NFT DUP module REQUEST

nicdesrochers · December 16, 2022, 2:15pm

Hi,

Is it possible to add DUP (duplicate) module for replacement of the TEE iptables module with FW4

As I workaround I use NFT for firewall and iptables for tee modules, but since FW4 is the new standard I hope I can remove iptables in the futures release.

Thanks

#CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_DUP_IPV6 is not set

Duplicating packets - nftables wiki

openwrt/config-5.15 at master · openwrt/openwrt · GitHub

Here other users issue/request
Firewall4 custom nftables rule with dup statement results in "Unknown Family" - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum

slh · December 16, 2022, 8:35pm

Did you submit a pull request implementing the change?

It's rather unlikely for anyone to pick up feature requests and work on them for stuff they don't need, providing a tested patch tends to be received more easily.

nicdesrochers · December 16, 2022, 8:52pm

Ok I will try then.

Thanks

nicdesrochers · December 17, 2022, 4:19pm

Base on this the kernel configuration should be there, but I found noting in make menuconfig

IPv4 nf_tables packet duplication support - CONFIG_NFT_DUP_IPV4 - nft_dup_ipv4.ko - kernelconfig.io

I work in the openwrt-22.03 branch
The config is only in generic, but I can't enable it on MVEBU

~/openwrt $ grep DUP target/linux/generic/config-5.10
CONFIG_NFT_DUP_IPV4=y
CONFIG_NFT_DUP_IPV6=y

bolemo · December 17, 2022, 5:29pm

I just opened a subject related to this: OpenWrt 22.03 build - kernel modules compiling BUT missing in install image - #2 by bolemo

Seems like even with CONFIG_NFT_DUP_IPV4=y, CONFIG_NFT_DUP_IPV6=y, CONFIG_NF_DUP_IPV4=y, CONFIG_NF_DUP_IPV6=y, the produced image does not include the kernel modules (they get lost between the building directory and he staging directory.

But adding manually the kernel modules works

nicdesrochers · December 17, 2022, 9:38pm

Thanks for the info, I will try the module so probably I can load it on the stable version if I just copy the module manually

bolemo · December 17, 2022, 10:57pm

If the modules are compiled on the same system for the same kernel (version and all), it should work yes.

klipz · December 28, 2022, 7:47pm

I want to tack onto this thread, if that is ok, as I have a very similar request regarding CONFIG_NFT_CONNLIMIT:

In that same thread I posted about the legacy iptables package iptables-mod-conntrack-extra which provides the connlimit kmod (and others) for fw3/iptables.

IMHO it would be wonderful if NFT_CONNLIMIT, NFT_DUP, and others might be built as modules and packaged up in a similar way for fw4 for those of us that want such functionality.

Cheers, and happy holidays!