
FS#4239 - flow_offloading_hw doesn't work with nftables (mt7621) #9241

Closed
openwrt-bot opened this issue Jan 25, 2022 · 18 comments

@openwrt-bot

amaumene:

When enabling flow_offloading_hw on mt7621 devices (Xiaomi Redmi Router AC2100 and Mikrotik RB760iGS) like this:
root@route2:~# grep flow_offload /etc/config/firewall
option flow_offloading '1'
option flow_offloading_hw '1'

firewall4 fails to start:
root@route2:~# /etc/init.d/firewall start
/proc/self/fd/0:9:12-13: Error: Could not process rule: Not supported

/proc/self/fd/0:51:29-44: Error: Could not process rule: No such file or directory

The generated nftables rules look good:
root@route2:~# fw4 print > /tmp/fw4
root@route2:~# cat /tmp/fw4
table inet fw4
flush table inet fw4

table inet fw4 {
#
# Flowtable
#

flowtable ft {
	hook ingress priority 0;
	devices = { "br-lan" };
	flags offload;
}

#
# Set definitions
#


#
# Defines
#

define lan_devices = { "br-lan" }
define lan_subnets = { 192.168.1.0/24, 302:f543:22c1:2921::/64 }

#
# User includes
#

include "/etc/nftables.d/*.nft"


#
# Filter rules
#

chain input {
	type filter hook input priority filter; policy accept;

	iifname "lo" accept comment "!fw4: Accept traffic from loopback"

	ct state established,related accept comment "!fw4: Allow inbound established and related flows"
	tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
	iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
}

chain forward {
	type filter hook forward priority filter; policy drop;

	meta l4proto { tcp, udp } flow offload @ft;
	ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
	iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
	jump handle_reject
}

chain output {
	type filter hook output priority filter; policy accept;

	oifname "lo" accept comment "!fw4: Accept traffic towards loopback"

	ct state established,related accept comment "!fw4: Allow outbound established and related flows"
	oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
}

chain handle_reject {
	meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
	reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
}

chain syn_flood {
	tcp flags & (fin | syn | rst | ack) == syn limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
	drop comment "!fw4: Drop excess packets"
}

chain input_lan {
	jump accept_from_lan
}

chain output_lan {
	jump accept_to_lan
}

chain forward_lan {
	jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
	jump accept_to_lan
}

chain accept_from_lan {
	iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}

chain accept_to_lan {
	oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}

chain input_wan {
	meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
	meta nfproto ipv4 icmp type 8 counter accept comment "!fw4: Allow-Ping"
	meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: Allow-IGMP"
	ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter accept comment "!fw4: Allow-DHCPv6"
	ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0, 132 . 0, 143 . 0 } counter accept comment "!fw4: Allow-MLD"
	meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
	meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
	jump reject_from_wan
}

chain output_wan {
	jump accept_to_wan
}

chain forward_wan {
	meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
	meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
	meta l4proto esp counter jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
	udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-ISAKMP"
	jump reject_to_wan
}

chain accept_to_wan {
}

chain reject_from_wan {
}

chain reject_to_wan {
}


#
# NAT rules
#

chain dstnat {
	type nat hook prerouting priority dstnat; policy accept;
}

chain srcnat {
	type nat hook postrouting priority srcnat; policy accept;
}

chain srcnat_wan {
	meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}


#
# Raw rules (notrack & helper)
#

chain raw_prerouting {
	type filter hook prerouting priority raw; policy accept;
	iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
}

chain raw_output {
	type filter hook output priority raw; policy accept;
}

chain helper_lan {
}


#
# Mangle rules
#

chain mangle_prerouting {
	type filter hook prerouting priority mangle; policy accept;
}

chain mangle_output {
	type filter hook output priority mangle; policy accept;
}

chain mangle_forward {
	type filter hook forward priority mangle; policy accept;
}

}

But for some reason nftables cannot process the rules:
root@route2:~# nft -f /tmp/fw4 -c
/tmp/fw4:9:12-13: Error: Could not process rule: Not supported
flowtable ft {
^^
/tmp/fw4:51:29-44: Error: Could not process rule: No such file or directory
meta l4proto { tcp, udp } flow offload @ft;
^^^^^^^^^^^^^^^^

This has been tested on latest trunk version:
root@route2:~# cat /etc/openwrt_version
r18638-ebc36ebb23

When only software flow offloading is enabled (option flow_offloading '1'), everything works fine (verified in /proc/net/nf_conntrack).

