Save firewall rule permanently

sharbich · March 6, 2024, 10:25pm

Hello, my dears,
i need your support. I would like to permanently save the following firewall rule under my OpenWrt system with version 23.05.2.

iptables -t mangle -A PREROUTING -i br-wlan -d 239.255.255.250  -j TTL --ttl-inc 1

What should the entry in the "/etc/config/firewall" file look like?
Thank you in advance for your support.
Greetings from Stefan Harbich

sharbich · March 7, 2024, 7:56am

If I enter the rule via the console and look at the rule set, I get the following message:

root@rome01:~# nft list ruleset | grep 239
# Warning: table ip mangle is managed by iptables-nft, do not touch!
		iifname "br-wlan" ip daddr 239.255.255.250 counter packets 294 bytes 98706 xt target "TTL"

Why is there a warning?

pavelgl · March 7, 2024, 9:04am

Do not mix nftables and iptables.
Translate your rule into nftables syntax.

uci add firewall include
uci set firewall.@include[-1].type='nftables'
uci set firewall.@include[-1].path='/etc/multicast_ttl_rule.nft'
uci set firewall.@include[-1].position='chain-pre'
uci set firewall.@include[-1].chain='mangle_prerouting'

cat << "EOF" > /etc/multicast_ttl_rule.nft
iifname "br-wlan" ip daddr 239.255.255.250 ip ttl set 2 counter
EOF
uci commit firewall
fw4 restart

For reference:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#config_include_section_with_nftables_snippets

sharbich · March 7, 2024, 9:35am

I get the following error message with the last command:

root@rome01:~# fw4 restart
Reference error: left-hand side expression is not an array or object
In [anonymous function](), file /usr/share/ucode/fw4.uc, line 3191, byte 12:
  called from function [arrow function] (/usr/share/ucode/fw4.uc:787:71)
  called from function foreach ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:787:72)
  called from function render_ruleset (/usr/share/firewall4/main.uc:56:24)
  called from anonymous function (/usr/share/firewall4/main.uc:143:29)
 `        if (!inc.enabled) {`
  Near here -------^
The rendered ruleset contains errors, not doing firewall restart.

pavelgl · March 7, 2024, 10:05am

It works as expected on 23.05.0 and I don't have 23.05.2 to test it.
Revert the changes and insert the rule manually to see if it does what you need.

uci del firewall.@include[-1]
uci commit firewall
fw4 restart

nft insert rule inet fw4 mangle_prerouting iifname "br-wlan" ip daddr 239.255.255.250 ip ttl set 2 counter

EDIT:

If it works, try option B:

rm /etc/multicast_ttl_rule.nft
mkdir -p /usr/share/nftables.d/chain-pre/mangle_prerouting
echo "iifname br-wlan ip daddr 239.255.255.250 ip ttl set 2 counter" > /usr/share/nftables.d/chain-pre/mangle_prerouting/10-multicast_ttl_rule.nft
fw4 restart

sharbich · March 7, 2024, 11:00am

Thank you very much for your support. Very nice of you.

system · March 17, 2024, 11:04am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.