rwalli
March 30, 2022, 5:46pm
1
Hello!
I am doing my first steps with nftables and having trouble with logging on "OpenWrt SNAPSHOT r19181-1bf94b6797" compiled with the default options.
nft add rule inet fw4 input log
Error: Could not process rule: No such file or directory
add rule inet fw4 input log
^^^
Am I missing something obvious?
To make the logging work with ip6 or inet tables, you need to install the ip6tables-nft package.
Can you elaborate on the dependency? It is probably very important since firewall4 is based on an inet table.
After some research I have to make the following adjustment:
The ipv4 logging also doesn't work on a fresh installation (my apologies, but it's easy to get confused after installing some additional packages).
The following kernel modules must be additionally installed:
## ip table
root@OpenWrt:~# opkg install kmod-ipt-core
Installing kmod-ipt-core (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-ipt-core_5.10.109-1_x86_64.ipk
Installing kmod-nf-ipt (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-nf-ipt_5.10.109-1_x86_64.ipk
Configuring kmod-nf-ipt.
Configuring kmod-ipt-core.
## ip6/inet table
root@OpenWrt:~# opkg install kmod-ip6tables
Installing kmod-ip6tables (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-ip6tables_5.10.109-1_x86_64.ipk
Installing kmod-nf-ipt6 (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-nf-ipt6_5.10.109-1_x86_64.ipk
Configuring kmod-nf-ipt6.
Configuring kmod-ip6tables.
So firewall4 needs this package in order to get the nf_log_ipv6 module installed for proper inet logging.
Pinging @jow since fw4 zone logging fails.
rwalli
March 31, 2022, 11:46am
7
Tried to log with "ip table" and can confirm that it does not work for ipv4 with the default installation.
Guess it is intended because the additional packages are quite large.
Maybe this should be mentioned in the 22.03.0 release notes because logging seems to be a widely used feature.