@openwrt-bot

szluki:

I have exactly the same symptoms on version
r18639-f5865452ac
for xiaomi 4a giga mt7621 after enabling the option flow_offloading_hw.
The option flow_offloading works fine.

@openwrt-bot

amaumene:

Hi,

I found the root cause. It seems flowtable doesn't take bridges in the devices list, but takes actual devices:
flowtable ft {
hook ingress priority filter
devices = { wan, sfp, lan2, lan3, lan4, lan5 }
flags offload;
}

This makes it work fine:
ipv4 2 udp 17 src=192.168.1.214 dst=142.250.4.95 sport=57466 dport=443 packets=8 bytes=1751 src=142.250.4.95 dst=my_public_IP sport=443 dport=57466 packets=9 bytes=1484 [HW_OFFLOAD] mark=0 zone=0 use=3

I guess firewall4 needs to be updated to reflect this change.

@openwrt-bot

amaumene:

In terms of performance, I did a quick and simple test. This was done with a RB760iGS as the router and one Raspberry Pi 4 on each side:
Hardware offload:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-30.00 sec 2.74 GBytes 785 Mbits/sec 378 sender
[ 5] 0.00-30.00 sec 2.74 GBytes 784 Mbits/sec receiver

Software offload:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-30.00 sec 2.54 GBytes 727 Mbits/sec 474 sender
[ 5] 0.00-30.00 sec 2.54 GBytes 726 Mbits/sec receiver

No offload:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-30.01 sec 2.59 GBytes 742 Mbits/sec 447 sender
[ 5] 0.00-30.00 sec 2.59 GBytes 742 Mbits/sec receiver

Software offload would be slower? I ran iperf with these options: "-R -Z -t 30 -O 3" on the client side (behind NAT).

@openwrt-bot

tkit1994:

I can confirm that mir3g has the same issue.

root@OpenWrt:~# cat /etc/openwrt_version
r18639-f5865452ac

@openwrt-bot

amaumene:

I've redone my performance test and I can confirm that while the CPU usage is lower with soft offloading, speed is lower as well.
My results are (download only):

  • no offload: 785 Mbits/sec
    Average: CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle
    Average: all 0.00 0.00 0.07 0.00 0.00 30.46 0.00 0.00 0.00 69.47
  • soft offload: 730 Mbits/sec
    Average: CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle
    Average: all 0.01 0.00 0.18 0.00 0.00 34.13 0.00 0.00 0.00 65.69
  • hw offload: 797 Mbits/sec
    Average: CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle
    Average: all 0.00 0.00 0.01 0.00 0.00 0.12 0.00 0.00 0.00 99.87

To enable hw offload manually:

  • enable soft offload in /etc/config/firewall (option flow_offloading '1')
  • restart firewall (/etc/init.d/firewall restart)
  • start our new rules with a flush (echo "flush ruleset" > /tmp/nftables)
  • dump all the current rules (nft -s list ruleset >> /tmp/nftables)
  • edit /tmp/nftables, replacing bridges with actual phy and adding "flags offload;" to flowtable:
    table inet fw4 {
    flowtable ft {
    hook ingress priority filter
    - devices = { br-lan, br-wan }
    + devices = { wan, sfp, lan2, lan3, lan4, lan5 }
    + flags offload;
    }
  • apply modified rules (nft -f /tmp/nftables)
  • verify (cat /proc/net/nf_conntrack | grep HW_OFF)

Documentation (https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html) says:
"Since Linux kernel 5.13, you can add bridge ports to the flowtable. The flowtable infrastructure discovers the topology behind the bridge device. This allows the flowtable to define a fastpath bypass between the bridge ports (represented as eth1 and eth2 in the example figure below) and the gateway device (represented as eth0) in your switch/router."

My understanding is we are missing a patch from upstream to support this, which means currently we need to give the physical devices and not the bridge.

