Problem with NFT module conntrack in 23.05.0

I'm trying to upgrade my router from 21.02.2. I'm not using the OpenWRT firewall but a script generated by fwbuilder that has thrived since I converted from FreeBSD to OpenWRT Backfire in 2011.

The script uses the conntrack module. I tried several ways to add rules to NFT without writing them in NFT (fwbuilder has been more or less unmaintained for years now, so I can't expect a new version supporting NFT directly any day now :frowning: ).

iptables-nft fails because of a missing /usr/lib/iptables/libxt_conntrack.so:

statx(AT_FDCWD, "/usr/lib/iptables/libipt_conntrack.so", AT_STATX_SYNC_AS_STAT, STATX_BASIC_STATS, 0x7fcd1300) = -1 ENOENT (No such file or directory)
statx(AT_FDCWD, "/usr/lib/iptables/libxt_conntrack.so", AT_STATX_SYNC_AS_STAT, STATX_BASIC_STATS, 0x7fcd1300) = -1 ENOENT (No such file or directory)
writev(2, [{iov_base="iptables v1.8.8 (nf_tables): ", iov_len=29}, {iov_base=NULL, iov_len=0}], 2iptables v1.8.8 (nf_tables): ) = 29
writev(2, [{iov_base="Couldn't load match `conntrack':"..., iov_len=58}, {iov_base=NULL, iov_len=0}], 2Couldn't load match `conntrack':No such file or directory
) = 58

I tried to use iptables-translate but the result does not work, either:

root@splat:~# iptables-translate -w -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
root@splat:~# nft add rule ip filter INPUT ct state related,established counter accept
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ct state related,established counter accept
            ^^^^^^
root@splat:~# nft list ruleset

I haven't used NFT directly yet, and I'd like to avoid that. So a fix to the problem of the missing module would be very welcome. I've searched the packages for 23.05.0 high and low, but I haven't found a conntrack or any other module.

And, yes, I use it in 21.02.2.

That doesn't work because the table changed names (among other things), hence the weird nft-ism "No such file or directory" error.

The table type is inet (handles both IPv4 and IPv6) instead of ip (handles only IPv4).

The table is now named fw4 instead of filter.

The input name is lower case input.

$ nft list tables
table inet fw4

# Here's the default input chain, already contains your rule sans 'counter'.
$ nft list chain inet fw4 input
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }
}

So, here's the corrected form of your rule, but this will append it after the jump input_wan rule, so it's sort of useless.

$ nft add rule  inet fw4  input  ct state related,established counter accept

conntrack is the cli tool that is just a standalone package with that name.

$ opkg -A whatprovides conntrack
What provides conntrack
    conntrack

Not sure about the xt or ipt libs, I only see one package with a conntrack lib:

$ opkg -A whatprovides '*lib*conntrack*'
What provides *lib*conntrack*
    libnetfilter-conntrack3     provides libnetfilter-conntrack3
    libnetfilter-conntrack3     provides libnetfilter-conntrack
1 Like

It's especially useless because iptables-translate does not generate that code. I may be expecting too much from NFTables, but I am naïvely expecting a translator to generate code that can be fed into that command that is supposed to grok it.

And BTW, since I do not use firewall4, my NFT ruleset is empty.

I wanted to start this off as a simple question on how to get OpenWRT 23.05.0 to accept a perfectly legit iptables command. But since you insist, let me put this in simple words: I have a complete, working firewall written in fwbuilder, which generates a complete, working shell script that uses IPTables. This has been working since November 2011 (Backfire) but ceased to work with OpenWRT 23.05.0 because the iptables-nft packages in that release are incomplete or broken. (Prove me wrong!)

This line works with Debian Bullseye (11) and Ubuntu Lunar Lobster (23.04):

# iptables-nft -w -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables-save | grep conntrack
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Update:
The package that contains the commands is iptables-nft v1.8.8. I also tried xtables-nft 1.8.8-1, but it generates the same bad code.

I've created two tickets for this:

To make it work, the OP should create the necessary tables and chains before adding the rules, although since he is not using the OpenWrt firewall, there's no need to match the fw4 naming.

3 Likes
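As an added example (not from anyone in this thread), here is what "create the necessary tables and chains before adding the rules" looks like when the ruleset is empty: the script takes the `nft add rule ip filter INPUT ...` line that iptables-translate printed above and wraps it in a complete `nft -f` script that declares the table and a base chain with a hook first. It assumes the `ip filter INPUT` names that iptables-translate emits; the translated line is embedded as a constructed sample so it runs without nft.

```shell
#!/bin/sh
# Added example: turn iptables-translate output into a loadable nft script.
# Constructed input: the line iptables-translate printed for the OP's rule.
TRANSLATED='nft add rule ip filter INPUT ct state related,established counter accept'

# Emit a complete ruleset for `nft -f`. Table and base chain come first;
# a chain without a hook is never evaluated, so the rule alone is useless.
emit_nft_script() {
    # Declare the table so the flush cannot fail on a fresh box, then flush
    # so reloading the script does not duplicate the rules.
    printf '%s\n' 'table ip filter {}' 'flush table ip filter' \
                  'table ip filter {' \
                  '    chain INPUT {' \
                  '        type filter hook input priority filter; policy accept;'
    # Keep only the rule body of each "nft add rule ip filter INPUT ..." line.
    printf '%s\n' "$1" | sed -n 's/^nft add rule ip filter INPUT \(.*\)$/        \1/p'
    printf '%s\n' '    }' '}'
}

# Number of conntrack-state rules that ended up in the emitted script.
count_rules() {
    emit_nft_script "$1" | grep -c 'ct state'
}

# Load the script with nft where it exists; elsewhere just show it.
apply_if_possible() {
    if command -v nft >/dev/null 2>&1; then
        emit_nft_script "$1" | nft -f -
    else
        emit_nft_script "$1"
    fi
}
```

After loading, `nft list ruleset` should show the `ip filter` table with the rule inside `INPUT`, instead of the empty output seen in the first post.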

"How to Make a Mountain Out of a Mole Hill" /s

ceased to work with OpenWRT 23.05.0 because the iptables-nft packages in that release are incomplete or broken. (Prove me wrong!)

Ok, challenge accepted :wink:

You have to remember that iptables support in OpenWrt is by default not installed.

To use it:

  1. Use opkg list-installed | grep "zzz-legacy".
    If any zzz-legacy packages are present, remove them. They might be present if some other package has "iptables" as a dependency. There is a known issue that causes zzz packages to be installed and this causes problems with nftables and even worse can result in both iptables-zzz-legacy and iptables-nft to be installed AT THE SAME TIME.
  2. Install the package iptables-nft
  3. Install the package iptables-mod-conntrack-extra

Now you will have iptables support including conntrack.

Now run your original iptables script.
You can see the result by looking at the output of:
nft list ruleset

1 Like
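As an added example (not from the poster above), here is the pre-flight check those steps imply, run over the output of `opkg list-installed`: it lists zzz-legacy packages that must go, flags the case where iptables-zzz-legacy and iptables-nft are installed at the same time, and confirms that iptables-nft and iptables-mod-conntrack-extra are present. The package list is a constructed sample in the `name - version` format opkg prints, so the functions run without opkg.

```shell
#!/bin/sh
# Added example: pre-flight check before running an iptables script on 23.05.
# Constructed sample of `opkg list-installed` output (versions made up).
SAMPLE_INSTALLED='base-files - 1-r1
iptables-nft - 1.8.8-1
iptables-zzz-legacy - 1.8.8-1
iptables-mod-conntrack-extra - 1.8.8-1
kmod-nft-core - 1-r1'

# Read an installed list on stdin; print the names of zzz-legacy packages.
zzz_legacy_pkgs() {
    awk '$1 ~ /zzz-legacy/ { print $1 }'
}

# True when both iptables backends are installed together (the known issue).
both_backends_installed() {
    list="$(cat)"
    printf '%s\n' "$list" | grep -q '^iptables-zzz-legacy ' &&
    printf '%s\n' "$list" | grep -q '^iptables-nft '
}

# True when the two packages the steps above require are installed.
has_nft_conntrack() {
    list="$(cat)"
    printf '%s\n' "$list" | grep -q '^iptables-nft ' &&
    printf '%s\n' "$list" | grep -q '^iptables-mod-conntrack-extra '
}

# Run all checks on the list from stdin; return 0 only when all pass.
preflight() {
    list="$(cat)"
    rc=0
    legacy="$(printf '%s\n' "$list" | zzz_legacy_pkgs)"
    if [ -n "$legacy" ]; then
        echo "remove before continuing: $legacy"; rc=1
    fi
    if printf '%s\n' "$list" | both_backends_installed; then
        echo "iptables-zzz-legacy and iptables-nft are installed together"; rc=1
    fi
    if ! printf '%s\n' "$list" | has_nft_conntrack; then
        echo "install iptables-nft and iptables-mod-conntrack-extra"; rc=1
    fi
    return $rc
}
```

On a router, feed it the real list with `opkg list-installed | preflight` and only run the fwbuilder script once it returns 0.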