Lets talk about firewall4 (default nftables firewall)

brada4 · June 3, 2025, 3:43am

I got reordering only of few udp packets?

glassdoor · June 3, 2025, 4:41am

yes just a few. under 20. and most of the time just 2

brada4 · June 3, 2025, 4:46am

I got 2-3 per minute before patch and after patch 2 per hour. iperf3 --bidir, dut is tuf-ax4200
unoffloaded tcp could be improved by making mssfix "global" ie without interfaces, this is only a quick bolt-on.

brada4 · June 7, 2025, 7:36am

@glassdoor please check if this (mandatory per-packet iifname) also applies
-- https://github.com/openwrt/firewall4/pull/27
I had it out long before PR.

glassdoor · July 19, 2025, 4:23am

I have recently resolved udp issues when hw offload is enabled by disabling fraglist gro by default. Patch for kernel 6.6 is attached.
Turns out it has nothing to do with nftables firewall!
Do test and let me know if you see the same

--- a/include/linux/netdev_features.h
+++ b/include/linux/netdev_features.h
@@ -243,10 +243,10 @@ static inline int find_next_netdev_featu
 #define NETIF_F_UPPER_DISABLES	NETIF_F_LRO
 
 /* changeable features with no special hardware requirements */
-#define NETIF_F_SOFT_FEATURES	(NETIF_F_GSO | NETIF_F_GRO | NETIF_F_GRO_FRAGLIST)
+#define NETIF_F_SOFT_FEATURES	(NETIF_F_GSO | NETIF_F_GRO)
 
 /* Changeable features with no special hardware requirements that defaults to off. */
-#define NETIF_F_SOFT_FEATURES_OFF	(NETIF_F_GRO_UDP_FWD)
+#define NETIF_F_SOFT_FEATURES_OFF	(NETIF_F_GRO_UDP_FWD | NETIF_F_GRO_FRAGLIST)
 
 #define NETIF_F_VLAN_FEATURES	(NETIF_F_HW_VLAN_CTAG_FILTER | \
 				 NETIF_F_HW_VLAN_CTAG_RX | \

brada4 · July 19, 2025, 7:06am

Well, you are not alone in this fight

github.com/openwrt/openwrt

WiFi download speed degraded when using VLANs on Asus RT-AX89X and kernel 6.12

opened 08:24AM - 21 Jun 25 UTC

memoryhash

bug invalid

### Describe the bug When using main @ https://github.com/openwrt/openwrt/commi…t/bbd95c0523174dc724a40b4d2483cadf7dc9907c along with this patch (which I do not believe is the cause) https://github.com/openwrt/openwrt/pull/18823/commits/0062a9f97c17d53a1050e1832eec2e95a9fbc8b6 then I observe very cripplingly slow speeds ~10-20mbps when using a dynamic VLAN. If I however do not use a dynamic VLAN, speeds are back up to normal and I observe ~900-1000mbps with no issue. I then observed https://github.com/openwrt/openwrt/issues/19130 which has very similar characteristics, leading me to indicate this may be some form of "common" 6.12 regression. I then reverted 8dbbca029d8ceba0a8c21d1af992bfa6f0da4865 31ba5e59b23dec6156cc97c48e7296d0e5d6bdc9 and ddbb882b7b6bd3395c61308ea7f1c70b840d8a45 and did a build with the 6.6 kernel. No issues, and worked fully as intended. ### OpenWrt version r30135+7-bbd95c0523 ### OpenWrt release SNAPSHOT ### OpenWrt target/subtarget qualcommax/ipq807x ### Device Asus RT-AX89X ### Image kind Self-built image ### Steps to reproduce Configure a WPA3 Enterprise network with a RADIUS server configured for Dynamic VLANs. End user needs to connect to the AP using credentials that place them onto a VLAN. ### Actual behaviour Download speed is 10-20mbps. ### Expected behaviour Download speed is 900-1000mbps. ### Additional info I strongly suspect that this is a regression in the 6.12 kernel rebase, or perhaps even in upstream 6.12. ### Diffconfig ```text CONFIG_TARGET_qualcommax=y CONFIG_TARGET_qualcommax_ipq807x=y CONFIG_TARGET_qualcommax_ipq807x_DEVICE_asus_rt-ax89x=y CONFIG_DEVEL=y CONFIG_TOOLCHAINOPTS=y # CONFIG_ATH11K_THERMAL is not set CONFIG_BUILD_PATENTED=y CONFIG_BUSYBOX_DEFAULT_PIE=y CONFIG_CCACHE=y CONFIG_EXPERIMENTAL=y # CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR is not set CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y CONFIG_KERNEL_STACKPROTECTOR_STRONG=y CONFIG_PACKAGE_cgi-io=y CONFIG_PACKAGE_ethtool=y CONFIG_PACKAGE_htop=y CONFIG_PACKAGE_kmod-lib-crc-itu-t=y # CONFIG_PACKAGE_kmod-ppp is not set CONFIG_PACKAGE_liblucihttp=y CONFIG_PACKAGE_liblucihttp-ucode=y CONFIG_PACKAGE_libncurses=y CONFIG_PACKAGE_luci=y CONFIG_PACKAGE_luci-app-firewall=y CONFIG_PACKAGE_luci-app-package-manager=y CONFIG_PACKAGE_luci-base=y CONFIG_PACKAGE_luci-light=y CONFIG_PACKAGE_luci-mod-admin-full=y CONFIG_PACKAGE_luci-mod-network=y CONFIG_PACKAGE_luci-mod-status=y CONFIG_PACKAGE_luci-mod-system=y CONFIG_PACKAGE_luci-proto-ipv6=y CONFIG_PACKAGE_luci-proto-ppp=y CONFIG_PACKAGE_luci-ssl=y CONFIG_PACKAGE_luci-theme-bootstrap=y CONFIG_PACKAGE_nano=y # CONFIG_PACKAGE_ppp is not set CONFIG_PACKAGE_px5g-mbedtls=y CONFIG_PACKAGE_rpcd=y CONFIG_PACKAGE_rpcd-mod-file=y CONFIG_PACKAGE_rpcd-mod-iwinfo=y CONFIG_PACKAGE_rpcd-mod-luci=y CONFIG_PACKAGE_rpcd-mod-rrdns=y CONFIG_PACKAGE_rpcd-mod-ucode=y CONFIG_PACKAGE_terminfo=y CONFIG_PACKAGE_ucode-mod-html=y CONFIG_PACKAGE_ucode-mod-math=y CONFIG_PACKAGE_uhttpd=y CONFIG_PACKAGE_uhttpd-mod-ubus=y # CONFIG_PACKAGE_wpad-basic-mbedtls is not set CONFIG_PACKAGE_wpad-mbedtls=y CONFIG_PKG_ASLR_PIE_ALL=y # CONFIG_PKG_ASLR_PIE_REGULAR is not set CONFIG_PKG_CC_STACKPROTECTOR_ALL=y # CONFIG_PKG_CC_STACKPROTECTOR_REGULAR is not set # CONFIG_PKG_FORTIFY_SOURCE_1 is not set CONFIG_PKG_FORTIFY_SOURCE_2=y CONFIG_TARGET_OPTIMIZATION="-O2 -pipe -mcpu=cortex-a53+crc+crypto" CONFIG_TARGET_OPTIONS=y CONFIG_USE_GC_SECTIONS=y CONFIG_ZLIB_OPTIMIZE_SPEED=y # CONFIG_HTOP_LMSENSORS is not set ``` ### Terms - [x] I am reporting an issue for OpenWrt, not an unsupported fork.