@openwrt-bot

tkit1994:

The default kernel on my device is 5.10.92, which is older than 5.13.

@openwrt-bot

tkit1994:

How can I add wlan0 and wlan1 to flowtable devices?
I can successfully add lan1 and lan2. But if I add wlan0 or wlan1 to it, the following error appears:

/tmp/nftables.nft:4:12-13: Error: Could not process rule: Not supported
flowtable ft {
^^
/tmp/nftables.nft:22:29-40: Error: Could not process rule: No such file or directory
meta l4proto { tcp, udp } flow add @ft

Here is part of my nftables rule.

root@OpenWrt:~# cat /tmp/nftables.nft
flush ruleset

table inet fw4 {
flowtable ft {
hook ingress priority filter;
devices = { wan, lan1, lan2, wlan0};
flags offload;
}

chain input {
	type filter hook input priority filter; policy accept;
	iifname "lo" accept comment "!fw4: Accept traffic from loopback"
	ct state established,related accept comment "!fw4: Allow inbound established and related flows"
	ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
	tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
	iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
	iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}

chain forward {
	type filter hook forward priority filter; policy drop;
	meta l4proto { tcp, udp } flow add @ft
	ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
	ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
	iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
	iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
	jump handle_reject
}
root@OpenWrt:~# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
2: eth0: mtu 1504 qdisc fq_codel state UP group default qlen 1000
    link/ether 40:31:3c:00:ad:28 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4231:3cff:fe00:ad28/64 scope link
    valid_lft forever preferred_lft forever
3: wan@eth0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:31:3c:00:ad:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.45/24 brd 192.168.1.255 scope global wan
    valid_lft forever preferred_lft forever
    inet6 2409:8a20:32ad:2cc0:4231:3cff:fe00:ad27/64 scope global dynamic noprefixroute
    valid_lft 258974sec preferred_lft 172574sec
    inet6 fe80::4231:3cff:fe00:ad27/64 scope link
    valid_lft forever preferred_lft forever
4: lan2@eth0: mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether 40:31:3c:00:ad:28 brd ff:ff:ff:ff:ff:ff
5: lan1@eth0: mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether 40:31:3c:00:ad:28 brd ff:ff:ff:ff:ff:ff
8: br-lan: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:31:3c:00:ad:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 brd 192.168.123.255 scope global br-lan
    valid_lft forever preferred_lft forever
    inet6 fda4:f665:d60c::1/60 scope global noprefixroute
    valid_lft forever preferred_lft forever
    inet6 fe80::4231:3cff:fe00:ad28/64 scope link
    valid_lft forever preferred_lft forever
9: wlan0: mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 40:31:3c:00:ad:29 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4231:3cff:fe00:ad29/64 scope link
    valid_lft forever preferred_lft forever
10: wlan1: mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 40:31:3c:00:ad:2a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4231:3cff:fe00:ad2a/64 scope link
    valid_lft forever preferred_lft forever

My device is mir3g with mt7621.

@openwrt-bot

tiagogaspar8:

The title should be changed since this isn't SoC specific, it happened on my AX3600, on my WRT3200ACM and on my Archer C7 v4.
The kernel is the latest, and on the latest version of openwrt.

@openwrt-bot

amaumene:

Agreed, except I cannot edit it :(

@openwrt-bot

tiagogaspar8:

Yeah, really looking forward to the day we move away from flyspray...

@openwrt-bot

jow-:

Nftables/firewall4 issues fixed with

  • 2dd6777f firewall4: update to latest Git HEAD (https://github.com/openwrt/openwrt/commit/2dd6777f15defc6fe343e8485d3e22325570fb2b)
  • 3b1692c4 netifd: update to latest Git HEAD (https://github.com/openwrt/openwrt/commit/3b1692c463fae107177fcee51874696f6323d0d2)
  • 52831a00 fw4: improve flowtable handling (https://git.openwrt.org/?p=project/firewall4.git;a=commitdiff;h=52831a00bec8e3676e2747029c0349f6be9c2593;hp=7cb10c809314261c20ddca069eacd469adf44be3)
  • fd4c9e17 system-linux: expose hw-tc-offload ethtool feature in device status dump (https://git.openwrt.org/?p=project/netifd.git;a=commitdiff;h=fd4c9e17c8f22b866c1bf386c580074e3e678910)

