Nftables logging issues with bridge family

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello,

I am running OpenWrt 22.03.5, r20134-5f15225c1e on Netgear WNDR3700v2 with kernel modules currently loaded:

Installed Kernel Modules

root:~> lsmod | grep '^nf'
nf_conntrack 69872 8 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_bridge
nf_conntrack_bridge 3264 0
nf_defrag_ipv4 1216 1 nf_conntrack
nf_defrag_ipv6 5584 2 nf_conntrack_bridge,nf_conntrack
nf_flow_table 22352 4 nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_flow_offload
nf_flow_table_inet 576 0
nf_flow_table_ipv4 448 0
nf_flow_table_ipv6 448 0
nf_log_common 2912 2 nf_log_ipv6,nf_log_ipv4
nf_log_ipv4 3584 0
nf_log_ipv6 3904 0
nf_nat 22032 4 nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_reject_ipv4 2560 3 nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nf_reject_ipv6 2880 3 nft_reject_ipv6,nft_reject_inet,nft_reject_bridge
nf_tables 149744144 nft_fib_inet,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_meta_bridge,nft_masq,nft_log,nft_limit,nft_hash,nft_flow_offload,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_ct,nft_counter,nft_chain_nat
nfnetlink 5152 1 nf_tables
nft_chain_nat 864 2
nft_counter 1728 9
nft_ct 7616 3
nft_fib 1376 3 nft_fib_inet,nft_fib_ipv6,nft_fib_ipv4
nft_fib_inet 672 0
nft_fib_ipv4 2144 1 nft_fib_inet
nft_fib_ipv6 2848 1 nft_fib_inet
nft_flow_offload 3520 0
nft_hash 2336 0
nft_limit 3456 1
nft_log 1664 0
nft_masq 1792 1
nft_meta_bridge 1280 0
nft_nat 2592 0
nft_numgen 1440 0
nft_objref 1664 0
nft_quota 1952 0
nft_redir 1760 0
nft_reject 1120 4 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge
nft_reject_bridge 3840 0
nft_reject_inet 1152 2
nft_reject_ipv4 672 0
nft_reject_ipv6 672 0

I want to log certain communication and while on inet family everything works as expected:

root:~> nft add table inet filter
root:~> nft add chain inet filter prerouting
root:~> nft add rule inet filter prerouting log
root:~>

when I try to do the same action on bridge family (which is what I am aiming for), I get the following:

root:~> nft add table bridge filter
root:~> nft add chain bridge filter prerouting
root:~> nft add rule bridge filter prerouting log
Error: Could not process rule: No such file or directory
add rule bridge filter prerouting log
                                  ^^^
root:~>

Am I missing any package / kernel module ?

Thanks for your help

2

It looks like the kmod-nft-bridge package disables the LOG module, if I read it correctly.

3

ok, wow, so except starting building by myself there is not much I can do about, or ?

4

Maybe load it manually before you add the rule?

$ modprobe -v nft_log
5

thx for the hint, but...

root:~> modprobe -v nft_log
nft_log is already loaded

If I understand the comment from dave14305 correctly, this is about kmod-nft-bridge.ko been excluded during image build

6

Bah, I was hoping it just didn't create the dependency properly, but it appears that the config ifdefs out the calls altogether...

7

It used to be forcefully excluded because it didn’t exist before kernel 5.13, but now it’s just inactive and could be included if you build your own image in 23.05 or main branches.

8

@dave14305,

now it’s just inactive

I guess, logging should be one of the core needs, or ? So, might be you want to include one of the future OpenWrt releases ? :smiley:

Anyhow.. I found a workaround that works for me on the current OpenWrt release, which is logging certain packets via setting nftrace meta flag to 1 and subsequently logging these offending connections via nft monitor :+1:

1 Like
9

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.