OpenWrt nftables firewall4 src_ip support for defined IP arrays

Hi,

I'm currently trying to do as much of my configuration as possible through LuCI. My firewall rule already works when it is defined like this in /etc/nftables.d/xxx:

# nftables snippet placed in /etc/nftables.d/ (the author reports fw4 picks it up there).
# IP1, IP2, Ip3 and INTERNAL_IP are placeholders for real addresses.
define IPSET_SRCIP = {
IP1,
IP2,
Ip3,
}

# Rule in fw4's dstnat_WAN chain: only packets whose source address is in
# IPSET_SRCIP reach the port-443 DNAT, so the define acts as an allowlist
# for this redirect. The "!fw4:" comment marks it as a fw4 rule.
chain dstnat_WAN {
    ip saddr $IPSET_SRCIP tcp dport 443 counter packets 0 bytes 0 dnat ip to INTERNAL_IP:443 comment "!fw4: TCP-443"
}

I'd like to use nftables.d only to define IPSET_SRCIP and then reference it from the LuCI firewall UI. Manually putting this into /etc/config/firewall does NOT work; that is my feature request at the moment.

# Attempt to reference the nftables define from UCI. fw4 rejects this
# ("option 'src_ip' specifies invalid value '$IPSET_SRCIP'") and skips the
# whole section, so the redirect is not installed at all.
config redirect
	option dest 'LAN'
	option target 'DNAT'
	option name 'TCP-443'
	list proto 'tcp'
	option src 'WAN'
	option src_dport '443'
	option dest_ip 'INTERNAL_IP'
	option dest_port '443'
	# nft defines are not expanded by fw4 here; this is not a usable src_ip value
	option src_ip '$IPSET_SRCIP'

Issuing "fw4 reload" via SSH leads to this error:

Section @redirect[0] (TCP-443) option 'src_ip' specifies invalid value '$IPSET_SRCIP'
Section @redirect[0] (TCP-443) skipped due to invalid options

Could this be supported in the future? I'm currently on the latest snapshot; the device is a Xiaomi AX3600.

Kind regards
Catfriend1

FWIW, you can define everything in /etc/config/firewall and it will work:

# fw4-managed set. 'match src_net' tells fw4 which direction the set applies
# to (here: the packet's source address/network), which a plain nft set in
# /etc/nftables.d cannot express. The /32 entries below are example values.
config ipset
        option name 'ipset_srcip'
        option match 'src_net'
        option enabled '1'
        list entry '1.2.3.4/32'
        list entry '5.6.7.8/32'

# Same redirect as before, but the allowlist now comes from the fw4-managed
# set via 'option ipset' instead of src_ip. Note that dest_port is not set
# here, whereas the earlier example used dest_port '443' — confirm the
# default fw4 applies is the one you want.
config redirect
	    option dest 'LAN'
	    option target 'DNAT'
	    option name 'TCP-443'
	    list proto 'tcp'
	    option src 'WAN'
	    option src_dport '443'
	    option dest_ip 'INTERNAL_IP'
	    option ipset 'ipset_srcip'

However, I don't see an option to specify the set name when using LuCI ...


Thank you very much. That works fine. Can I also define the ipset in /etc/nftables.d/xxx and then reference it from /etc/config/firewall?
I'm asking because my IP whitelist is generated by a cron bash script, and it's much easier for the script to write to /etc/nftables.d/xxx.

UPDATE: I think it's this syntax. But is it then filtered on the source IP — i.e. where is src vs. dst specified?

        # Plain nft set ('flags interval' allows prefix elements such as
        # 1.0.0.0/16; auto-merge collapses adjacent ranges). Defined in
        # /etc/nftables.d it is not a fw4-managed ipset and carries no 'match'
        # direction, so fw4 reports "references unknown set" when a UCI
        # section points at it.
        set ipset_srcip {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 1.0.0.0/16, 2.0.0.0/16,
                             3.0.0.0/16, 4.0.0.0/16 }
        }

But there is one PROBLEM. After "fw4 reload", it says:

Section @redirect[0] (TCP-443) references unknown set 'ipset_srcip

I'm not sure.

EDIT:

It won't work. You need `option match` to specify the direction (source or destination) the rule should match the set against.

You could save the whitelist in a text file (one IP or network per line) and then create/update the set using the loadfile option. Since every line in that file becomes a firewall match entry on reload, keep the file writable by root only.

# cat /etc/ipset_srcip.txt
1.0.0.0/16
2.0.0.0/16
3.0.0.0/16
4.0.0.0/16

# /etc/config/firewall
# The set's entries are read from the loadfile path instead of being listed
# inline with 'list entry'; the file holds one address or network per line.
# Whatever is in that file is trusted as the allowlist for rules using this
# set, so it must be writable by root only.
config ipset
        option name 'ipset_srcip'
        option match 'src_net'
        option enabled '1'
        option loadfile '/etc/ipset_srcip.txt'