On my ER-X hw flow offloading is properly utilized:

root@er-x:~# grep HW_OFFLOAD /proc/net/nf_conntrack | sed -e 's#dst=[^[:space:]]*#dst=...#g'
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=48642 dport=993 packets=3 bytes=207 src=212.204.60.9 dst=... sport=993 dport=48642 packets=87 bytes=8526 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=48634 dport=993 packets=14 bytes=1191 src=212.204.60.9 dst=... sport=993 dport=48634 packets=97 bytes=9701 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.211 dst=... sport=56921 dport=80 packets=2 bytes=144 src=18.159.56.174 dst=... sport=80 dport=56921 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=45320 dport=443 packets=1 bytes=60 src=162.125.19.131 dst=... sport=443 dport=45320 packets=6 bytes=973 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.246 dst=... sport=57477 dport=5223 packets=1 bytes=64 src=17.57.146.173 dst=... sport=5223 dport=57477 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=49386 dport=443 packets=1 bytes=60 src=139.59.210.197 dst=... sport=443 dport=49386 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.153 dst=... sport=50663 dport=5223 packets=1 bytes=64 src=17.57.146.68 dst=... sport=5223 dport=50663 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=33622 dport=443 packets=1 bytes=60 src=130.211.10.112 dst=... sport=443 dport=33622 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=52920 dport=993 packets=15 bytes=1278 src=85.13.138.36 dst=... sport=993 dport=52920 packets=101 bytes=9814 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 udp 17 src=10.11.12.246 dst=... sport=123 dport=123 packets=1 bytes=76 src=17.253.54.253 dst=... sport=123 dport=123 packets=1 bytes=76 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=35796 dport=443 packets=1 bytes=60 src=104.16.181.15 dst=... sport=443 dport=35796 packets=16 bytes=2037 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=47338 dport=443 packets=131 bytes=19204 src=52.149.21.60 dst=... sport=443 dport=47338 packets=53 bytes=23989 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=48644 dport=993 packets=8 bytes=634 src=212.204.60.9 dst=... sport=993 dport=48644 packets=61 bytes=5935 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=48636 dport=993 packets=34 bytes=3006 src=212.204.60.9 dst=... sport=993 dport=48636 packets=96 bytes=9593 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=48638 dport=993 packets=5 bytes=408 src=212.204.60.9 dst=... sport=993 dport=48638 packets=96 bytes=9358 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=34664 dport=443 packets=1 bytes=60 src=140.82.113.25 dst=... sport=443 dport=34664 packets=5 bytes=598 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=47352 dport=443 packets=65 bytes=8140 src=52.149.21.60 dst=... sport=443 dport=47352 packets=48 bytes=19987 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=52922 dport=993 packets=1 bytes=60 src=85.13.138.36 dst=... sport=993 dport=52922 packets=9 bytes=844 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=35746 dport=443 packets=1 bytes=60 src=104.16.181.15 dst=... sport=443 dport=35746 packets=185 bytes=23581 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=43772 dport=443 packets=3 bytes=242 src=34.98.75.36 dst=... sport=443 dport=43772 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=41642 dport=443 packets=2 bytes=152 src=157.240.240.60 dst=... sport=443 dport=41642 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 src=10.11.12.7 dst=... sport=46492 dport=443 packets=4 bytes=651 src=162.125.19.130 dst=... sport=443 dport=46492 packets=1 bytes=60 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 udp 17 src=10.11.12.246 dst=... sport=123 dport=123 packets=1 bytes=76 src=17.253.54.125 dst=... sport=123 dport=123 packets=1 bytes=76 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 udp 17 src=10.11.12.246 dst=... sport=123 dport=123 packets=1 bytes=76 src=17.253.52.125 dst=... sport=123 dport=123 packets=1 bytes=76 [HW_OFFLOAD] mark=0 zone=0 use=3
root@er-x:~#

@openwrt-bot

tiagogaspar8:

This issue isn't fixed. When I enable HW_OFFLOAD on the WRT3200ACM, firewall4 doesn't start.
I know this device doesn't support it, but many users might not know that, and enabling the option would break their firewall without them even having a clue.

