Hello!
I noticed that some of my clients are using 8.8.8.8 as DNS instead of the AGH running on the router (OpenWRT 23.05.5, AGH: 0.107.46). I added the following rules to nft:
cat /etc/nftables.d/dns-redirect.nft
table inet filter {
    chain prerouting {
        type nat hook prerouting priority -100;
        ip saddr 192.168.5.0/24 ip daddr { 8.8.8.8, 8.8.4.4 } udp dport 53 dnat to 192.168.5.1:53
        ip saddr 192.168.5.0/24 ip daddr { 8.8.8.8, 8.8.4.4 } tcp dport 53 dnat to 192.168.5.1:53
        ip saddr 10.0.0.0/24 ip daddr { 8.8.8.8, 8.8.4.4 } udp dport 53 dnat to 10.0.0.1:53
        ip saddr 10.0.0.0/24 ip daddr { 8.8.8.8, 8.8.4.4 } tcp dport 53 dnat to 10.0.0.1:53
    }
}
It works as expected, but when I add dns-redirect.nft to uci with
uci add firewall include
uci set firewall.@include[-1].path='/etc/nftables.d/dns-redirect.nft'
and try to restart the firewall, it prints:
/etc/init.d/firewall restart
In file included from /dev/stdin:29:2-33:
/etc/nftables.d/dns-redirect.nft:1:1-5: Error: syntax error, unexpected table
table inet filter {
^^^^^
/dev/stdin:36:14-14: Error: syntax error, unexpected '{', expecting string or last
chain input {
^
/dev/stdin:37:3-6: Error: syntax error, unexpected type
type filter hook input priority filter; policy drop;
^^^^
/dev/stdin:37:43-48: Error: syntax error, unexpected policy
type filter hook input priority filter; policy drop;
^^^^^^
/dev/stdin:39:3-9: Error: syntax error, unexpected iifname
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
^^^^^^^
/dev/stdin:41:6-10: Error: syntax error, unexpected state, expecting timeout or expectation or helper
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
^^^^^
/dev/stdin:42:6-10: Error: syntax error, unexpected state, expecting timeout or expectation or helper
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
^^^^^
/dev/stdin:43:3-5: Error: syntax error, unexpected tcp
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
^^^
/dev/stdin:44:3-9: Error: syntax error, unexpected iifname
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
^^^^^^^
/dev/stdin:45:3-9: Error: syntax error, unexpected iifname
iifname "eth0.2" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
^^^^^^^
The rendered ruleset contains errors, not doing firewall restart.
When I type nft list ruleset, I get this (I'm unable to remove output & forward chains):
table inet filter {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip saddr 192.168.5.0/24 ip daddr { 8.8.4.4, 8.8.8.8 } udp dport 53 dnat ip to 192.168.5.1:53
        ip saddr 192.168.5.0/24 ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 dnat ip to 192.168.5.1:53
        ip saddr 10.0.0.0/24 ip daddr { 8.8.4.4, 8.8.8.8 } udp dport 53 dnat ip to 10.0.0.1:53
        ip saddr 10.0.0.0/24 ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 dnat ip to 10.0.0.1:53
    }
    chain output {
        type nat hook output priority -100; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}
Is it OK, or does it cause any harm other than cosmetic? Btw, shall I use the fw4 table instead of input?
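An added example, not from the original post, showing one way to register this redirect so that fw4 renders it cleanly: fw4 nftables includes default to position table-post, which splices the file inside "table inet fw4 { ... }", so a file that opens with its own "table" keyword is a syntax error at that point. Assumed here: the fw4 include options type, position and chain, the fw4 "dstnat" chain name, and the subnets and router addresses from the post.

```shell
#!/bin/sh
# Added example (not from the original post): install the DNS redirect as an fw4
# chain-level include instead of a separate nft table.
# Assumptions: fw4 include options type/position/chain, the fw4 "dstnat" chain,
# and the 192.168.5.0/24 and 10.0.0.0/24 subnets from the post.

INCLUDE=/etc/nftables.d/dns-redirect.nft

# Emit bare rules for one subnet: no table or chain wrapper, because fw4 inserts
# these lines at the top of its own dstnat chain (position=chain-pre).
dns_redirect_rules() {
    net=$1 gw=$2
    for proto in udp tcp; do
        printf 'ip saddr %s ip daddr { 8.8.8.8, 8.8.4.4 } %s dport 53 dnat ip to %s:53\n' \
            "$net" "$proto" "$gw"
    done
}

# Write the include file ($1) covering both subnets from the post.
write_include() {
    {
        echo '# Redirect hard-coded public DNS to the local AdGuard Home resolver'
        dns_redirect_rules 192.168.5.0/24 192.168.5.1
        dns_redirect_rules 10.0.0.0/24 10.0.0.1
    } > "$1"
}

# Register the include in /etc/config/firewall as a named section so it can be
# re-run without adding duplicate @include entries.
register_include() {
    uci -q delete firewall.dns_redirect
    uci set firewall.dns_redirect=include
    uci set firewall.dns_redirect.type='nftables'
    uci set firewall.dns_redirect.path="$INCLUDE"
    uci set firewall.dns_redirect.position='chain-pre'
    uci set firewall.dns_redirect.chain='dstnat'
    uci commit firewall
}

# Dry-run the rendered ruleset (with the include spliced in) before applying it.
check_and_reload() {
    fw4 print | nft -c -f - && /etc/init.d/firewall reload
}

# Usage on the router: write_include "$INCLUDE" && register_include && check_and_reload
```

The stand-alone table inet filter shown in the post's nft list ruleset output was loaded manually and lies outside fw4's own table, so a firewall reload neither fixes nor removes it; nft delete table inet filter clears it once the include is in place.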