MsVibe
October 31, 2025, 5:26am
1
After insstalling OpenWrt 24.10.4 and Snort I find that Snort does not drop packets. I had it working under 24.10.1. I am using subscribed rules.
Here is my Snort config:
option enabled '1'
option manual '0'
option oinkcode ""
option home_net 'any'
option external_net 'any'
option config_dir '/etc/snort'
option temp_dir '/var/snort.d'
option log_dir '/var/log'
option logging '1'
option openappid '1'
option mode 'ips'
option method 'nfq'
option action 'drop'
option interface 'Proton:eth0'
option snaplen '65535'
config nfq 'nfq'
option queue_count '4'
option queue_start '4'
option queue_maxlen '1024'
option fanout_type 'hash'
option thread_count '0'
option chain_type 'input'
option chain_priority 'filter'
To test I attempted to reach the router over http instead of Https. The access is reported by snort-mgr report, but it is not blocked as it used to be.
brada4
October 31, 2025, 7:11am
2
Can you show nft list ruleset ?
MsVibe
October 31, 2025, 11:57am
3
Sure. Under the old version Snort reset the connection so the page did not show up when accessed by http.
table inet fw4 {
set pbr_wan_4_dst_ip_cfg096ff5 {
type ipv4_addr
flags interval
auto-merge
comment "DRTV"
elements = { 95.209.205.153, 95.209.205.195 }
}
set pbr_wan_4_dst_ip_cfg0a6ff5 {
type ipv4_addr
flags interval
auto-merge
comment "Norlys"
elements = { 3.248.132.186, 34.120.195.249,
34.248.153.211, 34.250.191.10,
34.254.219.167, 35.186.247.156,
52.51.46.42, 52.51.251.76,
52.209.5.107, 52.209.16.136,
52.211.206.84, 52.213.152.145,
54.73.102.14, 54.216.76.46,
142.250.74.136, 172.217.21.168,
212.10.12.179 }
}
set pbr_wan_4_dst_ip_cfg0b6ff5 {
type ipv4_addr
flags interval
auto-merge
comment "Pluto"
}
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept comment "!fw4: Accept traffic from loopback"
ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "Proton" jump input_Proton comment "!fw4: Handle Proton IPv4/IPv6 input traffic"
jump handle_reject
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "Proton" jump forward_Proton comment "!fw4: Handle Proton IPv4/IPv6 forward traffic"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oif "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "Proton" jump output_Proton comment "!fw4: Handle Proton IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_Proton comment "!fw4: Accept lan to Proton forwarding"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter packets 209511 bytes 31029459 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 2723 bytes 405341 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 100 bytes 14800 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . 0, mld-listener-report . 0, mld-listener-done . 0, mld2-listener-report . 0 } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 477 bytes 76320 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, nd-neighbor-solicit . 0, nd-neighbor-advert . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 4531 bytes 289984 accept comment "!fw4: Allow-ICMPv6-Input"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
jump reject_to_wan
}
chain accept_to_wan {
meta nfproto ipv4 oifname "eth1" ct state invalid counter packets 14 bytes 716 drop comment "!fw4: Prevent NAT leakage"
oifname "eth1" counter packets 120198 bytes 10485968 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname "eth1" counter packets 10 bytes 691 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname "eth1" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
jump pbr_dstnat comment "Jump into pbr dstnat chain"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "Proton" jump srcnat_Proton comment "!fw4: Handle Proton IPv4/IPv6 srcnat traffic"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
jump pbr_prerouting comment "Jump into pbr prerouting chain"
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
oifname "eth1" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
jump pbr_postrouting comment "Jump into pbr postrouting chain"
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
jump pbr_input comment "Jump into pbr input chain"
}
chain mangle_output {
type route hook output priority mangle; policy accept;
jump pbr_output comment "Jump into pbr output chain"
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "eth1" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
jump pbr_forward comment "Jump into pbr forward chain"
}
chain pbr_dstnat {
}
chain pbr_forward {
}
chain pbr_input {
}
chain pbr_output {
}
chain pbr_prerouting {
ip daddr 192.168.1.156 goto pbr_mark_0x010000 comment "Ignore Local Requests"
ip daddr @pbr_wan_4_dst_ip_cfg096ff5 goto pbr_mark_0x010000 comment "DRTV"
ip daddr @pbr_wan_4_dst_ip_cfg0a6ff5 goto pbr_mark_0x010000 comment "Norlys"
ip daddr 52.51.117.77 goto pbr_mark_0x010000 comment "Norlys"
ip daddr @pbr_wan_4_dst_ip_cfg0b6ff5 goto pbr_mark_0x010000 comment "Pluto"
ip saddr 192.168.1.0/24 goto pbr_mark_0x020000 comment "VPN"
}
chain pbr_postrouting {
}
chain input_Proton {
jump reject_from_Proton
}
chain output_Proton {
jump accept_to_Proton
}
chain forward_Proton {
jump reject_to_Proton
}
chain accept_to_Proton {
meta nfproto ipv4 oifname "Proton" ct state invalid counter packets 3776 bytes 287007 drop comment "!fw4: Prevent NAT leakage"
oifname "Proton" counter packets 74752 bytes 28543388 accept comment "!fw4: accept Proton IPv4/IPv6 traffic"
}
chain reject_from_Proton {
iifname "Proton" counter packets 1170 bytes 216314 jump handle_reject comment "!fw4: reject Proton IPv4/IPv6 traffic"
}
chain reject_to_Proton {
oifname "Proton" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject Proton IPv4/IPv6 traffic"
}
chain srcnat_Proton {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 Proton traffic"
}
chain pbr_mark_0x010000 {
meta mark set meta mark & 0xff01ffff | 0x00010000
return
}
chain pbr_mark_0x020000 {
meta mark set meta mark & 0xff02ffff | 0x00020000
return
}
}
table inet snort {
chain input_ips {
type filter hook input priority filter; policy accept;
counter packets 2445738 bytes 20625278017 queue flags bypass to 4-7
}
}
brada4
October 31, 2025, 12:06pm
4
table inet snort {
chain input_ips {
type filter hook input priority filter; policy accept;
counter packets 2445738 bytes 20625278017 queue flags bypass to 4-7
}
}
i think you mean fanout in place of bypass here
also add + 1 or - 1 to priority to make it predictable. (whitespace mandatory !!!)