@openwrt-bot

jow-:

@tiagogaspar8 - Please provide the exact output of:

opkg list-installed firewall4
opkg list-installed netifd
uci show firewall
fw4 flush
fw4 start
fw4 print

@openwrt-bot

tiagogaspar8:

Here it is (with hw offloading enabled):
root@router1:~# opkg list-installed firewall4
firewall4 - 2022-02-07-b54f4622-1
root@router1:~# opkg list-installed netifd
netifd - 2022-02-04-fd4c9e17-1
root@router1:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
root@router1:~# fw4 flush
root@router1:~# fw4 start
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
/proc/self/fd/0:9:12-13: Error: Could not process rule: Not supported

/proc/self/fd/0:54:29-44: Error: Could not process rule: No such file or directory

root@router1:~# fw4 print
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
table inet fw4
flush table inet fw4

table inet fw4 {
#
# Flowtable
#

    flowtable ft {
            hook ingress priority 0;
            devices = { "lan4", "lan2", "lan3", "lan1", "wan" };
            flags offload;
    }

    #
    # Set definitions
    #


    #
    # Defines
    #

    define lan_devices = { "br-lan" }
    define lan_subnets = { 192.168.1.0/24, 2001:8a0:6ecf:f700::/60, fd16:bed2:31b3::/60 }
    define wan_devices = { "wan" }
    define wan_subnets = { 176.78.6.0/24 }

    #
    # User includes
    #

    include "/etc/nftables.d/*.nft"


    #
    # Filter rules
    #

    chain input {
            type filter hook input priority filter; policy accept;

            iifname "lo" accept comment "!fw4: Accept traffic from loopback"

            ct state established,related accept comment "!fw4: Allow inbound established and related flows"
            tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
            iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
            iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
    }

    chain forward {
            type filter hook forward priority filter; policy drop;

            meta l4proto { tcp, udp } flow offload @ft;
            ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
            iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
            iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
            jump handle_reject
    }

    chain output {
            type filter hook output priority filter; policy accept;

            oifname "lo" accept comment "!fw4: Accept traffic towards loopback"

            ct state established,related accept comment "!fw4: Allow outbound established and related flows"
            oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
            oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
    }

    chain handle_reject {
            meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
            reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
    }

    chain syn_flood {
            limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
            drop comment "!fw4: Drop excess packets"
    }

    chain input_lan {
            jump accept_from_lan
    }

    chain output_lan {
            jump accept_to_lan
    }

    chain forward_lan {
            jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
            jump accept_to_lan
    }

    chain accept_from_lan {
            iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain accept_to_lan {
            oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain input_wan {
            meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: ubus:omcproxy[instance1] rule 0"
            ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0, 132 . 0, 143 . 0 } counter accept comment "!fw4: ubus:omcproxy[instance1] rule 1"
            meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
            meta nfproto ipv4 icmp type 8 counter accept comment "!fw4: Allow-Ping"
            meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: Allow-IGMP"
            ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter accept comment "!fw4: Allow-DHCPv6"
            ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0, 132 . 0, 143 . 0 } counter accept comment "!fw4: Allow-MLD"
            meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
            meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
            jump reject_from_wan
    }

    chain output_wan {
            jump accept_to_wan
    }

    chain forward_wan {
            meta l4proto udp ip daddr 224.0.0.0/4 counter jump accept_to_lan comment "!fw4: ubus:omcproxy[instance1] rule 2"
            meta l4proto udp ip6 daddr ff00::/8 counter jump accept_to_lan comment "!fw4: ubus:omcproxy[instance1] rule 3"
            meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
            meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
            meta l4proto esp counter jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
            udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-ISAKMP"
            jump reject_to_wan
    }

    chain accept_to_wan {
            oifname "wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
    }

    chain reject_from_wan {
            iifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }

    chain reject_to_wan {
            oifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }


