OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by David Summers - 05.02.2020

FS#2815 - nftables in 19.07

Hi,

Starting in 19.07, nftables doesn't work properly.

This is on a MIPS xrx200 device, a TP-Link TD-W8970.

To install nftables:
- opkg update
- opkg install nftables
- opkg install kmod-nft-nat
- rm /etc/modules.d/ipt*
- rm /etc/modules.d/42-ip6tables
- reboot

Create the file /etc/nftables.conf

flush ruleset

table ip nat {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		meta oiftype ppp masquerade
	}
}
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state { established, related } accept
		ct state invalid drop
		meta iiftype != ppp accept
		ip protocol icmp accept
		ip6 nexthdr ipv6-icmp accept
		meta iiftype ppp drop
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state { established, related } accept
		ct state invalid drop
		meta iiftype != ppp accept
		ip protocol icmp accept
		ip6 nexthdr ipv6-icmp accept
		meta iiftype ppp drop
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

Then attempt to install via

nft -f /etc/nftables.conf

Gives the error that

/etc/nftables.conf:4:8-17: Error: Could not process rule: File exists
	chain prerouting {
	      ^^^^^^^^^^
/etc/nftables.conf:8:8-18: Error: Could not process rule: File exists
	chain postrouting {
	      ^^^^^^^^^^^
/etc/nftables.conf:10:3-29: Error: Could not process rule: No such file or directory
		meta oiftype ppp masquerade
		^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is the error you would usually get if iptables NAT was in the kernel, but lsmod confirms it is not. Running "nft flush ruleset" in isolation works, and then "nft -f /etc/nftables.conf" works as expected.

This provides WAN access for the LAN, as expected, so NAT is working; and the router is also not scanned, so the firewall is correct.

However, on the router I can't do nslookups without error, e.g.

opkg update
Downloading http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/kmods/4.14.167-1-0f59e90218b95a909e229a713d3da157/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/kmods/4.14.167-1-0f59e90218b95a909e229a713d3da157/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/base/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/base/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/luci/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/luci/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/routing/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/routing/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/telephony/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/telephony/Packages.gz

Collected errors:
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/packages/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/kmods/4.14.167-1-0f59e90218b95a909e229a713d3da157/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/base/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/luci/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/packages/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/routing/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/telephony/Packages.gz, wget returned -1.

But “ping 8.8.8.8” works.

But after flushing the ruleset first (so no NAT or firewall), the router's access to the WAN works.

So this as a whole says nftables is badly broken on this machine in 19.07, as I can't do an atomic replacement of the rules, and can't get WAN access from the router.

In 18.06 this worked perfectly.

So it looks like in 19.07 there is some iptables baggage left in the kernel, stopping nftables working correctly.

I checked the kernel configuration, and built my own OpenWrt 19.07 with a hand-crafted 4.14.167 kernel config. This boots with the same messages as 19.07.1 and has the same nftables faults.

I’ll keep digging, but time to report it here.

In the long term, OpenWrt will probably need to move away from iptables to nftables (as the iptables backend moves to nftables). So ideally we would get this working, so those OpenWrt users who use nftables can debug their usage on OpenWrt before everyone has to move.

Any ideas?

David.
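The procedure the report describes (drop the iptables modules, write the ruleset, then load it) and the workaround it found (run the flush as its own transaction, then load the file) can be wrapped in a small loader that also checks the result. The script below is an added example; it is not code from the bug report or from OpenWrt. It assumes the ruleset lives at /etc/nftables.conf unless another path is given, that the nft binary is reachable as "nft" unless the NFT variable names another command, and that /proc/modules is readable for the leftover-iptables check (the module names it looks for are the ones the report's "rm /etc/modules.d/ipt*" step is meant to keep from loading).

```sh
#!/bin/sh
# Added example, not code from the bug report or from OpenWrt.
# Loads an nftables ruleset the way the reporter found works on 19.07:
# "flush ruleset" as its own transaction, then "nft -f <file>", then a check
# that the tables declared in the file are really present afterwards.
# Assumptions: ruleset at /etc/nftables.conf unless given; nft is reachable
# as "nft" unless NFT names another command (a test stub, for instance).

NFT="${NFT:-nft}"
RULESET="${RULESET:-/etc/nftables.conf}"

# Print iptables modules still loaded, reading a /proc/modules-style file
# (module name in the first column). Returns 1 when none are loaded.
# x_tables is deliberately not treated as leftover iptables, because the
# nftables compat layer (nft_compat) pulls it in as well.
iptables_modules_loaded() {
    modfile="${1:-/proc/modules}"
    [ -r "$modfile" ] || return 1
    found=1
    while read -r name _rest; do
        case "$name" in
            ip_tables|ip6_tables|iptable_*|ip6table_*)
                echo "$name"
                found=0
                ;;
        esac
    done < "$modfile"
    return "$found"
}

# Number of "table <family> <name> {" declarations in a ruleset file.
expected_tables() {
    grep -Ec '^[[:space:]]*table[[:space:]]+[a-z0-9]+[[:space:]]+[^[:space:]{]+[[:space:]]*[{]' "$1" || true
}

# Two-phase load. The file may itself begin with "flush ruleset"; against a
# kernel ruleset that is already empty that statement is harmless, which is
# why the separate flush makes the load go through. Fails if either nft call
# fails or if fewer tables exist afterwards than the file declares.
load_ruleset() {
    file="${1:-$RULESET}"
    "$NFT" flush ruleset || return 1
    "$NFT" -f "$file" || return 1
    want=$(expected_tables "$file")
    have=$("$NFT" list tables | grep -c '^table ' || true)
    [ "$have" -eq "$want" ]
}

# Usage: sh nft-load.sh load [/path/to/ruleset]
case "${1:-}" in
    load)
        if mods=$(iptables_modules_loaded); then
            echo "refusing to load: iptables modules still present: $mods" >&2
            exit 1
        fi
        load_ruleset "${2:-$RULESET}" && echo "ruleset loaded and verified"
        ;;
esac
```

The module check runs before anything touches the kernel ruleset, so a box where the /etc/modules.d cleanup did not take effect (for example after a sysupgrade restored the files) is caught before the nat table fails with "File exists". The table count after loading is a cheap way to notice a load that returned success but left part of the ruleset missing.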
