Some questions about nftables and OpenWRT

Hi all,

As some of you already know, I'm developing a suite of shell scripts for geoip blocking. At this point it is fully functional and has no more dependencies which do not ship on OpenWRT by default. Except it only works with iptables. So now I want to adapt it to nftables for OpenWRT support. I'm new to nftables, so I have a few questions.

When answering, please keep in mind that the project aims to be used by other people, not just myself. So my most important consideration is reliability in environments which I do not control, a.k.a to avoid creating issues which an end user would have to solve.

  1. Which netfilter hook is best to use? The options are ingress, prerouting, or input and forwarding. My intuition would be to use the prerouting hook because it's the earliest one which is not tied to a specific network interface (so it's simpler to automate). But then maybe there is a reason to use the ingress hook which I'm unaware of? (for example better performance). Or maybe there is a reason to use the input and forwarding hooks?
    For reference:
    Netfilter hooks

  2. Is there a preferred method of restoring nft tables and sets upon reboot? Currently my project does this via a cron job which runs at reboot but that doesn't work on OpenWRT because the @reboot crontab tag is unavailable in this version of busybox. So I suppose I'll have to add a script which runs on init. I'm thinking what sort of script that would be (either a shell script or an nft script) and how to avoid race conditions with pre-existing scripts which might run on the same device and do something with the firewall at reboot.

  3. What would be the best way to trigger updates? Currently my scripts implement this via a cron job - this does work on OpenWRT, provided that the cron service is enabled. Is there a good reason to change this mechanism?

  4. Are there other considerations which I should be aware of in the context of OpenWRT to avoid potential conflicts with the way the firewall is working or with other firewall-related applications which may be running on the same device?

Thanks to everyone who answers.

still relevant :slight_smile:

Re 2.:

I have setup a script, placed in /usr/sbin/ that is excecuted after reboot, by placing the excecution command in /etc/rc.local. That script checks whether a certain set with corresponding routing should be created and does so if correct.

To update the set, you can simply create a cronjob that runs the script at certain points in time. Below is my script as an example:

sed -i "/${setName}/d" /etc/iproute2/rt_tables

echo "9 ${setName}" >> /etc/iproute2/rt_tables

uci set firewall.@defaults[0].forward='ACCEPT'
uci commit

sed -i "/${setName}/d" /etc/dnsmasq.conf

echo "nftset=${domains}${firewall4}" >> /etc/dnsmasq.conf
echo "nftset=${domains}${firewall6}" >> /etc/dnsmasq.conf

/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart

ip rule add prio $priorityvalue fwmark $mark lookup $setName
ip route add table $setName $defaultRoute

nft add set inet fw4 streaminglist4 '{ type ipv4_addr; }'
nft add set inet fw4 streaminglist6 '{ type ipv6_addr; }'

nft insert rule inet fw4 mangle_prerouting ip daddr @streaminglist4 counter meta mark set 0x3
nft insert rule inet fw4 mangle_prerouting ip6 daddr @streaminglist6 counter meta mark set 0x3


  ip route del table $setName $defaultRoute
  ip rule del prio $priorityvalue fwmark $mark lookup $setName

  sed -i "/${setName}/d" /etc/dnsmasq.conf
  sed -i "/${setName}/d" /etc/iproute2/rt_tables

  uci set firewall.@defaults[0].forward='ACCEPT'
  uci commit

  /etc/init.d/firewall restart
  /etc/init.d/dnsmasq restart

1 Like

Thanks for your input. Still hoping that someone will chime in on the other questions.

Short answer: hook prerouting priority raw - 10;
Long answer:
Latest point to not create states is filter/prerouting but but by then kernel will allocate slab-s for CT meta info.
After that packets branch to either input or forward.
You can drop at ingress, but it is more meant to have hardware to pick up flowtable states and transport packet to destination bypassing all filter hooks. Does not make any benefit over raw for other packets.

Alternate answer:
ip ro add blackhole DST/MASK metric 12345


Welcome to the forum @brada4 . This is a 2 months old thread an by now i figured it out but thank you for an actually useful input.

Popped up right away next to other nftables Q, I found no answer4u so I answered way I understand it... Be my guest.