    #
    # NAT rules
    #

    chain dstnat {
            type nat hook prerouting priority dstnat; policy accept;
    }

    chain srcnat {
            type nat hook postrouting priority srcnat; policy accept;
            oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
    }

    chain srcnat_wan {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
    }


    #
    # Raw rules (notrack & helper)
    #

    chain raw_prerouting {
            type filter hook prerouting priority raw; policy accept;
            iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
    }

    chain raw_output {
            type filter hook output priority raw; policy accept;
    }

    chain helper_lan {
    }


    #
    # Mangle rules
    #

    chain mangle_prerouting {
            type filter hook prerouting priority mangle; policy accept;
    }

    chain mangle_postrouting {
            type filter hook postrouting priority mangle; policy accept;
    }

    chain mangle_input {
            type filter hook input priority mangle; policy accept;
    }

    chain mangle_output {
            type filter hook output priority mangle; policy accept;
    }

    chain mangle_forward {
            type filter hook forward priority mangle; policy accept;
            iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
            oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
    }

}
root@router1:~#

@openwrt-bot

jow-:

Thanks, that is a different failure mode than the one addressed by the commits. What is reported by lsmod | grep flow ?

Please also include the output of ubus call network.device status

@openwrt-bot

tiagogaspar8:

Here you go:

root@router1:~# lsmod | grep flow
cls_flow 20480 0
nf_conntrack 81920 8 nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_conntrack_netlink,nf_nat,nf_flow_table
nf_flow_table 32768 4 nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_flow_offload
nf_flow_table_inet 16384 1
nf_flow_table_ipv4 16384 0
nf_flow_table_ipv6 16384 0
nf_tables 155648 232 nft_fib_inet,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_masq,nft_log,nft_limit,nft_hash,nft_flow_offload,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_ct,nft_counter,nft_chain_nat
nft_flow_offload 16384 1

root@router1:~# ubus call network.device status
{
"br-lan": {
"external": false,
"present": true,
"type": "bridge",
"up": true,
"carrier": true,
"auth_status": false,
"link-advertising": [

            ],
            "link-partner-advertising": [

            ],
            "link-supported": [

            ],
            "speed": "1000F",
            "autoneg": false,
            "hw-tc-offload": false,
            "devtype": "bridge",
            "bridge-members": [
                    "lan1",
                    "lan2",
                    "lan3",
                    "lan4",
                    "wlan1"
            ],
            "mtu": 1500,
            "mtu6": 1500,
            "macaddr": "24:f5:a2:2d:e6:08",
            "txqueuelen": 1000,
            "ipv6": true,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 55135,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 131989142,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 243693,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 0,
                    "tx_aborted_errors": 0,
                    "tx_packets": 120329,
                    "rx_errors": 0,
                    "tx_bytes": 70163385,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "eth0": {
            "external": false,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": true,
            "auth_status": false,
            "link-advertising": [
                    "1000baseT-F"
            ],
            "link-partner-advertising": [
                    "1000baseT-F"
            ],
            "link-supported": [
                    "1000baseT-F"
            ],
            "speed": "1000F",
            "autoneg": true,
            "hw-tc-offload": false,
            "devtype": "ethernet",
            "mtu": 1508,
            "mtu6": 1508,
            "macaddr": "24:f5:a2:2d:e6:08",
            "txqueuelen": 1024,
            "ipv6": true,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 210802462,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 390420,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 0,
                    "tx_aborted_errors": 0,
                    "tx_packets": 332558,
                    "rx_errors": 0,
                    "tx_bytes": 154397558,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "lan1": {
            "external": false,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": false,
            "auth_status": false,
            "link-advertising": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "link-partner-advertising": [

