I need to add a custom rule for a transparent proxy today. But when I add the rule to /usr/share/nftables.d/table-post/v2ray.nft, I get an error saying "table" is not expected.
When I run fw4 print, I see that my file is included within the table:
table inet fw4 {
... many chains
...
include "/usr/share/nftables.d/table-post/v2ray.nft"
}
My file is under the table-post folder; isn't it supposed to be included under the outermost curly brackets?
I'm using OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd
Now my workaround is to just add an additional curly bracket at the beginning to close the table, and then omit the other curly bracket at the end, like this:
}
table ip v2ray {
chain prerouting {
many rules....
}
My fault. I should have read the readme again before posting.
- Files in ./ruleset-pre/ and ./ruleset-post/ are included before and
after the `table inet fw4 { ... }` declaration respectively
- Files in ./table-pre/ and ./table-post/ are included before the first
chain and after the last chain declaration within the fw4 table
respectively
- Files in ./chain-pre/${chain}/ and ./chain-post/${chain}/ are included
before the first and after the last rule within the mentioned chain of
the fw4 table respectively
Add the nft rules to the file /usr/share/nftables.d/ruleset-post/v2ray.nft:
# Declare the table first so the flush never fails on a fresh boot, then
# flush it so re-running fw4 does not duplicate the rules below.
table ip v2ray
flush table ip v2ray
table ip v2ray {
    chain prerouting {
        type filter hook prerouting priority filter - 1; policy accept;
        # Packets already marked 0xff (v2ray's own outbound traffic) are left alone
        meta mark 0x000000ff return
        # Traffic from outside the private ranges towards the LAN is not proxied
        ip saddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
        # DNS queries addressed to the router itself are handed to the tproxy listener
        ip daddr { <openwrt ip here> } udp dport 53 meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
        # Loopback, multicast and broadcast traffic is never proxied
        ip daddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
        ip saddr { 127.0.0.1, 224.0.0.0/4, 255.255.255.255 } return
        # LAN-to-LAN traffic is never proxied
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
        # Everything else (TCP and UDP) is marked and redirected to the tproxy listener on 12345
        meta l4proto { tcp, udp } meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
    }
}
Allow input in the firewall for the whole IP range you want to tproxy for.
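The include order quoted from the fw4 README above and the ruleset-post placement in the previous reply, as an added example that is not part of this thread and not fw4's own code: a small Python script that emulates the documented include order (ruleset-pre, table-pre, chain-pre/post, table-post, ruleset-post) around a stand-in fw4 table, then walks the result counting braces to report any `table` statement that opens while another block is still open. The v2ray snippets, the three-chain fw4 table and the slot names as dictionary keys are constructed for the example; fw4's real rendering and chain list are larger.

```python
# Added example (not code from this thread or from OpenWrt/fw4): emulate the
# include order documented in fw4's README to show where a file placed in
# table-post vs. ruleset-post ends up, and catch a nested `table` before nft
# rejects it.  The slot names and their order come from the README; the
# rendering itself is a simplified stand-in, not fw4's implementation.
import re
from typing import Dict, List, Tuple

# Constructed stand-in for /usr/share/nftables.d/<slot>/v2ray.nft, trimmed
# to the lines that matter for placement.
V2RAY_NFT = """\
table ip v2ray
flush table ip v2ray
table ip v2ray {
    chain prerouting {
        type filter hook prerouting priority filter - 1; policy accept;
        meta mark 0x000000ff return
        meta l4proto { tcp, udp } meta mark set 0x00000001 tproxy to 127.0.0.1:12345 accept
    }
}
"""

# Constructed stand-in for the brace workaround from earlier in the thread:
# a stray "}" first, and the table's own closing brace omitted.
WORKAROUND_NFT = """\
}
table ip v2ray {
    chain prerouting {
        type filter hook prerouting priority filter - 1; policy accept;
        meta mark 0x000000ff return
    }
"""

FW4_CHAINS = ["input", "forward", "output"]   # a subset of fw4's real chains


def render_ruleset(includes: Dict[str, str], chains: List[str] = FW4_CHAINS) -> str:
    """Return the ruleset in the order fw4's README documents.

    `includes` maps a slot ("ruleset-pre", "table-post", "chain-post/input",
    ...) to the contents of the file that would live in that directory.
    """
    out: List[str] = [includes.get("ruleset-pre", "")]
    out.append("table inet fw4 {")
    out.append(includes.get("table-pre", ""))
    for chain in chains:
        out.append(f"  chain {chain} {{")
        out.append(includes.get(f"chain-pre/{chain}", ""))
        out.append(f"    # ... rules fw4 generates for {chain} ...")
        out.append(includes.get(f"chain-post/{chain}", ""))
        out.append("  }")
    out.append(includes.get("table-post", ""))
    out.append("}")
    out.append(includes.get("ruleset-post", ""))
    return "\n".join(part for part in out if part)


def check_table_nesting(ruleset: str) -> List[Tuple[int, str]]:
    """Return (line number, text) of every `table` statement that appears
    while a block is still open; that nesting is what produced the
    '"table" is not expected' error in the first post."""
    problems: List[Tuple[int, str]] = []
    depth = 0
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # ignore comments
        if not line:
            continue
        if depth > 0 and re.match(r"table\s", line):
            problems.append((lineno, line))
        depth += line.count("{") - line.count("}")   # set literals balance per line
    return problems


def brace_balance(ruleset: str) -> int:
    """Net open braces; anything but 0 means the rendered file cannot parse."""
    return sum(l.count("{") - l.count("}") for l in ruleset.splitlines())


def placement_errors(slot: str, snippet: str = V2RAY_NFT) -> List[Tuple[int, str]]:
    """Render `snippet` as if it were /usr/share/nftables.d/<slot>/v2ray.nft
    and report the table declarations that would end up nested."""
    return check_table_nesting(render_ruleset({slot: snippet}))


if __name__ == "__main__":
    for slot in ("table-post", "ruleset-post"):
        errs = placement_errors(slot)
        print(f"{slot:13s}: {'OK' if not errs else errs}")
    print("workaround in table-post:", placement_errors("table-post", WORKAROUND_NFT) or "OK")
```

Running it shows both `table ip v2ray` lines flagged when the file sits in table-post and nothing flagged from ruleset-post. The brace workaround also passes, which is why it worked: its leading `}` closes the fw4 table early and the omitted trailing brace is supplied by fw4's own closing `}`, so the braces still balance even though the file is no longer self-contained.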
Which V2ray client app are you using?
Can you explain more about how to set up v2ray to listen on 12345 for tproxy and mark every output packet with 0xff?
I'm trying to make a step-by-step guide for using v2ray on OpenWrt 22.03; I would be grateful if you could help me with it.