Uidrange option Missing on fw4 (OpenWRT 23.5.05)

According to this doc page, I tried adding this rule to /etc/config/firewall to DSCP-mark a process running as UID 8118 on the router:

config rule
	option name 'mark-test-uid'
	option target 'DSCP'
	option set_dscp '47'
	option dest 'wan'
	option uidrange '8118'
	option enabled '0'

then uci commit firewall and service firewall restart.
But the firewall service gave me this:

Section @rule[10] (mark-test-uid) specifies unknown option 'uidrange'
Section @rule[10] (mark-test-uid) is disabled, ignoring section
.
.
.

Is this no longer supported?
Is there any alternative to set firewall rules based on process name/pid/uid/... on the latest OpenWRT?

Option was not moved from fw3
Do you need help re-creating the logic with meta skuid { 8118 } ip dscp set cs0?

btw an odd number value is incorrect; choose one from nft describe ip dscp

Seems nft add rule inet fw4 mangle_output meta skuid 8118 ip dscp set 47 does the job.

But the UID option is missing from LuCI and UCI.

To make the above command permanent, comment out the chain user_post_output section in /etc/nftables.d/10-custom-filter-chains.nft and add the rule to it, so it looks like this:

chain user_post_output {
        type filter hook output priority 1; policy accept;
        ct state new log prefix "Firewall4 accepted egress: "
        meta skuid 8118 ip dscp set 47
}

It will survive reboots and firewall restarts.
You can check that the rule has been added to that chain by running nft list table inet fw4 and finding the user_post_output chain.

I guess those are some predefined standard DSCP values.
I don't want to use any of them.
From what I tested, any value between 0 and 63 is possible,
and ToS is DSCP*4.

I wanted to find a way to route a process on my router through a VPN interface. PBR was up and running, and in its config page DSCP 47 was set for my WireGuard VPN interface.
But it took me ages to figure out this simple command. I am so happy to have finally found the solution :slightly_smiling_face:.

You can duplicate the standard mangle.postrouting or raw.output name with the hook line and prepend your rules to the default hook.

To unify v4 v6 dscp:

It's weird. But it stopped working. I don't get it.
As I said, I have PBR on the router.
After a modem reboot, and waiting a bit for PBR to add its policies, I ran nft add rule inet fw4 mangle_output meta skuid 8118 ip dscp set 47.

The rule is added to nft:

root@Abyss-r2:~# nft list ruleset
table inet fw4 {
        set pbr_wg0_4_dst_ip_cfg086ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Torrent Related Domains"
        }
 
        set pbr_wg0_4_dst_ip_cfg0a6ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Telegram Domains"
        }
 
        set pbr_wg0_4_dst_ip_cfg0c6ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Twitter Domains"
        }
 
        set pbr_wg0_4_dst_ip_cfg0e6ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Meta Domains"
                elements = { 157.240.203.2, 157.240.249.35 }
        }
 
        set pbr_wg0_4_dst_ip_cfg0f6ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Media Sites"
        }
 
        set pbr_wg0_4_dst_ip_cfg106ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Other Domains"
        }
 
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname { "wg0", "tun0", "eth1" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                jump handle_reject
        }
 
        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname { "wg0", "tun0", "eth1" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }
 
        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname { "wg0", "tun0", "eth1" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }
 
        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }
 
        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }
 
        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }
 
        chain input_lan {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_lan
        }
 
        chain output_lan {
                jump accept_to_lan
        }
 
        chain forward_lan {
                tcp dport 853 counter packets 0 bytes 0 jump handle_reject comment "!fw4: ubus:adblock-fast[main] rule 1"
                udp dport 853 counter packets 0 bytes 0 jump handle_reject comment "!fw4: ubus:adblock-fast[main] rule 1"
                tcp dport 853 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Deny-DoT"
                udp dport 853 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Deny-DoT"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }
 
        chain helper_lan {
        }
 
        chain accept_from_lan {
                iifname "br-lan" counter packets 286 bytes 41070 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }
 
        chain accept_to_lan {
                oifname "br-lan" counter packets 9 bytes 616 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }
 
        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 14 bytes 396 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }
 
        chain output_wan {
                jump accept_to_wan
        }
 
        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }
 
        chain accept_to_wan {
                meta nfproto ipv4 oifname { "wg0", "tun0", "eth1" } ct state invalid counter packets 25 bytes 1296 drop comment "!fw4: Prevent NAT leakage"
                oifname { "wg0", "tun0", "eth1" } counter packets 538 bytes 331513 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }
 
        chain reject_from_wan {
                iifname { "wg0", "tun0", "eth1" } counter packets 249 bytes 245321 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }
 
        chain reject_to_wan {
                oifname { "wg0", "tun0", "eth1" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }
 
        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                jump pbr_dstnat comment "Jump into pbr dstnat chain"
        }
 
        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname { "wg0", "tun0", "eth1" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }
 
        chain dstnat_lan {
                tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: ubus:adblock-fast[main] redirect 0"
                udp dport 53 counter packets 97 bytes 6929 redirect to :53 comment "!fw4: ubus:adblock-fast[main] redirect 0"
                tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: intercept-DNS"
                udp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: intercept-DNS"
        }
 
        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }
 
        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }
 
        chain raw_output {
                type filter hook output priority raw; policy accept;
        }
 
        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
                jump pbr_prerouting comment "Jump into pbr prerouting chain"
        }
 
        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
                jump pbr_postrouting comment "Jump into pbr postrouting chain"
        }
 
        chain mangle_input {
                type filter hook input priority mangle; policy accept;
                jump pbr_input comment "Jump into pbr input chain"
        }
 
        chain mangle_output {
                type route hook output priority mangle; policy accept;
                jump pbr_output comment "Jump into pbr output chain"
                meta skuid 8118 ip dscp set 0x2f
        }
 
        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname { "wg0", "tun0", "eth1" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname { "wg0", "tun0", "eth1" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                jump pbr_forward comment "Jump into pbr forward chain"
        }
 
        chain pbr_dstnat {
        }
 
        chain pbr_forward {
        }
 
        chain pbr_input {
        }
 
        chain pbr_output {
        }
 
        chain pbr_prerouting {
                ip dscp 0x2f goto pbr_mark_0x010000
                ip saddr { 192.168.48.7, 192.168.48.8, 192.168.48.24 } goto pbr_mark_0x010000 comment "LAN"
                ip saddr 192.168.48.6 tcp dport { 80, 443 } goto pbr_mark_0x010000 comment "NAS"
                ip daddr @pbr_wg0_4_dst_ip_cfg086ff5 goto pbr_mark_0x010000 comment "Torrent Related Domains"
                ip daddr { 91.105.192.0/23, 91.108.4.0-91.108.23.255, 91.108.56.0/22, 95.161.64.0/20, 149.154.160.0/20, 185.76.151.0/24 } goto pbr_mark_0x010000 comment "Telegram IPs"
                ip daddr @pbr_wg0_4_dst_ip_cfg0a6ff5 goto pbr_mark_0x010000 comment "Telegram Domains"
                ip daddr { 8.25.194.0-8.25.197.255, 64.63.0.0/18, 69.12.56.0/21, 69.195.160.0/19, 103.252.112.0/22, 104.244.40.0-104.244.42.255, 104.244.44.0/22, 185.45.4.0/22, 188.64.224.0/21, 192.48.236.0/23, 192.133.76.0/22, 199.16.156.0/22, 199.59.148.0/22, 199.96.56.0/23, 202.160.128.0/22, 209.237.192.0/19 } goto pbr_mark_0x010000 comment "Twitter IPs"
                ip daddr @pbr_wg0_4_dst_ip_cfg0c6ff5 goto pbr_mark_0x010000 comment "Twitter Domains"
                ip daddr { 31.13.24.0/21, 31.13.64.0/18, 45.64.40.0/22, 57.141.0.0/24, 57.141.3.0/24, 57.141.5.0/24, 57.141.7.0-57.141.8.255, 57.141.10.0/24, 57.141.13.0/24, 57.144.0.0/14, 66.220.144.0/20, 69.63.176.0/20, 69.171.224.0/19, 74.119.76.0/22, 102.132.96.0-102.132.112.255, 102.132.114.0-102.132.117.255, 102.132.119.0-102.132.123.255, 102.132.125.0-102.132.126.255, 102.221.188.0/22, 103.4.96.0/22, 129.134.0.0/17, 129.134.130.0-129.134.132.255, 129.134.135.0-129.134.140.255, 129.134.143.0-129.134.144.255, 129.134.147.0-129.134.150.255, 129.134.154.0-129.134.165.255, 129.134.168.0/24, 129.134.170.0-129.134.190.255, 157.240.0.0-157.240.129.255, 157.240.131.0/24, 157.240.156.0/22, 157.240.169.0-157.240.170.255, 157.240.175.0-157.240.177.255, 157.240.179.0/24, 157.240.181.0-157.240.189.255, 157.240.192.0/18, 163.70.128.0/17, 163.114.128.0/20, 173.252.64.0/18, 179.60.192.0/22, 185.60.216.0/22, 185.89.216.0/22, 199.201.64.0/22, 204.15.20.0/22 } goto pbr_mark_0x010000 comment "Meta IPs"
                ip daddr @pbr_wg0_4_dst_ip_cfg0e6ff5 goto pbr_mark_0x010000 comment "Meta Domains"
                ip daddr @pbr_wg0_4_dst_ip_cfg0f6ff5 goto pbr_mark_0x010000 comment "Media Sites"
                ip daddr @pbr_wg0_4_dst_ip_cfg106ff5 goto pbr_mark_0x010000 comment "Other Domains"
        }
 
        chain pbr_postrouting {
        }
 
        chain pbr_mark_0x010000 {
                meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }
 
        chain pbr_mark_0x020000 {
                meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }
 
        chain pbr_mark_0x030000 {
                meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }
}
table inet nft-qos-monitor {
        chain upload {
                type filter hook postrouting priority filter; policy accept;
        }
 
        chain download {
                type filter hook prerouting priority filter; policy accept;
        }
}
table inet nft-qos-static {
        chain upload {
                type filter hook postrouting priority filter; policy accept;
        }
 
        chain download {
                type filter hook prerouting priority filter; policy accept;
        }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                ip saddr 107.175.136.203 tcp sport 18603 xt match "comment" counter packets 0 bytes 0 drop
        }
 
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }
 
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
 

But the traffic is not getting routed to wg0 and goes to default wan.

I tested PBR DSCP routing by sending packets from another LAN system and it works.

I can't figure out what's wrong :sweat_smile:

Paste text, not links to 3rd party sites.
You need to set the packet mark from skuid, then the priority (not DSCP) based on the packet mark, and it has to match the pbr mark range.
Nobody cares about your DSCP mark outside your system. It will be a) dropped with the rest of the packet, b) zeroed, or c) set to cs1.

1 Like

OK. The text was long; I thought that was a better idea.
I edited my post.

meta skuid 12345 jump pbr_meta_mark12334567 (whichever pertains to forcing traffic to wg0)

1 Like

Thanks. Using your suggestion I ran nft add rule inet fw4 mangle_output meta skuid 8118 jump pbr_mark_0x010000.

But I had to run it after each pbr service run or it wouldn't work.
Since pbr has a setting to run custom scripts, I made a simple script like this and added it there. It seems to work after restarts for now.

#!/bin/sh
# shellcheck disable=SC2015,SC3003,SC3060
# Hooked in via pbr's custom-script setting, so it runs every time pbr
# (re)starts and the pbr_mark_0x010000 chain it jumps to already exists.

nft add rule inet fw4 mangle_output meta skuid 8118 jump pbr_mark_0x010000
return 0

You can put the chain section from inside table inet fw4 {...} in whatever.nft in /etc/nftables.d, repeating the hook header for base chains.

1 Like

I did that and it failed.
If I understand correctly, pbr starts after the base chains and any .nft file in /etc/nftables.d have been parsed.
My rule needs a chain that pbr creates (pbr_mark_0x010000), and at the moment my custom rule is being added, it doesn't exist yet.
PBR failed to start.

That was why I made this script to be run by pbr itself.
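As an added example (not the script posted in this thread and not part of pbr or fw4), here is an idempotent version of that custom script. It covers both problems raised above: it refuses to add the jump while pbr's mark chain does not exist yet, and it skips the add when the rule is already in mangle_output, so repeated pbr restarts do not stack duplicate rules. It assumes the names from the ruleset posted earlier (table inet fw4, chain mangle_output, mark chain pbr_mark_0x010000, UID 8118) and that nft -n prints UIDs numerically; the text-parsing helpers are kept separate from the nft calls so they can be checked against a captured listing without a router.

```shell
#!/bin/sh
# Idempotent pbr custom script (added example; not the thread's script and
# not part of pbr or fw4).  Assumed names, taken from the ruleset shown
# earlier in the thread: table inet fw4, chain mangle_output, pbr's mark
# chain pbr_mark_0x010000, and UID 8118 as the process to steer.

TABLE="inet fw4"
CHAIN="mangle_output"
TARGET_CHAIN="pbr_mark_0x010000"
STEER_UID=8118
RULE="meta skuid ${STEER_UID} jump ${TARGET_CHAIN}"

# chain_listed LISTING NAME
#   Succeed if chain NAME is declared in LISTING (the text produced by
#   "nft list table inet fw4").  Pure text work, so it runs without nft.
chain_listed() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == "chain" && $2 == name { found = 1 } END { exit !found }'
}

# chain_body LISTING NAME
#   Print only the lines between "chain NAME {" and its closing brace.
chain_body() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "chain" && $2 == name { inside = 1; next }
        inside && $1 == "}"         { inside = 0 }
        inside                      { print }'
}

# rule_in_chain LISTING CHAIN RULE
#   Succeed if RULE already appears inside CHAIN only, so the same rule
#   text sitting in some other chain does not count as present.
rule_in_chain() {
    chain_body "$1" "$2" | grep -qF -- "$3"
}

# decide LISTING
#   Print the action to take for this listing:
#     missing-chain  pbr has not created TARGET_CHAIN yet; the jump would
#                    fail (this is what broke the /etc/nftables.d attempt),
#                    so do nothing and report it
#     present        the rule is already in CHAIN; do not add a duplicate
#     add            safe to append the rule
decide() {
    if ! chain_listed "$1" "$TARGET_CHAIN"; then
        echo missing-chain
    elif rule_in_chain "$1" "$CHAIN" "$RULE"; then
        echo present
    else
        echo add
    fi
}

# ensure_rule: the only function that talks to nft.  "nft -n" is assumed
# to print UIDs numerically so the listing matches $RULE verbatim.
ensure_rule() {
    listing="$(nft -n list table $TABLE)" || return 1
    case "$(decide "$listing")" in
        add)           nft add rule $TABLE $CHAIN $RULE ;;
        present)       ;;
        missing-chain) echo "$TARGET_CHAIN missing; rule not added" >&2
                       return 1 ;;
    esac
}

# Only touch the firewall when nft is actually present, so the helpers
# above can also be exercised on a captured listing on another machine.
if command -v nft >/dev/null 2>&1; then
    ensure_rule || echo "ensure_rule failed" >&2
fi
```

Drop this in as pbr's custom script in place of the one-liner above. Because pbr sources the script, ending it with return 0 as the thread's version does is fine; it is left out here only so the file also runs stand-alone. After a pbr restart, nft list chain inet fw4 mangle_output should show exactly one meta skuid 8118 jump pbr_mark_0x010000 line no matter how many times pbr has been restarted.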

Add other chain empty if it is really missing at any point.
