OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Kernel
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
Attached to Project: OpenWrt/LEDE Project
Opened by n8v8R - 27.12.2019
Last edited by Jo-Philipp Wich - 14.01.2020

FS#2699 - [nftables] sets not working due to kernel configuration

- Master
- any target device (as specified in generic kernel conf [1])


# nft flush ruleset
# nft add table filter
# nft add chain filter input { type filter hook input priority 0\; }
# nft add set filter myset { type ipv4_addr\; }

produces

Error: Could not process rule: Not supported

This has been a frustrating experience, and then having to figure out the cause.


[1] https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/generic/config-4.19;hb=b2d10977a860f34e003ed158d6d208f431a14579#l3465

# CONFIG_NF_TABLES_SET is not set

[2] https://github.com/torvalds/linux/blob/master/net/netfilter/Kconfig#L459

This option enables the nf_tables set infrastructure that allows to look up for elements in a set and to build one-way mappings between matchings and actions.


Closed by Jo-Philipp Wich
14.01.2020 16:00
Reason for closing: Fixed
Admin
Petr Štetiar commented on 04.01.2020 10:32

This is actually a bug (depends on the point of view), as the NFT set modules have been merged into one in https://github.com/torvalds/linux/commit/e240cd0df48185a28c153f83a39ba3940e3e9b86 so the NFT modules should be fixed for 4.19+ kernels.

n8v8R commented on 04.01.2020 10:45
> This is actually a bug (depends on the point of view)

It is basically a kernel conf that enables a feature (SETS) for NFT. That it is now perceived as bug is confusing however.

For that purpose (clarifying the point of view) I submitted an RFI to the forum

https://forum.openwrt.org/t/rfi-base-repo-appropriate-place-for-feature-request-and-what-qualifies-as-feature-request/51674

that has yet to receive a response.


Meantime, following early advice, I lodged a feature request in the forum

https://forum.openwrt.org/t/base-kernel-conf-feature-request-enable-nftables-sets/51682

fseek commented on 14.01.2020 07:44

Hello,

I join the club of the ones who encountered this bug (and another one, see below).

From the commit linked by Petr, it seems some configuration options and modules went away (CONFIG_NFT_SET_RBTREE and CONFIG_NFT_SET_HASH) and were replaced by CONFIG_NF_TABLES_SET.

So the current rules in include/netfilter.mk do not include the core SET feature needed by nftables to work correctly.

Besides, I found that NFT_OBJREF is also not built, and it's critical for things like the ones found here:

https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation

Also, this feature should be part of the core nftables infrastructure. See here for another user with the same problems I had and the response from one of the developers.

https://marc.info/?t=152495789400001&r=1&w=2

This is the patch I'm carrying over in my local tree to enable these two features:

diff --git a/include/netfilter.mk b/include/netfilter.mk
index a2af0104eb..79002a8d07 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -340,8 +340,8 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_EXTHDR, $(P_XT)nft_exth
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_META, $(P_XT)nft_meta),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_NUMGEN, $(P_XT)nft_numgen),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_CT, $(P_XT)nft_ct),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_RBTREE, $(P_XT)nft_set_rbtree),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_HASH, $(P_XT)nft_set_hash),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NF_TABLES_SET, $(P_XT)nf_tables_set),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_HASH, $(P_XT)nft_hash),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_COUNTER, $(P_XT)nft_counter),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_LOG, $(P_XT)nft_log),))
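Review bot: the two `-` lines drop CONFIG_NFT_SET_RBTREE and CONFIG_NFT_SET_HASH unconditionally, but some targets are still on the 4.14 kernel where those are the only set modules, so their builds will fail once nf_tables_set is the only entry. Keep the old two lines with the `lt 4.19` argument to nf_add and guard the new CONFIG_NF_TABLES_SET line with `ge 4.19`, as other entries in include/netfilter.mk already do; the CONFIG_NFT_OBJREF line can stay unguarded if the module builds on both kernel series.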

I hope something similar could be merged soon.

Admin
Petr Štetiar commented on 14.01.2020 07:49
> I hope something similar could be merged soon.

I'm willing to merge it soon if you send the patch via the appropriate channel; here you can find a detailed how-to: https://openwrt.org/submitting-patches

Admin
Petr Štetiar commented on 14.01.2020 07:53

Please note that there are some targets still on the 4.14 kernel, so you shouldn't be removing the old modules but add the lt 4.19 helper, and vice versa: for 4.19+ kernels the ge 4.19 helper should be used, otherwise the builds are going to fail. There are some examples using these helpers in that file already.

Admin
Jo-Philipp Wich commented on 14.01.2020 08:07

I am looking into this right now.

fseek commented on 14.01.2020 13:48

I changed the patch as suggested:

diff --git a/include/netfilter.mk b/include/netfilter.mk
index a2af0104eb..dd3f1763c6 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -340,8 +340,10 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_EXTHDR, $(P_XT)nft_exth
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_META, $(P_XT)nft_meta),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_NUMGEN, $(P_XT)nft_numgen),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_CT, $(P_XT)nft_ct),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_RBTREE, $(P_XT)nft_set_rbtree),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_HASH, $(P_XT)nft_set_hash),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_RBTREE, $(P_XT)nft_set_rbtree, lt 4.19),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_HASH, $(P_XT)nft_set_hash, lt 4.19),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NF_TABLES_SET, $(P_XT)nf_tables_set, ge 4.19),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_HASH, $(P_XT)nft_hash),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_COUNTER, $(P_XT)nft_counter),))
 $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_LOG, $(P_XT)nft_log),))
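Review bot: the `lt 4.19` / `ge 4.19` guards on the first three `+` lines address the 4.14 build concern; the one remaining unguarded addition is CONFIG_NFT_OBJREF on the last `+` line, so confirm that nft_objref builds on the 4.14 targets as well before sending, since the builds reported so far (ipq806x, ath79) are all 4.19. Also state in the commit message that upstream commit e240cd0d merged nft_set_rbtree and nft_set_hash into nf_tables_set, so the reason for the version split is recorded with the change.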

If it's correct and still needed (I see Jo-Philipp Wich is looking at it) I can send it to the mailing list in a few hours.

The images for the ipq806x target (Netgear R7800 and TP-Link C2600) build without errors and nftables works as expected. I also built the images for the ath79 target (mainly Archer C7), which also uses a 4.19 kernel.
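A small check for the situation fseek describes above (and for the generic-config line quoted in the report), as an added example that is not part of the bug report or of the OpenWrt tree: given a kernel version and the text of a kernel config, it reports which nftables set symbols are missing, expecting the pre-4.19 pair CONFIG_NFT_SET_RBTREE/CONFIG_NFT_SET_HASH or the merged CONFIG_NF_TABLES_SET, plus CONFIG_NFT_OBJREF. The sample config lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenWrt): report which nftables
# set-related kernel symbols a config lacks for a given kernel version.
# Before 4.19 sets come from CONFIG_NFT_SET_RBTREE / CONFIG_NFT_SET_HASH;
# from 4.19 on they are merged into CONFIG_NF_TABLES_SET.

# Constructed sample configs in the format of the OpenWrt generic config.
SAMPLE_CONFIG_419='CONFIG_NF_TABLES=y
CONFIG_NFT_CT=m
# CONFIG_NF_TABLES_SET is not set
CONFIG_NFT_OBJREF=m'

SAMPLE_CONFIG_414='CONFIG_NF_TABLES=y
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_OBJREF=m'

# config_has SYMBOL "<config text>": succeeds if SYMBOL is built in (y) or a module (m)
config_has() {
    printf '%s\n' "$2" | grep -Eq "^$1=(y|m)\$"
}

# kernel_ge_419 VERSION: succeeds if VERSION (e.g. 4.19.93) is 4.19 or newer
kernel_ge_419() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 19 ]; }
}

# nft_sets_missing VERSION "<config text>": prints the missing symbols
# (space separated); exit status 0 when nothing is missing, 1 otherwise
nft_sets_missing() {
    missing=""
    if kernel_ge_419 "$1"; then
        config_has CONFIG_NF_TABLES_SET "$2" || missing="CONFIG_NF_TABLES_SET"
    else
        for sym in CONFIG_NFT_SET_RBTREE CONFIG_NFT_SET_HASH; do
            config_has "$sym" "$2" || missing="$missing${missing:+ }$sym"
        done
    fi
    # nft_objref is needed on every kernel version for ct helper/timeout objects
    config_has CONFIG_NFT_OBJREF "$2" || missing="$missing${missing:+ }CONFIG_NFT_OBJREF"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage: the 4.19 sample reproduces the report, so this prints CONFIG_NF_TABLES_SET.
if ! nft_sets_missing 4.19.93 "$SAMPLE_CONFIG_419"; then
    echo "nft sets will fail with 'Not supported' on this kernel"
fi
```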

Admin
Jo-Philipp Wich commented on 14.01.2020 16:00

Fix pushed in https://git.openwrt.org/0e05093b12 - thanks!
