Nftables logging

Hello!

I am taking my first steps with nftables and am having trouble with logging on "OpenWrt SNAPSHOT r19181-1bf94b6797" compiled with the default options.

nft add rule inet fw4 input log
Error: Could not process rule: No such file or directory
add rule inet fw4 input log
                        ^^^

Am I missing something obvious?

To make the logging work with ip6 or inet tables, you need to install the ip6tables-nft package.

Perfect, thank you!

Can you elaborate on the dependency? It is probably very important since firewall4 is based on an inet table.

After some research I have to make the following adjustment:

The ipv4 logging also doesn't work on a fresh installation (my apologies, but it's easy to get confused after installing some additional packages).

The following kernel modules must be additionally installed:

## ip table
root@OpenWrt:~# opkg install kmod-ipt-core
Installing kmod-ipt-core (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-ipt-core_5.10.109-1_x86_64.ipk
Installing kmod-nf-ipt (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-nf-ipt_5.10.109-1_x86_64.ipk
Configuring kmod-nf-ipt.
Configuring kmod-ipt-core.

## ip6/inet table
root@OpenWrt:~# opkg install kmod-ip6tables
Installing kmod-ip6tables (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-ip6tables_5.10.109-1_x86_64.ipk
Installing kmod-nf-ipt6 (5.10.109-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.109-1-974809f18940ab659f16306b93f28d72/kmod-nf-ipt6_5.10.109-1_x86_64.ipk
Configuring kmod-nf-ipt6.
Configuring kmod-ip6tables.

So firewall4 needs this package in order to get the nf_log_ipv6 module installed for proper inet logging.

Pinging @jow since fw4 zone logging fails.

Tried to log with "ip table" and can confirm that it does not work for ipv4 with a default installation.

Guess it is intended because the additional packages are quite large.
Maybe this should be mentioned in the 22.03.0 release notes because logging seems to be a widely used feature.
