.ko) only compiles with NF_NAT=y but not with NF_NAT=m

_FailSafe · July 30, 2020, 10:47pm

Did you try to build with NF_NAT=y? Any luck?

anon27813507 · July 31, 2020, 10:54am

I did not but reading through https://bugs.openwrt.org/index.php?do=details&task_id=2815 implies as much.

fis · September 12, 2020, 9:23pm

Just FYI, hit this issue too after a upgrade to a r14449 build (from something with a 4.14 kernel) broke my nftables rules.

Managed to find the nft_chain_nat.ko file from the build -- it did get built, it just wasn't included in the OpenWRT module package. Copying it over from build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/linux-mvebu_cortexa9/linux-5.4.63/net/netfilter/nft_chain_nat.ko to my device and manually insmoding it made everything work again.

I'm slightly suspicious this might have something to do with the include/netfilter.mk rules, which contain some rules for nft_chain_nat_ipv4 and nft_chain_nat_ipv6, but not for the new combined nft_chain_nat that they're apparently merged to after that kernel commit linked earlier. Might try playing around with that to see if it helps. (But this is all just from looking for any matches of nft_chain_nat anywhere; I'm definitely not an OpenWRT developer.)

easyteacher · April 2, 2022, 3:35am

kmod-nft-nat6 doesn't provide ko files, so IPV6 NAt with nftables doesn't work on master.