Nftables snippets chain option is not taken into account

Hi everyone!

After migrating from fw3 to fw4, I need to add custom log filters so they can be parsed by my ELK stack easily.

To do so, I've read this doc and I realized that not all chains are taken into account (or I misread the doc).

For example, I'd like to customize the drop_from_wan to log dropped packets coming from my WAN:

...
config include
	option	type		'nftables'
	option	path		'/etc/test.nft'
	option	position	'chain-post'
	option	chain		'drop_from_wan'

Running fw4 does not show any reference to test.nft:

root@router-1:/etc# fw4 print | grep test
Section @rule[0] (WAN -> DEVICE | Allow SSH) is disabled, ignoring section
Section @rule[2] (WAN -> DEVICE | Allow Ping) is disabled, ignoring section
...
Section @rule[88] (CELL -> SERVICES | Allow dlna 8200) is disabled, ignoring section
root@router-1:/etc# 

Whereas if I choose the chain input_wan:

...
config include
	option	type		'nftables'
	option	path		'/etc/test.nft'
	option	position	'chain-post'
	option	chain		'input_wan'

fw4 shows something:

root@router-1:/etc# fw4 print | grep test
Section @rule[0] (WAN -> DEVICE | Allow SSH) is disabled, ignoring section
Section @rule[2] (WAN -> DEVICE | Allow Ping) is disabled, ignoring section
...
Section @rule[88] (CELL -> SERVICES | Allow dlna 8200) is disabled, ignoring section
		include "/etc/test.nft"

The position begins with chain-* so I should be good.

Am I missing something? Or is there any easier solution?

Thanks!

P.S.: I don't know if an FR is already open for that, but it would be great to add a customization for the log prefix in the /etc/config/firewall configuration

You can only add custom rules to an existing chain.

Unless you change the default INPUT policy for the wan firewall zone from REJECT to DROP, the drop_from_wan chain will not be created.

By default the corresponding chain name is reject_from_wan.

Check which chain exists:

nft list chain inet fw4 reject_from_wan
nft list chain inet fw4 drop_from_wan

Also change chain-post to chain-pre.


These particular “verdict_from_zone” chains do not appear to have custom includes implemented.

https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/usr/share/firewall4/templates/ruleset.uc;h=d6eedfd55d599b7982cfab2bd1f93ddfc9dca50e;hb=HEAD#l258


Hmm, interesting!

I definitely have no skills in that language, so IDK how difficult it would be to implement that.

But the documentation should be updated to include this restriction.

Or maybe a PR?

Thank you for the clarification!

@jow might be interested in this.

Yeah, I've been mulling this issue over for several months. My current thoughts (without any action on a PR or such) are that it would be nice to have something like first adding a -e (everything) switch on fw4:

fw4 -e print
table ...
    all the chains are generated, irrespective of use

And then modifying the /usr/share/firewall4/ uc files to first look for both implicit includes (from /usr/share/nftables.d) and explicit includes (from /etc/config/firewall) that reference any as-yet non-existent chains, and turn on generation of those chains even if there is no UCI-based rule requiring them.

Right now I work around this by, for example, adding a dummy redirect rule in uci to get the dstnat base chain and the actually desired dstnat_lan chain where I add further nat/redirect rules via /usr/share/nftables.d/chain-post/dstnat_lan/90-redirect.nft. Ugly, but it works.
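As an added example that is not part of this thread or of firewall4's own code, the check suggested in the first reply (does the chain an include targets actually exist in the generated ruleset?) and the scan jow describes (includes that reference as-yet non-existent chains) done in POSIX shell over two constructed inputs: a firewall config with two include sections, and an abbreviated ruleset in the form nft list ruleset prints it for a wan zone whose INPUT policy is the default REJECT. The interface name, file paths, log prefix and helper names are my assumptions; on a router you would pass the real /etc/config/firewall and the live nft list ruleset output instead of the samples.

```shell
#!/bin/sh
# Added example, not from the thread or from firewall4. Reports every
# 'config include' section whose 'option chain' names a chain the ruleset
# does not declare (fw4 silently skips such includes). Both inputs below
# are constructed samples.

# Constructed sample: one include targets drop_from_wan, which fw4 only emits
# when the wan INPUT policy is DROP; the other targets input_wan.
SAMPLE_FIREWALL_CONFIG=$(cat <<'EOF'
config include
	option type 'nftables'
	option path '/etc/test.nft'
	option position 'chain-pre'
	option chain 'drop_from_wan'

config include
	option type 'nftables'
	option path '/etc/log_input_wan.nft'
	option position 'chain-pre'
	option chain 'input_wan'
EOF
)

# Constructed, abbreviated ruleset: wan policy REJECT, so reject_from_wan
# exists and drop_from_wan does not. Interface name "eth1" is an assumption.
SAMPLE_RULESET=$(cat <<'EOF'
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
	}

	chain input_wan {
		meta nfproto ipv4 meta l4proto icmp jump accept_from_wan
		jump reject_from_wan
	}

	chain reject_from_wan {
		iifname "eth1" meta l4proto tcp counter reject with tcp reset comment "!fw4: reject wan IPv4/IPv6 traffic"
		iifname "eth1" counter reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}
}
EOF
)

# chain_exists RULESET_TEXT CHAIN: succeeds if the text declares the chain.
# Anchors on the 'chain <name> {' declaration so 'jump <name>' lines, which
# exist even when the target chain is missing, do not count.
chain_exists() {
	printf '%s\n' "$1" | grep -Eq "^[[:space:]]*chain[[:space:]]+$2[[:space:]]*\{"
}

# include_chains CONFIG_TEXT: prints "<path> <chain>" for every
# 'config include' section that sets 'option chain'. Options may appear in
# any order, so a section is flushed when the next one starts or at EOF.
include_chains() {
	printf '%s\n' "$1" | awk '
		function flush() { if (in_include && chain != "") print path, chain }
		/^config[ \t]/ { flush(); in_include = ($2 == "include"); path = ""; chain = "" }
		in_include && $1 == "option" && $2 == "path"  { path = $3 }
		in_include && $1 == "option" && $2 == "chain" { chain = $3 }
		END { flush() }
	' | tr -d "'\""
}

# missing_include_chains CONFIG_TEXT RULESET_TEXT: prints the chain name of
# each include whose target chain the ruleset does not declare.
missing_include_chains() {
	include_chains "$1" | while read -r path chain; do
		if ! chain_exists "$2" "$chain"; then
			printf '%s\n' "$chain"
		fi
	done
}

# log_include_snippet PREFIX: the one-line nft fragment for the include file.
# As a chain-pre include on reject_from_wan it logs exactly the packets that
# chain goes on to reject, tagged with a prefix a log parser can key on.
log_include_snippet() {
	printf 'counter log prefix "%s"\n' "$1"
}

# Stand-alone demo over the constructed samples. Live use would be:
#   missing_include_chains "$(cat /etc/config/firewall)" "$(nft list ruleset)"
for c in $(missing_include_chains "$SAMPLE_FIREWALL_CONFIG" "$SAMPLE_RULESET"); do
	echo "include targets chain '$c' but the ruleset never declares it; fw4 will drop the include"
done
echo "suggested /etc/test.nft content for reject_from_wan chain-pre:"
log_include_snippet "fw4-wan-reject: "
```

With the samples above the loop reports only drop_from_wan; input_wan is found because the input base chain jumps to it, so fw4 emits it. Swapping the real ruleset in makes the script a quick pre-flight check before you wonder why fw4 print shows no trace of an include file.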