Nft rule for TTL mangling

I'm trying to get smcroute working on recent OpenWrt (so I can use DLNA over wireguard). To do this I need to mangle the time-to-live for multicast packets. I can't for the life of me sort out a way to do this with nft.

I tried iptables-translate and got this:

# iptables-translate -A PREROUTING -d -i br-lan -j TTL --ttl-inc 2
nft # -A PREROUTING -d -i br-lan -j TTL --ttl-inc 2

Which just seems to be iptables-translate throwing up its hands and saying dunno.
When I tried to use iptables-nft to do it, I got this rule:

# iptables-nft -A PREROUTING -d -i br-lan -j TTL --ttl-inc 2
# nft list ruleset
table ip mangle {
		type filter hook prerouting priority mangle; policy accept;
		iifname "br-lan" ip daddr counter packets 173 bytes 65813 # xt_TTL

That rule does not look anything like something that will mangle TTL, and doesn't seem to actually work.

Any suggestions?



Yea, I saw that topic. In my case, I'm trying to increment the TTL, not set it to a fixed number. I'm playing with that to see if I can make it work. No luck so far.

If anyone knows the syntax to increment TTL in nftables, it'd be very helpful.

Not supported today in nftables.

Thank you for the link. "Not supported today in nftables" seems to be a common thread with the iptables->nftables conversion. Though in this case, I see that it's not really necessary. It does make me wonder why iptables-nft creates what appears to be a nonsense nft rule when presented with:
iptables-nft -A PREROUTING -d -i br-lan -j TTL --ttl-inc 2

I still can't for the life of me get dlna-over-wireguard to work. I settled on this nft rule for adjusting the ttl:
nft add rule inet fw4 mangle_forward iifname "br-lan" ip daddr ip ttl set 3

And this is my /etc/smcroute.conf on the devices on both sides of the vpn:

phyint vpn enable
phyint br-lan enable

mgroup from br-lan group
mroute from br-lan group to vpn

mgroup from vpn group
mroute from vpn group to br-lan

I don't know if the problem is smcroute, or the ttl rule. For the time being, I've resorted to creating a local minidlna instance on the remote side of the vpn and having it use the remote media server's files mounted by cifs.
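
One way to check what a ruleset really does to TTL, as an added example that is not part of the thread: the script reads the JSON form of the ruleset (`nft -j list ruleset`) and reports, for each rule touching TTL, which netfilter hook its chain is attached to and whether it is a native `ip ttl set` statement or an iptables-nft compat target. The sample input is constructed, and the JSON layout (`mangle` statements, `xt` entries carrying a target name) is an assumption about the installed nft version.

```python
import json

# Constructed sample shaped like `nft -j list ruleset` output (not taken from the thread).
SAMPLE = json.dumps({"nftables": [
    {"chain": {"family": "ip", "table": "mangle", "name": "PREROUTING",
               "type": "filter", "hook": "prerouting", "prio": -150}},
    {"chain": {"family": "inet", "table": "fw4", "name": "mangle_forward",
               "type": "filter", "hook": "forward", "prio": -150}},
    {"rule": {"family": "ip", "table": "mangle", "chain": "PREROUTING", "handle": 2,
              "expr": [{"counter": {"packets": 173, "bytes": 65813}},
                       {"xt": {"type": "target", "name": "TTL"}}]}},
    {"rule": {"family": "inet", "table": "fw4", "chain": "mangle_forward", "handle": 9,
              "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                  "right": "br-lan"}},
                       {"mangle": {"key": {"payload": {"protocol": "ip", "field": "ttl"}},
                                   "value": 3}}]}},
]})


def ttl_rules(ruleset_json):
    """Return (family, table, chain, hook, kind, value) for every rule touching TTL."""
    items = json.loads(ruleset_json)["nftables"]
    # Map each base chain to its netfilter hook; regular chains have no hook.
    hooks = {(c["family"], c["table"], c["name"]): c.get("hook")
             for c in (i["chain"] for i in items if "chain" in i)}
    found = []
    for rule in (i["rule"] for i in items if "rule" in i):
        key = (rule["family"], rule["table"], rule["chain"])
        for stmt in rule.get("expr", []):
            xt = stmt.get("xt")
            mangle = stmt.get("mangle")
            if isinstance(xt, dict) and xt.get("name") == "TTL":
                # iptables-nft compat target: plain `nft list` shows it only as "# xt_TTL".
                found.append(key + (hooks.get(key), "xt-compat", None))
            elif isinstance(mangle, dict) and isinstance(mangle.get("key"), dict):
                # Native statement such as `ip ttl set 3`.
                if mangle["key"].get("payload", {}).get("field") == "ttl":
                    found.append(key + (hooks.get(key), "native-set", mangle["value"]))
    return found


if __name__ == "__main__":
    for fam, table, chain, hook, kind, value in ttl_rules(SAMPLE):
        print(f"{fam} {table} {chain} hook={hook} {kind} value={value}")
```

The iptables rule earlier in the thread targeted PREROUTING, while the nft rule sits in a forward-hook chain; the hook column makes that difference visible. Linux compares a multicast packet's TTL against the interface threshold before the forward hook runs, so the hook a TTL rewrite is attached to matters for multicast routing.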