Nftables vs iptables OpenWrt 22.03.2

I installed iptables-mod-ipopt on OpenWrt 22.03.2. Since nftables replaced iptables, are there implications or cause for concern? Should I take corrective action?

I wish to mod the TTL to 65 for all traffic leaving on the WAN.

Can this be accomplished with nftables? It seems the 'custom' rules tab has been removed from the Firewall screen during this transition.

Thanks in advance.

Yes


nft insert rule inet fw4 mangle_postrouting ip ttl set 65 comment "Fw4: setting ttl on all packets"

There was also a recent thread about TTL.

The replies were helpful in understanding OpenWrt's move to nftables in OpenWrt 22.03.2.

I did the following:

  • Reset OpenWrt to factory default.
  • Created a text file ending in .nft at /etc/nftables.d. Files in this directory ending in .nft are automatically loaded and persist between reboots.
  • Used the following command to create the file: vi user-chains.nft
    Then added the following text:

chain user_mangle_postrouting {
    type filter hook postrouting priority mangle; policy accept;
    oifname { "wan", "wlan1" } ip ttl set 65 comment "!fw4: Zone wan IPv4 egress TTL 65"
    oifname { "wan", "wlan1" } ip6 hoplimit set 65 comment "!fw4: Zone wan IPv6 egress TTL 65"
}

To save and exit the vi text editor, press the 'esc' key followed by :wq

These rules change both the IPv4 and IPv6 TTL value to 65, at postrouting, before the packet leaves on wan/wlan1.

Running 22.03.05 here.

I have...


chain mangle_postrouting {
    type filter hook postrouting priority mangle; policy accept;
    include "/usr/share/nftables.d/chain-pre/mangle_postrouting/01-set-ttl.nft"
}

That nft file contains...

root@OpenWrt:~# cat /usr/share/nftables.d/chain-pre/mangle_postrouting/01-set-ttl.nft
ip ttl set 65

But I also modified the sysctl

root@OpenWrt:~# sysctl -a | grep ttl
[...]
net.ipv4.ip_default_ttl = 65

I reloaded fw4, and I understand, unless I am totally wrong, that sysctl changes apply right away as soon as they are changed (I never saw other behaviour).

However, if I run tcpdump on my WAN interfaces, I still see packets going out with a TTL bigger than 65.


root@OpenWrt:~# tcpdump -i eth3 'ip[8] > 65 and outbound' -v
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:41.031086 IP (tos 0x0, **ttl 127**, id 55244, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.100.51672 > 13.107.246.52.80: Flags [.], cksum 0x3ab9 (correct), ack 1666988122, win 1029, length 0
12:13:41.041193 IP (tos 0x0, **ttl 127**, id 55245, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.100.51672 > 13.107.246.52.80: Flags [.], cksum 0x301d (correct), ack 2717, win 1029, length 0
12:13:41.049776 IP (tos 0x0, **ttl 127**, id 55246, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.100.51672 > 13.107.246.52.80: Flags [.], cksum 0x2581 (correct), ack 5433, win 1029, length 0
12:13:41.057080 IP (tos 0x0, **ttl 127**, id 55247, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.100.51672 > 13.107.246.52.80: Flags [.], cksum 0x1ae5 (correct), ack 8149, win 1029, length 0
12:13:41.066929 IP (tos 0x0, **ttl 127**, id 55248, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.100.51672 > 13.107.246.52.80: Flags [.], cksum 0x1049 (correct), ack 10865, win 1029, length 0
12:13:41.074284 IP (tos 0x0, **ttl 127**, id 55249, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.100.51672 > 13.107.246.52.80: Flags [.], cksum 0x05ad (correct), ack 13581, win 1029, length 0

And the same on eth2...

root@OpenWrt:~# tcpdump -i eth2 'ip[8] > 65 and outbound' -v
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:13.626314 IP (tos 0x0, **ttl 254**, id 15074, offset 0, flags [none], proto TCP (6), length 40)
    192.168.8.245.40440 > ec2-3-65-95-68.eu-central-1.compute.amazonaws.com.8886: Flags [.], cksum 0xd028 (correct), ack 964991046, win 3759, length 0
12:13:24.822308 IP (tos 0x0, **ttl 254**, id 28555, offset 0, flags [none], proto TCP (6), length 40)
    192.168.8.245.40827 > ec2-18-158-238-166.eu-central-1.compute.amazonaws.com.8883: Flags [.], cksum 0x14d4 (correct), ack 3436330652, win 3207, length 0
12:13:36.547891 IP (tos 0x0, **ttl 254**, id 15080, offset 0, flags [none], proto TCP (6), length 109)
    192.168.8.245.40440 > ec2-3-65-95-68.eu-central-1.compute.amazonaws.com.8886: Flags [P.], cksum 0x4dfc (correct), seq 0:69, ack 1, win 3759, length 69

Any ideas? I am missing something here but I don't know where.
By the way, eth2 and eth3 are part of the load balancing done with MWAN3. It might be relevant, not sure.
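Putting the /etc/nftables.d approach from the earlier reply together with the "rule is loaded but TTLs are still high" situation in the last post, here is an added example fragment (not code from any poster in this thread) that carries both rewrite rules with per-rule counters, so whether the egress traffic actually reaches the rule can be read straight from `nft list chain`. The file name 10-egress-ttl.nft and the interface names "wan" and "wlan1" are assumptions taken from the thread.

```nft
# /etc/nftables.d/10-egress-ttl.nft   (file name is an assumption)
# fw4 includes every *.nft file in this directory inside "table inet fw4",
# so this fragment defines only a chain, never a table of its own.
# Interface names "wan" and "wlan1" are assumptions; adjust to your zone.

chain user_mangle_postrouting {
    # Same hook and priority as fw4's own mangle_postrouting chain
    # (priority mangle = -150), i.e. before srcnat/masquerade (priority 100).
    type filter hook postrouting priority mangle; policy accept;

    # Form to avoid: without "set", "ip6 hoplimit 65" only tests whether the
    # hop limit already equals 65 and rewrites nothing. Kept commented out.
    # oifname { "wan", "wlan1" } ip6 hoplimit 65

    # Correct form: "set" writes the header field. "counter" records how many
    # packets reached the rule, which is the check missing from the last post.
    oifname { "wan", "wlan1" } counter ip ttl set 65 comment "user: IPv4 egress TTL 65"
    oifname { "wan", "wlan1" } counter ip6 hoplimit set 65 comment "user: IPv6 egress hop limit 65"
}

# Verification, typed on the router after saving the file:
#   fw4 reload
#   nft list chain inet fw4 user_mangle_postrouting   # shows "counter packets N bytes M"
#   tcpdump -ni wan 'ip[8] > 65 and outbound'          # should stay silent
#
# If tcpdump keeps reporting TTL 127/254 while the counters do not move,
# those packets are not passing through this rule at all. One known cause is
# flow offloading (fw4 "option flow_offloading '1'"): established flows are
# handed to a flowtable that bypasses the classic netfilter hooks, so a
# mangle rule only ever sees the first packets of each flow.
```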