(format your ```diff please)

glassdoor · July 19, 2025, 7:40am

interesting...
why the resistance to disable it by default especially for hwoffload??!! since it's not helping with performance as it is already hw offloaded.

simple way to test. iperf3 udp is no longer complaining about out of order packets. And my local voip system has been working flawlessly since.

brada4 · July 19, 2025, 7:45am

rx-gro-list is disabled in snapshots, hope it comes to 24.10 soon.

glassdoor · July 19, 2025, 7:49am

i didn't see a PR for 24.10 yet. you want to volunteer?

brada4 · July 19, 2025, 7:52am

Well, original author is at it. Given my UX wit contributing year is optimistic assessment of anything landing on end-user device.

glassdoor · July 19, 2025, 7:56am

sorry.. i just check mainline.. the rx-gro-list enabling patch is still there in both 6.6 and 6.12 generic hacks.

brada4 · July 19, 2025, 8:00am

This, no pr yet

nemesis · August 13, 2025, 11:23pm

It may be easier to just migrate to uspot, see:

brada4 · August 14, 2025, 5:07am

Well, it is a complement to eachother. But if anything gets fixed down the road it is welcome.

nemesis · August 14, 2025, 5:35pm

I have some experience with coova-chilli and I have noticed a few problems which are resolved with uspot:

firewall integration with openwrt is super tricky
Radsec is not supported in openwrt unless you edit the makefile and recompile
debug output pollutes syslog output
SSL redirection crashes the process
performance is pretty bad, disabling segmentation offloading with ethtool kinda improves it, but still sucks compared to uspot
CPU usage is pretty high on busy APs
I was not able to get DHCP relay to work
unplugging the WAN and replugging it causes the captive portal redirection to stop working

So the migration to nftables is just one of the many issues, at this point IMHO fixing coova-chilli it’s not worth it. But of course if anyone is able and willing to do it and has a reason to do so it’s good provide some extra lifetime to coova-chilli deployments.

brada4 · August 14, 2025, 6:36pm

coovachili uses iptables netlink to program old iptables, there is no possible good integration or migration to nftables possible. It is like 50 such packages that stand no chance for future.

List: https://github.com/openwrt/packages/issues/16818

brada4 · August 15, 2025, 7:28am

Zero impact from ranting in that thread unless you really are to rewrite coova kmod for nftables.

lantis1008 · September 30, 2025, 1:35pm

Many weeks later… I have backported the changes from kernel 6.13 to 6.6.
You can apply the individual patches on their own without any impacts (that I have noticed).

One caveat going back to 6.6 was the nft_parse_register_load function definition changed, but we can undo this as well trivially rather than carry additional patches.

Having this functionality working is so much more flexible.

024-backport_nftables_bitwise_mask_xor.patch

brada4 · October 1, 2025, 8:03am

Impressive, some ago i tried bit ops and just left it alone wondering that they go between noop and unpredictable

dave14305 · October 1, 2025, 2:18pm

Does anyone have any thoughts on how a nftables vmap statement should be displayed visually in LuCI?

You end up with multiple "Rule matches" and "Rule actions" per vmap statement. Do you just stack them up in their appropriate columns, or split them out as if they were separate rules altogether?

Thoughts? @systemcrash?