Nftables NFLOG rule

Hi all, trying to implement an nftables NFLOG rule to allow nhrpd to intercept multicast packets, as detailed under Multicast Functionality at https://docs.frrouting.org/en/latest/nhrpd.html, on OpenWrt 22.03.

The original iptables command is as follows:

```
iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2
```

I have tried using the following commands to create the command for nftables but with no success:


```
root@OpenWrt:/# nft add chain ip filter OUTPUT { type filter hook input priority

root@OpenWrt:/# nft add rule filter OUTPUT oif gre1 log ip daddr 224.0.0.0/24 ct
 state new logging prefix \"NHRP Multicast: \" group 2 accept
Error: syntax error, unexpected prefix
add rule filter OUTPUT oif gre1 log ip daddr 224.0.0.0/24 ct state new logging prefix "NHRP Multicast: " group 2 accept
                                                                               ^^^^^^
root@OpenWrt:/#
```

It doesn't appear to like the prefix syntax. I have also tried this without it, to no avail:

```
root@OpenWrt:/# nft add rule filter OUTPUT oif gre1 log ip daddr 224.0.0.0/24 ct
 state new logging group 2 accept
Error: syntax error, unexpected group
add rule filter OUTPUT oif gre1 log ip daddr 224.0.0.0/24 ct state new logging group 2 accept
                                                                               ^^^^^
```

I've installed the following packages as recommended previously too:

```
opkg install ip6tables-nft
opkg install kmod-ipt-core
opkg install kmod-ip6tables
```

Any help would be greatly received, thanks in advance!

```
opkg update; opkg install ulogd-mod-nflog
nft add rule inet fw4 output oifname "gre1" ip daddr 224.0.0.0/24 ct state new log prefix \"NHRP Multicast: \" group 2 accept
```
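
An added example (not from the thread or the FRR documentation): a POSIX shell helper, hypothetically named `ipt_nflog_to_nft`, that prints the direct nft equivalent of an `iptables ... -j NFLOG` rule such as the one in the question. It assumes the fw4 table `inet fw4` with its `input`, `output` and `forward` chains, and it translates only what the iptables rule states, so it does not add the `ct state new` match or the `accept` verdict used in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread. ipt_nflog_to_nft is a hypothetical helper:
# it prints the nft command for an "iptables -A <CHAIN> ... -j NFLOG" rule and
# executes nothing. Assumes the fw4 table "inet fw4" with lower-case chain names.
ipt_nflog_to_nft() (
    chain='' match='' target='' prefix=''
    # iptables NFLOG defaults to group 0; an nft "log" statement without
    # "group" writes to the kernel log instead, so "group" is always emitted.
    group=0
    [ "$1" = iptables ] && shift
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
        case "$1" in
            -o|-i)
                case "$2" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $2" >&2; return 1 ;; esac
                [ "$1" = -o ] && match="$match oifname \"$2\"" || match="$match iifname \"$2\"" ;;
            -d|-s)
                case "$2" in ''|*[!0-9./]*) echo "bad IPv4 address: $2" >&2; return 1 ;; esac
                [ "$1" = -d ] && match="$match ip daddr $2" || match="$match ip saddr $2" ;;
            -A) chain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]') ;;
            -j) target=$2 ;;
            --nflog-group) group=$2 ;;
            --nflog-prefix) prefix=$2 ;;
            *) echo "unsupported option: $1" >&2; return 1 ;;
        esac
        shift 2
    done
    case "$chain" in input|output|forward) ;; *) echo "unsupported chain: $chain" >&2; return 1 ;; esac
    [ "$target" = NFLOG ] || { echo "only -j NFLOG is handled" >&2; return 1; }
    # NFLOG group numbers are 16-bit (0-65535)
    case "$group" in ''|*[!0-9]*|??????*) echo "bad group: $group" >&2; return 1 ;; esac
    [ "$group" -le 65535 ] || { echo "group out of range: $group" >&2; return 1; }
    log='log'
    if [ -n "$prefix" ]; then
        # refuse characters that would break the quoting of the printed command
        case "$prefix" in *\"*|*\'*|*\\*) echo "bad prefix" >&2; return 1 ;; esac
        log="log prefix \"$prefix\""
    fi
    # Matches come first so only matching packets are logged; prefix and group
    # are options of the single log statement.
    printf "nft 'add rule inet fw4 %s%s %s group %s'\n" "$chain" "$match" "$log" "$group"
)

# The iptables rule from the question:
ipt_nflog_to_nft iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2
```

The printed command wraps the whole rule in single quotes so the inner double quotes reach nft unchanged.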

Thank you @pavelgl for your help & quick response, this has resolved my issue and I've now got a working ospf adjacency over dmvpn :+1:

I'm anticipating your next question, how to make this persistent...

If you put your rule in /etc/firewall.user,

```
$ cat /etc/firewall.user
#!/bin/sh
nft add rule inet fw4 output oifname "gre1" ip daddr 224.0.0.0/24 ct state new log prefix \"NHRP Multicast: \" group 2 accept
```

Then edit /etc/config/firewall, adding this:

```
config include
        option enabled '1'
        option type 'script'
        option path '/etc/firewall.user'
        option fw4_compatible '1'
```

Then when you reload the firewall using fw4 reload, it will be automatically included and you don't have to worry about it on the next reboot.

Confirm that it looks good with

```
$ fw4 reload
$ nft list chain inet fw4 output
table inet fw4 {
        chain output {
                type filter hook output priority filter; policy accept;
                ... other rules ...
                < your rule here >
        }
}
```

Thank you @efahl, you read my mind :joy:

Oops, I forgot something!

Also do this, so sysupgrade "with backup" (and also Attended Sysupgrade and auc) will keep the file:

```
$ echo '/etc/firewall.user' >> /etc/sysupgrade.conf
$ sysupgrade -l | grep firewall.user
... should echo the path ...
```