drop may nit work, you have to goto to reject chain if conntrack connection is established/assured (conntrack -E # your friend here)
probably hook prerouting+-1 ? to get forwarded bits too?
MsVibe
October 31, 2025, 1:47pm
5
Sorry I do not understand.
Please explain step by step how I can make these changes?
Thank you
1 Like
brada4
October 31, 2025, 2:38pm
6
Those are parameters from launching program
# Do not edit, automatically generated. See /usr/share/snort/templates.
{%
// Copyright (c) 2023-2024 Eric Fahlgren <eric.fahlgren@gmail.com>
// SPDX-License-Identifier: GPL-2.0
let queues = `${nfq.queue_start}-${int(nfq.queue_start)+int(nfq.queue_count)-1}`;
let chain_type = nfq.chain_type;
-%}
table inet snort {
chain {{ chain_type }}_{{ snort.mode }} {
type filter hook {{ chain_type }} priority {{ nfq.chain_priority }}
policy accept
{% if (nfq.include) {
// We use the ucode include here, so that the included file is also
// part of the template and can use values passed in from the config.
printf("\n\t\t" + rpad(`#-- Include from '${nfq.include}'`, ">", 64) + "\n");
include(nfq.include, { snort, nfq });
printf("\t\t" + rpad("#-- End of included file.", "<", 64) + "\n\n");
} %}
show original
Has not changed since.
MsVibe
November 2, 2025, 8:30pm
7
Do you mean I shall edit /usr/share/snort/templates/nftables.uc ?
Is /etc/init.d/snort restart
Still the right command to restart snort?
brada4
November 2, 2025, 9:22pm
8
Yes, more framework-ish approach is service snort restart thoigh does not matter, same script runs.
Whatever is chain priority which is filter or 0 should become filter - 1 or -1 (or +1 for that sake)
I am just guessing that due to subtle timing changes with upgrade now ruleset hooks apply in other sequence...
Docs here: https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
1 Like
efahl
November 2, 2025, 10:07pm
9
The bypass flag is set specifically to avoid blocking if snort dies and cannot service the queues. See https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
brada4
November 3, 2025, 5:34am
10
Got it, , fanout would be nice with ncpu queueues.... The problem is they somehow landed in other priority.
MsVibe
November 3, 2025, 7:15pm
11
Efahl for me the sole purpose of having a separate box running snort is for it to drop malicious packets. Having to occasionally reboot the box is of less concern.
Please tell me how to make snort do that. Thanks
brada4
November 3, 2025, 7:19pm
12
Hidden deep in RTFM
in nfq section add parameter
option chain_priority '-1'
MsVibe
November 3, 2025, 7:41pm
13
Setting chain_priority ‘-1’ results in an error.
300 is accepted, but packets are still not dropped.
Maybe I should try fanout,bypass in the template?
brada4
November 3, 2025, 8:13pm
15
You can write
priority filter - 5 directly in uc file in place of variable
MsVibe
November 3, 2025, 8:14pm
16
/etc/init.d/snort restart
snort-mgr check
brada4
November 3, 2025, 8:16pm
17
OK, author of package insists on non-deterministic behaviour, edit the nftables uc with desired priority and report a bug. it is int16 of priorities in each hook.
brada4
November 3, 2025, 8:21pm
18
-type filter hook {{ chain_type }} priority {{ nfq.chain_priority }}
+type filter hook {{ chain_type }} priority filter - 1
obviously add priority handled by the scripts which will be ignored
MsVibe
November 3, 2025, 9:52pm
19
I edited the template per your original suggestion to obtain the following rule
table inet snort {
chain input_ips {
type filter hook input priority filter - 1; policy accept;
counter packets 421 bytes 598683 queue flags fanout to 4-7
}
}
Unfortunately http access is still allowed contrary to pre upgrade.
brada4
November 4, 2025, 5:30am
20
Change it to fanout,bypass to have both.drop back to kernel.
