[Solved] /usr/share/nftables.d/table-post not in the right place?

I need to add a custom rule for a transparent proxy today. But when I add the rule to /usr/share/nftables.d/table-post/v2ray.nft, I get an error saying "table" is not expected.

When I execute fw4 print, I see my file is included within the table:

table inet fw4 {
        ... many chains
        ...
        include "/usr/share/nftables.d/table-post/v2ray.nft"
}

My file is under the table-post folder; isn't it supposed to be included under the outermost curly brackets?

I'm using OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd

Now my workaround is to just add an additional curly bracket at the beginning to close the table, and then omit another curly bracket at the end, like this:

}
table ip v2ray {
        chain prerouting {
                many rules....
        }

Put a custom table under ruleset-post instead of table-post.

My fault. I should read the readme again before posting.

 - Files in ./ruleset-pre/ and ./ruleset-post/ are included before and
   after the `table inet fw4 { ... }` declaration respectively

 - Files in ./table-pre/ and ./table-post/ are included before the first
   chain and after the last chain declaration within the fw4 table
   respectively

 - Files in ./chain-pre/${chain}/ and ./chain-post/${chain}/ are included
   before the first and after the last rule within the mentioned chain of
   the fw4 table respectively

I was misled by a first glance at Help me update my HFSC shaper scripts for fw4/nftables - #11 by jow
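To check a snippet before dropping it into one of these directories, here is an added example (my own Python, not from this thread and not fw4's code) that classifies a snippet by the scope its top-level statements need and inlines it into a one-chain mock of the fw4 skeleton, which reproduces the "table is not expected" situation from the first post. The mock skeleton, the trimmed v2ray snippet and the brace-hack sample are constructed for the demo:

```python
"""Pre-flight check for fw4 include snippets (added example for this thread;
not part of the post and not code from OpenWrt's fw4).  Given a snippet, it
says which family of /usr/share/nftables.d/ directories can hold it, per the
README rules quoted above: ruleset-* land outside `table inet fw4 { }`,
table-* inside that table beside its chains, chain-*/X inside chain X.  The
check is lexical (brace depth plus first word of each statement), not an nft
parser; FW4_SKELETON is a one-chain mock of what `fw4 print` shows."""
import re

# Statements that are only valid at ruleset scope; one of these inside the
# fw4 table is the "'table' is not expected" error from the thread.
RULESET_SCOPE = {"table", "flush", "add", "delete", "insert", "create"}
# Objects that live directly inside a table, beside fw4's own chains.
TABLE_SCOPE = {"chain", "set", "map", "flowtable", "counter", "quota", "limit"}

FW4_SKELETON = """\
@ruleset-pre@
table inet fw4 {
    @table-pre@
    chain input {
        type filter hook input priority filter; policy drop;
        # ... fw4's generated rules ...
    }
    @table-post@
}
@ruleset-post@
"""

def _walk(text):
    """Return (statements, final_depth, lowest_depth); statements holds
    (line_no, depth_at_line_start, first_word) for each line that is not
    blank, a comment or a lone '}'.  Braces of one-line set literals such
    as `{ tcp, udp }` cancel out; multi-line set literals are not modelled."""
    stmts, depth, lowest = [], 0, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line != "}":
            stmts.append((no, depth, line.split()[0]))
        depth += line.count("{") - line.count("}")
        lowest = min(lowest, depth)
    return stmts, depth, lowest

def scope_of(snippet):
    """'ruleset', 'table', 'chain', or 'unbalanced' when the snippet closes
    a brace it never opened (the workaround from the first post)."""
    stmts, final, lowest = _walk(snippet)
    if final != 0 or lowest < 0:
        return "unbalanced"
    first_words = {word for _, depth, word in stmts if depth == 0}
    if first_words & RULESET_SCOPE:
        return "ruleset"
    if first_words & TABLE_SCOPE:
        return "table"
    return "chain"

def render(include_dir, snippet):
    """Inline `snippet` where fw4 would include a file from `include_dir`
    (e.g. 'table-post'); the other include points are dropped."""
    out = []
    for line in FW4_SKELETON.splitlines():
        m = re.fullmatch(r"\s*@([\w/-]+)@", line)
        if m is None:
            out.append(line)
        elif m.group(1) == include_dir:
            out.extend(snippet.splitlines())
    return "\n".join(out) + "\n"

def check(ruleset):
    """First structural problem nft would report, or None.  Only scope
    errors and brace balance are modelled."""
    stmts, final, lowest = _walk(ruleset)
    for no, depth, word in stmts:
        if depth > 0 and word in RULESET_SCOPE:
            return f"line {no}: '{word}' is not expected inside a table"
    if lowest < 0 or final != 0:
        return "unbalanced braces"
    return None

# Constructed samples: a trimmed copy of the thread's v2ray.nft, and the
# brace hack from the first post (closes fw4's table, leaves its own open).
V2RAY_SNIPPET = """\
table ip v2ray
flush table ip v2ray
table ip v2ray {
    chain prerouting {
        type filter hook prerouting priority filter - 1; policy accept;
        meta l4proto { tcp, udp } meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
    }
}
"""
WORKAROUND = """\
}
table ip v2ray {
    chain prerouting {
    }
"""

if __name__ == "__main__":
    print("snippet scope:", scope_of(V2RAY_SNIPPET))
    for where in ("table-post", "ruleset-post"):
        print(where, "->", check(render(where, V2RAY_SNIPPET)) or "ok")
    print("workaround:", scope_of(WORKAROUND), "/",
          check(render("table-post", WORKAROUND)) or "ok in table-post")
```

Running it shows the snippet classified as ruleset scope, the table-post placement failing on the `table` keyword, the ruleset-post placement passing, and why the brace hack "works": the assembled file is balanced only because the snippet's stray `}` closes fw4's own table.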

I want to use v2ray on 22.03. Would you please guide me how to do that with nftables?

  1. First set up v2ray listening on port 12345 for tproxy, and mark every output packet with 0xff:
"streamSettings": {
  "sockopt": {
    "mark": 255
  }
}
  2. Add policy-based routing for packets with mark 1:
ip rule add fwmark 1 table 100                 # packets marked 0x1 are looked up in table 100
ip route add local 0.0.0.0/0 dev lo table 100  # table 100 delivers everything locally, to the tproxy socket

To persist these rules across reboots, add this config to /etc/config/network:

config rule
        option lookup '100'
        option mark '0x1'

config route
        option interface 'loopback'
        option type 'local'
        option target '0.0.0.0/0'
        option table '100'
  3. Add the nft rules to the file /usr/share/nftables.d/ruleset-post/v2ray.nft:
# declare and flush first, so reloading the file replaces the rules instead of appending to them
table ip v2ray
flush table ip v2ray
table ip v2ray {
        chain prerouting {
                # hook priority filter - 1 = -1, i.e. just before the standard filter priority
                type filter hook prerouting priority filter - 1; policy accept;
                # v2ray's own sockets carry mark 0xff (sockopt.mark above): never redirect them
                meta mark 0x000000ff return
                # traffic coming in from outside towards private ranges is left alone
                ip saddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
                # DNS sent to the router itself goes through the proxy (this sits before the LAN-to-LAN return)
                ip daddr { <openwrt ip here> } udp dport 53 meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
                # loopback, multicast and broadcast in either direction are left alone
                ip daddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
                ip saddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
                # LAN-to-LAN traffic is left alone
                ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
                # everything else that is TCP or UDP: mark 0x1 (policy-routed to lo) and hand it to v2ray
                meta l4proto { tcp, udp } meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
        }
}
  4. Allow input in the firewall for the whole IP range you want to tproxy for.
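As an added example (not part of the post, and not v2ray's or nftables' code), the following Python walks a few constructed packets through the prerouting chain above in rule order, so you can see which flows end up marked 0x1 and redirected to 127.0.0.1:12345 and which fall through to fw4. The router address 192.168.1.1 stands in for "<openwrt ip here>" and is an assumption, as are the sample packets:

```python
"""Rule-by-rule trace of the v2ray prerouting chain from the post above
(added example; not part of the post, of v2ray or of nftables).  It models
only the matches that chain uses, so one can see which packets get mark 0x1
and are handed to the tproxy listener and which fall through to fw4.
Assumed for the demo: the router's LAN address is 192.168.1.1 (the post's
"<openwrt ip here>"); the sample packets are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LOCAL = ["127.0.0.1/32", "224.0.0.0/4", "255.255.255.255/32"]
ROUTER_IP = "192.168.1.1"          # assumption, see lead-in
TPROXY_ADDR = "127.0.0.1:12345"    # v2ray's tproxy listener from the post
PROXY_MARK = 0xff    # set by v2ray on its own sockets (sockopt.mark = 255)
TPROXY_MARK = 0x1    # matched by `ip rule add fwmark 1 table 100`


@dataclass
class Packet:
    saddr: str
    daddr: str
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int = 0
    mark: int = 0


def _in(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)


def prerouting(pkt):
    """Walk the chain in the post's order; first match wins.  Returns
    "tproxy" (pkt.mark set to 0x1, packet redirected to TPROXY_ADDR) or
    "return" (left alone for fw4's own chains)."""
    # meta mark 0x000000ff return: v2ray's own upstream sockets carry 0xff;
    # if such a packet ever reaches prerouting it must not be redirected.
    if pkt.mark == PROXY_MARK:
        return "return"
    # ip saddr != private ip daddr private return: inbound from the
    # Internet towards the LAN is not proxied.
    if not _in(pkt.saddr, PRIVATE) and _in(pkt.daddr, PRIVATE):
        return "return"
    # ip daddr <router> udp dport 53 ... tproxy: DNS asked of the router
    # itself goes to the proxy.  This sits BEFORE the LAN-to-LAN return,
    # so it is the one LAN-destined flow that is proxied.
    if pkt.daddr == ROUTER_IP and pkt.proto == "udp" and pkt.dport == 53:
        pkt.mark = TPROXY_MARK
        return "tproxy"
    # loopback, multicast and broadcast in either direction
    if _in(pkt.daddr, LOCAL) or _in(pkt.saddr, LOCAL):
        return "return"
    # ip daddr private ip saddr private return: LAN to LAN
    if _in(pkt.daddr, PRIVATE) and _in(pkt.saddr, PRIVATE):
        return "return"
    # meta l4proto { tcp, udp } ... tproxy: everything else
    if pkt.proto in ("tcp", "udp"):
        pkt.mark = TPROXY_MARK
        return "tproxy"
    return "return"     # chain policy accept


def route_table(pkt):
    """Policy routing from the post: fwmark 1 -> table 100, whose single
    `local 0.0.0.0/0 dev lo` route delivers the packet to the local tproxy
    socket; everything else uses the main table (id 254)."""
    return 100 if pkt.mark == TPROXY_MARK else 254


def trace(pkt):
    """One-line summary of verdict, resulting mark and routing table."""
    verdict = prerouting(pkt)
    return (f"{pkt.saddr} -> {pkt.daddr}:{pkt.dport}/{pkt.proto}: "
            f"{verdict}, mark={pkt.mark:#x}, table={route_table(pkt)}")


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "1.1.1.1", "tcp", 443),              # LAN -> Internet
        Packet("192.168.1.10", "192.168.1.20", "tcp", 22),          # LAN -> LAN
        Packet("192.168.1.10", ROUTER_IP, "udp", 53),               # DNS to router
        Packet("192.168.1.10", ROUTER_IP, "tcp", 80),               # router web UI
        Packet("203.0.113.5", "192.168.1.10", "tcp", 51000),        # Internet -> LAN
        Packet("192.168.1.10", "224.0.0.251", "udp", 5353),         # mDNS
        Packet("192.168.1.10", "1.1.1.1", "tcp", 443, PROXY_MARK),  # already 0xff
    ]
    for p in samples:
        print(trace(p))
```

Two things the trace makes visible: the router-DNS rule precedes the LAN-to-LAN return, so DNS to the router is the only LAN-destined flow that gets proxied, while HTTP to the router's own address falls through; and anything already carrying 0xff is never redirected, which is what keeps v2ray's own upstream traffic from being looped back into the proxy.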

Which V2ray client app are you using?
Can you explain more about how to set up v2ray to listen on 12345 for tproxy and mark every output packet with 0xff?
I'm trying to make a step by step guide for using v2ray on openwrt 22.03, I would be grateful if you can help me with it.

This setup is for tproxy, so no client app is needed.

As for the config, that would be too complex to explain, and there are already plenty of great tutorials. I recommend this page: v2ray-step-by-step/transparent_proxy.md at transifex · v2fly/v2ray-step-by-step (github.com)

By client app I meant: which software package did you install on OpenWrt?

Could you please share "config.json" and "/etc/config/firewall" here?