Working Nftables Rule for TTL in 22.03

After searching for updated nftable rules for TTL, I came across these links:

1.) put this in /etc/config/firewall
config include
    option path '/etc/firewall.user'
    option fw4_compatible '1'

2.) create the file '/etc/firewall.user'

3.) put this line in it:
nft add rule inet fw4 mangle_forward oifname usb0 ip ttl set 65

4.) restart the firewall
/etc/init.d/firewall restart

Not much info is available yet on fw4 and I am still waiting for updates on the gl.inet x750 and opal to be upgraded to 22.03, but have an rpi testing some of the changes until then.

Tried several nftables.d configs for TTL, but the above code seems to be a lot easier using a firewall.user file to add quick rules.

See Firewall4 / NFtables Tips and Tricks - #108 by jow

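The four steps above, scripted end to end as an added example (this is not code from the thread or from OpenWrt). It assumes a POSIX sh, the file paths the post names, and two assumed parameters: the upstream interface name (usb0 as in the post) and the TTL value. A third assumed parameter, a root directory, lets the files be written under a scratch directory instead of / so the result can be inspected before touching a live router.

```shell
#!/bin/sh
# Added example: automate the firewall.user include method for fw4 (22.03).
# Usage on the router:  ttl_install "" usb0 65 && ttl_apply
# Usage for inspection: ttl_install /tmp/scratch usb0 65

ttl_install() {
    root="${1:-}"        # assumed parameter: "" for the real system, or a scratch dir
    iface="${2:-usb0}"   # assumed parameter: interface matched with oifname
    ttl="${3:-65}"       # assumed parameter: TTL written into the rule

    fwcfg="$root/etc/config/firewall"
    fwuser="$root/etc/firewall.user"
    mkdir -p "$root/etc/config"

    # Step 1: add the include stanza, but only once. A duplicated stanza
    # would make fw4 run firewall.user twice and install the rule twice.
    # fw4_compatible '1' tells fw4 the script is nft-aware; without it fw4
    # skips the include as a legacy iptables script.
    if ! grep -q "option path '/etc/firewall.user'" "$fwcfg" 2>/dev/null; then
        {
            printf '\nconfig include\n'
            printf "\toption path '/etc/firewall.user'\n"
            printf "\toption fw4_compatible '1'\n"
        } >> "$fwcfg"
    fi

    # Steps 2 and 3: firewall.user is run as a shell script after the fw4
    # ruleset is loaded, so the mangle_forward chain already exists and the
    # nft command from the post can be issued directly.
    {
        printf '#!/bin/sh\n'
        printf '# Rewrite the TTL of forwarded packets leaving %s (written by ttl_install)\n' "$iface"
        printf 'nft add rule inet fw4 mangle_forward oifname "%s" ip ttl set %s\n' "$iface" "$ttl"
    } > "$fwuser"
    chmod 755 "$fwuser"
}

# Step 4: restart fw4 so the include runs. Only meaningful on the router,
# so it is a no-op where the init script does not exist.
ttl_apply() {
    if [ -x /etc/init.d/firewall ]; then
        /etc/init.d/firewall restart
    fi
}

# Print the nft rule line that was written (for inspection or scripting).
ttl_rule_text() {
    sed -n '/^nft /p' "${1:-}/etc/firewall.user"
}
```

Running `ttl_install` a second time is safe: the include stanza is detected and not appended again, while firewall.user is simply rewritten. After `ttl_apply`, `nft list chain inet fw4 mangle_forward` shows the added rule at the end of the chain.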

Thanks!

Search engines don't have any info or quick answers for TTL questions for firewall4 and TTL as of Dec 2022.

Plenty of info on iptables -t mangle -I POSTROUTING -o usb0 -j TTL --ttl-set 65 though.

I have this fw4 rule when tethering from my phone

chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  counter ip ttl set 65
}

chain mangle_prerouting_ttl65 {
  type filter hook prerouting priority 300; policy accept;
  counter ip ttl set 65
}

in
/etc/nftables.d/12-mangle-ttl-65.nft


Perfect!

Do you know what adjustments are needed to specify using usb0, wwan0 or eth1 interfaces in the 12-mangle-ttl-65.nft config?

I'd guess something along these lines:

chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  oifname { "usb0", "wwan0", "eth1" } counter ip ttl set 65
}

chain mangle_prerouting_ttl65 {
  type filter hook prerouting priority 300; policy accept;
  iifname { "usb0", "wwan0", "eth1" } counter ip ttl set 65
}

Great!

Using basic keywords, search engines are now showing two working configs for setting TTL using fw4 in the 1st few results.

Hopefully openwrt will implement custom firewall rules again using the firewall.user file from inside of luci, making it easier to enable/disable nft add rule lines as needed.

Thanks again for the mangle_postrouting_ttl65 rules as well!

This works for me, but I cannot make it work when I try to restrict it to 'eth2' (my tethering interface - I don't tether all of the time). I tried:

oifname eth2 counter ip ttl set 65
oifname "eth2" counter ip ttl set 65
oifname { "eth2" } counter ip ttl set 65

The rule gets ignored when I use any of the above. I also tried leaving the word 'counter' out.
What am I missing?

Try iifname "eth2" for the prerouting chain.

Thanks for the suggestion, but sadly, I was already doing that - I should have been more clear in my post. Here's a complete example of one of the variations I tried:

chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  oifname "eth2" counter ip ttl set 65
}

chain mangle_prerouting_ttl65 {
  type filter hook prerouting priority 300; policy accept;
  iifname "eth2" counter ip ttl set 65
}

I test it by logging into the router and pinging the router address. Without the interface restriction to 'eth2', the pings return 'ttl=65'. When I try to restrict it, I get 'ttl=64'.

I’m not 100% certain, but if you’re logged into the router, you would only hit the mangle postrouting chain, or the mangle output chain.

Are you 100% certain that eth2 is correct?

Yeah, eth2 is definitely my tethering interface. Changing the eth2 TTL worked fine with iptables on prior OpenWRT versions.

Let’s examine your test results in more detail. Do you have a more realistic test than pinging the router address from the router itself? Ping something external from a LAN client?

You can set up some debugging if necessary.

https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing

Yeah, I definitely need an alternative way to test the TTL change. When I used iptables, I could check with the following:

iptables -t mangle -vnL POSTROUTING

I need to figure out the nftables equivalent of the above.

tcpdump -i eth2 -v

Perfect, that's what I needed to know. When I log into the router and run the above command, I show a TTL of 65 for traffic moving from my router address to the gateway address, which is what I wanted to confirm.

Thanks! Here's the rule that seems to be working for me:

chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  oifname "eth2" counter ip ttl set 65
}

chain mangle_prerouting_ttl65 {
  type filter hook prerouting priority 300; policy accept;
  iifname "eth2" counter ip ttl set 65
}
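The earlier question about the nftables equivalent of `iptables -t mangle -vnL POSTROUTING` is answered by `nft list chain inet fw4 mangle_postrouting_ttl65`: the `counter` statement in the rule above is printed as `counter packets N bytes M`, so a rising packet count shows the `oifname "eth2"` match is actually hitting, independently of the tcpdump check. The script below is an added example, not code from the thread; the chain listings it parses are constructed samples in the format `nft list chain` prints, and `ttl_check_live` and its parameters are assumed names for the on-router usage.

```shell
#!/bin/sh
# Added example: read the rule counter from `nft list chain` output and
# compare two snapshots to confirm the TTL rule is matching traffic.

# Constructed samples of `nft list chain inet fw4 mangle_postrouting_ttl65`
# taken before and after a LAN client pinged an external host via eth2.
SAMPLE_BEFORE='table inet fw4 {
	chain mangle_postrouting_ttl65 {
		type filter hook postrouting priority 300; policy accept;
		oifname "eth2" counter packets 1842 bytes 154930 ip ttl set 65
	}
}'
SAMPLE_AFTER='table inet fw4 {
	chain mangle_postrouting_ttl65 {
		type filter hook postrouting priority 300; policy accept;
		oifname "eth2" counter packets 1854 bytes 155938 ip ttl set 65
	}
}'

# Print the packet count of the first "ip ttl set" rule that carries a
# counter, reading `nft list chain` output from stdin. Prints 0 if the
# rule is absent or was written without "counter".
ttl_rule_packets() {
    awk 'BEGIN { n = 0 }
         /ip ttl set/ && /counter packets/ && !found {
             for (i = 1; i <= NF; i++) if ($i == "packets") { n = $(i + 1); found = 1 }
         }
         END { print n }'
}

# Compare two listings: "active (+N packets)" if the counter rose, else "idle".
ttl_counter_delta() {
    before="$(printf '%s\n' "$1" | ttl_rule_packets)"
    after="$(printf '%s\n' "$2" | ttl_rule_packets)"
    if [ "$after" -gt "$before" ]; then
        printf 'active (+%s packets)\n' "$((after - before))"
    else
        echo idle
    fi
}

# On the router only: snapshot the chain twice, a few seconds apart, while
# a LAN client generates traffic through the tethering interface.
ttl_check_live() {
    chain="${1:-mangle_postrouting_ttl65}"   # assumed parameter
    wait="${2:-5}"                           # assumed parameter: seconds between snapshots
    a="$(nft list chain inet fw4 "$chain")"
    sleep "$wait"
    b="$(nft list chain inet fw4 "$chain")"
    ttl_counter_delta "$a" "$b"
}
```

For a packet-level confirmation of the rewritten value, `tcpdump -i eth2 -v -c 5 icmp` while a client pings shows `ttl 65` in the IP header of each outgoing packet; the counter check above only proves the rule matched, not what it wrote.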

Don't you only need the top one? Is this to try to make ISP think there's no tethering? I imagine that trick relates more to superstition than reality but I could be wrong.

Yeah, I really only need the top one for tethering, which I only use as backup in case my ISP goes down. And you're right, it's probably part of networking folklore and doesn't even make a difference. 😀

I use it myself just in case for my 4G connection as part of my utility for applying cake and handling DSCPs: cake-qos-simple.