FS#2699 - [nftables] sets not working due to kernel configuration #7540

Closed
openwrt-bot opened this issue Dec 27, 2019 · 8 comments

@openwrt-bot

n8v8R:

  • Master
  • any target device (as specified in generic kernel conf [1])

nft flush ruleset

nft add table filter

nft add chain filter input { type filter hook input priority 0; }

nft add set filter myset { type ipv4_addr; }

produces

Error: Could not process rule: Not supported

This has been a frustrating experience and then having to figure out the cause.


[1] https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/generic/config-4.19;hb=b2d10977a860f34e003ed158d6d208f431a14579#l3465

CONFIG_NF_TABLES_SET is not set

[2] https://github.com/torvalds/linux/blob/master/net/netfilter/Kconfig#L459

This option enables the nf_tables set infrastructure that allows to look up for elements in a set and to build one-way mappings between matchings and actions.

@openwrt-bot

ynezz:

This is actually a bug (depends on the point of view), as the NFT set modules have been merged into one in torvalds/linux@e240cd0 so the NFT modules should be fixed for 4.19+ kernels.

@openwrt-bot

n8v8R:

> This is actually a bug (depends on the point of view)

It is basically a kernel conf that enables a feature (SETS) for NFT. That it is now perceived as bug is confusing however.

For that purpose (clarifying the point of view) I submitted a RFI to the forum

https://forum.openwrt.org/t/rfi-base-repo-appropriate-place-for-feature-request-and-what-qualifies-as-feature-request/51674

that has yet to receive a response.

Meantime, following early advice, lodged a feature request in the forum

https://forum.openwrt.org/t/base-kernel-conf-feature-request-enable-nftables-sets/51682

@openwrt-bot

fseek:

Hello,

I join the club of the ones who encountered this bug (and another one, see below).

From the commit linked by Petr, it seems some configuration options and modules went away (CONFIG_NFT_SET_RBTREE and CONFIG_NFT_SET_HASH) and were replaced by CONFIG_NF_TABLES_SET.

So the current rules in include/netfilter.mk do not include the core SET feature needed by nftables to work correctly.

Besides, I found that also NFT_OBJREF is not built and it's critical for things like the ones found here:

https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation

Also this feature should be part of the core nftables infrastructure. See here for another user with the same problems I had and the response from one of the developers.

https://marc.info/?t=152495789400001&r=1&w=2

This is the patch I'm carrying over in my local tree to enable these two features:

diff --git a/include/netfilter.mk b/include/netfilter.mk
index a2af0104eb..79002a8d07 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -340,8 +340,8 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_EXTHDR, $(P_XT)nft_exth
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_META, $(P_XT)nft_meta),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_NUMGEN, $(P_XT)nft_numgen),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_CT, $(P_XT)nft_ct),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_RBTREE, $(P_XT)nft_set_rbtree),))
-$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_HASH, $(P_XT)nft_set_hash),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),))
+$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NF_TABLES_SET, $(P_XT)nf_tables_set),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_HASH, $(P_XT)nft_hash),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_COUNTER, $(P_XT)nft_counter),))
$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_LOG, $(P_XT)nft_log),))
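Review bot: the two `-` lines drop CONFIG_NFT_SET_RBTREE and CONFIG_NFT_SET_HASH unconditionally, which breaks every target still on a 4.14 kernel, where the set code has not yet been merged into nf_tables_set and the old nft_set_rbtree/nft_set_hash modules are still the only providers. Keep both old lines and pass `lt 4.19` as the kernel-version argument to nf_add, and give the new `CONFIG_NF_TABLES_SET, $(P_XT)nf_tables_set` line `ge 4.19`, the way other entries in netfilter.mk already use those helpers; nft_objref can stay unguarded only if it is known to build on both kernel series.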

I hope something similar could be merged soon.
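Putting the reporter's symptom (`Error: Could not process rule: Not supported` on `nft add set`) and fseek's explanation of the 4.19 rename together as something a practitioner can run: the following is an added example, not code from the OpenWrt tree or from anyone in this thread. It reads a kernel config and reports whether nftables sets can work on a given kernel series, using the rule described above (CONFIG_NFT_SET_HASH and CONFIG_NFT_SET_RBTREE before 4.19, CONFIG_NF_TABLES_SET from 4.19 on), and it includes a live probe that tries `nft add set` in a throwaway table and always cleans up. The sample config fragments, the version strings 4.14.162 and 4.19.91, and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the OpenWrt tree or from anyone in this thread.
# Checks a kernel config for nftables set support as described in the issue:
#   kernel <  4.19: sets need CONFIG_NFT_SET_HASH and CONFIG_NFT_SET_RBTREE
#   kernel >= 4.19: sets need the merged CONFIG_NF_TABLES_SET
# Assumptions: versions are MAJOR.MINOR[.PATCH]; the config uses the usual
# "SYMBOL=y", "SYMBOL=m" and "# SYMBOL is not set" lines.

# kver_ge A B: succeed when kernel version A is at least B (MAJOR.MINOR only).
kver_ge() {
    a_maj=${1%%.*}; a_min=${1#*.}; a_min=${a_min%%.*}
    b_maj=${2%%.*}; b_min=${2#*.}; b_min=${b_min%%.*}
    [ "$a_maj" -gt "$b_maj" ] ||
        { [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -ge "$b_min" ]; }
}

# cfg_enabled SYMBOL FILE: succeed when SYMBOL is built in (=y) or modular (=m).
# "# SYMBOL is not set" and a missing line both count as disabled.
cfg_enabled() {
    grep -Eq "^$1=(y|m)"'$' "$2"
}

# nft_set_symbols KVER: the Kconfig symbols that provide nft sets on KVER.
nft_set_symbols() {
    if kver_ge "$1" 4.19; then
        echo CONFIG_NF_TABLES_SET
    else
        echo CONFIG_NFT_SET_HASH CONFIG_NFT_SET_RBTREE
    fi
}

# nft_sets_missing KVER FILE: print the required symbols FILE leaves disabled;
# empty output means sets are usable on that kernel.
nft_sets_missing() {
    missing=""
    for sym in $(nft_set_symbols "$1"); do
        cfg_enabled "$sym" "$2" || missing="${missing:+$missing }$sym"
    done
    printf '%s\n' "$missing"
}

# nft_sets_supported KVER FILE: readable verdict; exit status 0 when usable.
nft_sets_supported() {
    missing=$(nft_sets_missing "$1" "$2")
    if [ -n "$missing" ]; then
        echo "kernel $1: 'nft add set' will fail with 'Not supported'; unset: $missing"
        return 1
    fi
    echo "kernel $1: nft sets usable"
}

# nft_probe_sets: live check on the box (needs root and nft). Creates a
# throwaway table, tries to add a set to it and always deletes the table.
# Exit 0 = sets work, 1 = the kernel rejects them, 2 = could not probe.
nft_probe_sets() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed"; return 2; }
    tbl="probe_sets_$$"
    nft add table ip "$tbl" || return 2
    rc=0
    nft add set ip "$tbl" myset '{ type ipv4_addr; }' || rc=1
    nft delete table ip "$tbl"
    return "$rc"
}

# Constructed sample configs (not real OpenWrt files). CFG_419_UNSET mirrors
# the generic config-4.19 line quoted in the report; CONFIG_NFT_HASH=m is there
# to show that the similarly named hash expression is not the set provider.
CFG_419_UNSET=$(mktemp); CFG_419_FIXED=$(mktemp); CFG_414=$(mktemp)
trap 'rm -f "$CFG_419_UNSET" "$CFG_419_FIXED" "$CFG_414"' EXIT
cat >"$CFG_419_UNSET" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NFT_CT=m
# CONFIG_NF_TABLES_SET is not set
CONFIG_NFT_HASH=m
EOF
cat >"$CFG_419_FIXED" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_SET=m
CONFIG_NFT_OBJREF=m
EOF
cat >"$CFG_414" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_RBTREE=m
EOF

nft_sets_supported 4.19.91 "$CFG_419_UNSET" || :   # fails: symbol left unset
nft_sets_supported 4.19.91 "$CFG_419_FIXED" || :   # usable
nft_sets_supported 4.14.162 "$CFG_414" || :        # usable: old symbols suffice on 4.14
nft_sets_supported 4.19.91 "$CFG_414" || :         # fails: old symbols no longer exist on 4.19
```

`nft_sets_supported` is meant for the build host, pointed at the target's generated `.config` or at the generic `target/linux/generic/config-4.19` file quoted in the report. On the router itself the config is usually not exposed as /proc/config.gz, so `nft_probe_sets` is the practical check there; it needs root and the nft userspace tool, and it never leaves the probe table behind.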

@openwrt-bot

ynezz:

> I hope something similar could be merged soon.

I'm willing to merge it soon, if you send the patch via appropriate channel, here you can find a detailed how-to https://openwrt.org/submitting-patches

@openwrt-bot

ynezz:

Please note that there are some targets still on the 4.14 kernel, so you shouldn't be removing the old modules, but add the `lt 4.19` helper, and vice versa, for 4.19+ kernels the `ge 4.19` helper should be used, otherwise the builds are going to fail. There are some examples using these helpers in that file already.

@openwrt-bot

jow-:

I am looking into this right now.

@openwrt-bot

fseek:

I changed the patch as suggested:

diff --git a/include/netfilter.mk b/include/netfilter.mk index a2af0104eb..dd3f1763c6 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -340,8 +340,10 @@ $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_EXTHDR, $(P_XT)nft_exth $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_META, $(P_XT)nft_meta),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_NUMGEN, $(P_XT)nft_numgen),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_CT, $(P_XT)nft_ct),)) -$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_RBTREE, $(P_XT)nft_set_rbtree),)) -$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_HASH, $(P_XT)nft_set_hash),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_RBTREE, $(P_XT)nft_set_rbtree, lt 4.19),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_SET_HASH, $(P_XT)nft_set_hash, lt 4.19),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NF_TABLES_SET, $(P_XT)nf_tables_set, ge 4.19),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_OBJREF, $(P_XT)nft_objref),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_HASH, $(P_XT)nft_hash),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_COUNTER, $(P_XT)nft_counter),)) $(eval $(if $(NF_KMOD),$(call nf_add,NFT_CORE,CONFIG_NFT_LOG, $(P_XT)nft_log),))
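Review bot: the new CONFIG_NFT_OBJREF line carries no kernel-version argument, so nft_objref is requested on 4.14 builds as well, and the builds reported below do not exercise that case (ipq806x and ath79 are both on 4.19); build one 4.14 target before sending. Also, the patch has been flattened onto a single line in this comment and cannot be applied from here, so send it with git send-email as asked above so the hunk structure survives. The `lt 4.19` on the two old set lines and `ge 4.19` on `CONFIG_NF_TABLES_SET, $(P_XT)nf_tables_set` do address the 4.14 breakage of the first version, and the header's 8 to 10 line count matches two removals and four additions.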

If it's correct and still needed (I see Jo-Philipp Wich is looking at it) I can send it to the mailing list in a few hours.

The images for the ipq806x target (Netgear R7800 and TP-Link C2600) build without errors and nftables works as expected. I also built the images for the ath79 target (mainly Archer C7), which also uses a 4.19 kernel.

@openwrt-bot

jow-:

Fix pushed in https://git.openwrt.org/0e05093b12 - thanks!
