Is it possible to add a DUP (duplicate) module as a replacement for the TEE iptables module with FW4?
As a workaround I use NFT for the firewall and iptables for the TEE module, but since FW4 is the new standard I hope I can remove iptables in a future release.
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_DUP_IPV6 is not set
Duplicating packets - nftables wiki
openwrt/config-5.15 at master · openwrt/openwrt · GitHub
Here is another user's issue/request:
Firewall4 custom nftables rule with dup statement results in "Unknown Family" - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum
Did you submit a pull request implementing the change?
It's rather unlikely for anyone to pick up feature requests and work on them for stuff they don't need; providing a tested patch tends to be received more easily.
Based on this the kernel configuration should be there, but I found nothing in make menuconfig:
IPv4 nf_tables packet duplication support - CONFIG_NFT_DUP_IPV4 - nft_dup_ipv4.ko - kernelconfig.io
I work in the openwrt-22.03 branch.
The config is only in generic, but I can't enable it on MVEBU:
~/openwrt $ grep DUP target/linux/generic/config-5.10
I just opened a subject related to this:
OpenWrt 22.03 build - kernel modules compiling BUT missing in install image - #2 by bolemo
Seems like even with CONFIG_NF_DUP_IPV6=y, the produced image does not include the kernel modules (they get lost between the building directory and the staging directory).
But adding the kernel modules manually works.
Thanks for the info. I will try the module; probably I can load it on the stable version if I just copy the module manually.
If the modules are compiled on the same system for the same kernel (version and all), it should work, yes.
I want to tack onto this thread, if that is ok, as I have a very similar request regarding CONFIG_NFT_CONNLIMIT:
As outlined here:
I cannot create any rule using "ct count".
Executing this on cli:
nft add rule inet fw4 forward tcp dport 22 ct count 10 accept
Results in this:
Error: Could not process rule: No such file or directory
add rule inet fw4 forward tcp dport 22 ct count 10 accept
Can anyone else confirm that this works? The nftables wiki article also reads:
Note: connlimits requi…
In that same thread I posted about the legacy iptables package iptables-mod-conntrack-extra, which provides the connlimit kmod (and others) for fw3/iptables.
IMHO it would be wonderful if NFT_CONNLIMIT, NFT_DUP, and others might be built as modules and packaged up in a similar way for fw4 for those of us that want such functionality.
Cheers, and happy holidays!
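An added example, not from any post in this thread, of what the two requests above would look like as an nftables ruleset once the kernel modules are in the image: a packet-duplication rule standing in for iptables TEE (the first post) and a connection limit using ct count (the last post). The interface names, the 192.0.2.50 sensor address and the limit of 10 are constructed placeholders; it assumes nft_dup_ipv4.ko and nft_connlimit.ko are installed and is loaded with nft -f as its own table alongside fw4's table, not inside it.

```nft
# Added example, not from the thread. Constructed values: br-lan, eth0.10,
# 192.0.2.50. Requires kernel modules nft_dup_ipv4 (CONFIG_NFT_DUP_IPV4)
# and nft_connlimit (CONFIG_NFT_CONNLIMIT); without them nft fails with
# "No such file or directory", exactly the error quoted in the thread.
# Load with: nft -f /etc/nftables.d/mirror.nft (coexists with table inet fw4)

table ip mirror {
    chain forward_mirror {
        # priority -1 runs before fw4's forward chain (priority 0), so the
        # copy is taken even for packets fw4 later drops
        type filter hook forward priority -1; policy accept;

        # nftables replacement for "iptables -j TEE --gateway 192.0.2.50":
        # send a copy of each forwarded LAN packet to the sensor out of
        # eth0.10; the original packet continues through the ruleset untouched
        iifname "br-lan" dup to 192.0.2.50 device "eth0.10"
    }

    chain input_limit {
        type filter hook input priority 0; policy accept;

        # connlimit via nft_connlimit: drop new SSH connections once this rule
        # already tracks 10 of them. Plain "ct count" is a global count, not
        # per source; per-host limits need a dynamic set keyed on ip saddr.
        tcp dport 22 ct state new ct count over 10 counter drop
    }
}
```

Check what the kernel actually loaded with `nft list ruleset` after loading; an "Unknown Family" or "No such file or directory" error at load time means the matching kmod is still missing from the image rather than a syntax problem.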