            ],
            "link-supported": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "speed": "-1F",
            "autoneg": true,
            "hw-tc-offload": true,
            "devtype": "dsa",
            "mtu": 1500,
            "mtu6": 1500,
            "macaddr": "24:f5:a2:2d:e6:08",
            "txqueuelen": 1000,
            "ipv6": false,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 0,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 0,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 0,
                    "tx_aborted_errors": 0,
                    "tx_packets": 0,
                    "rx_errors": 0,
                    "tx_bytes": 0,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "lan2": {
            "external": false,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": true,
            "auth_status": false,
            "link-advertising": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "link-partner-advertising": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "link-supported": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "speed": "1000F",
            "autoneg": true,
            "hw-tc-offload": true,
            "devtype": "dsa",
            "mtu": 1500,
            "mtu6": 1500,
            "macaddr": "24:f5:a2:2d:e6:08",
            "txqueuelen": 1000,
            "ipv6": false,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 132160234,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 246460,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 1,
                    "tx_aborted_errors": 0,
                    "tx_packets": 122528,
                    "rx_errors": 0,
                    "tx_bytes": 70325728,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "lan3": {
            "external": false,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": false,
            "auth_status": false,
            "link-advertising": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "link-partner-advertising": [

            ],
            "link-supported": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "speed": "-1F",
            "autoneg": true,
            "hw-tc-offload": true,
            "devtype": "dsa",
            "mtu": 1500,
            "mtu6": 1500,
            "macaddr": "24:f5:a2:2d:e6:08",
            "txqueuelen": 1000,
            "ipv6": false,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 0,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 0,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 0,
                    "tx_aborted_errors": 0,
                    "tx_packets": 0,
                    "rx_errors": 0,
                    "tx_bytes": 0,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "lan4": {
            "external": false,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": false,
            "auth_status": false,
            "link-advertising": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "link-partner-advertising": [

            ],
            "link-supported": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "speed": "-1F",
            "autoneg": true,
            "hw-tc-offload": true,
            "devtype": "dsa",
            "mtu": 1500,
            "mtu6": 1500,
            "macaddr": "24:f5:a2:2d:e6:08",
            "txqueuelen": 1000,
            "ipv6": false,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 0,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 0,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 0,
                    "tx_aborted_errors": 0,
                    "tx_packets": 0,
                    "rx_errors": 0,
                    "tx_bytes": 0,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "lo": {
            "external": false,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": true,
            "auth_status": false,
            "hw-tc-offload": false,
            "devtype": "loopback",
            "mtu": 65536,
            "mtu6": 65536,
            "macaddr": "00:00:00:00:00:00",
            "txqueuelen": 1000,
            "ipv6": true,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": false,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 22820,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 234,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 0,
                    "tx_aborted_errors": 0,
                    "tx_packets": 234,
                    "rx_errors": 0,
                    "tx_bytes": 22820,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "wan": {
            "external": false,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": true,
            "auth_status": false,
            "link-advertising": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "link-partner-advertising": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-H",
                    "1000baseT-F"
            ],
            "link-supported": [
                    "10baseT-H",
                    "10baseT-F",
                    "100baseT-H",
                    "100baseT-F",
                    "1000baseT-F"
            ],
            "speed": "1000F",
            "autoneg": true,
            "hw-tc-offload": true,
            "devtype": "dsa",
            "mtu": 1500,
            "mtu6": 1500,
            "macaddr": "26:f5:a2:2d:e6:08",
            "txqueuelen": 1000,
            "ipv6": true,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 70052988,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 143960,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 834,
                    "tx_aborted_errors": 0,
                    "tx_packets": 210020,
                    "rx_errors": 0,
                    "tx_bytes": 81410362,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    },
    "wlan1": {
            "external": true,
            "present": true,
            "type": "Network device",
            "up": true,
            "carrier": true,
            "auth_status": false,
            "hw-tc-offload": false,
            "devtype": "wlan",
            "mtu": 1500,
            "mtu6": 1500,
            "macaddr": "24:f5:a2:2d:e6:0a",
            "txqueuelen": 1000,
            "ipv6": false,
            "ip6segmentrouting": false,
            "promisc": false,
            "rpfilter": 0,
            "acceptlocal": false,
            "igmpversion": 0,
            "mldversion": 0,
            "neigh4reachabletime": 30000,
            "neigh6reachabletime": 30000,
            "neigh4gcstaletime": 60,
            "neigh6gcstaletime": 60,
            "neigh4locktime": 100,
            "dadtransmits": 1,
            "multicast": true,
            "sendredirects": true,
            "drop_v4_unicast_in_l2_multicast": false,
            "drop_v6_unicast_in_l2_multicast": false,
            "drop_gratuitous_arp": false,
            "drop_unsolicited_na": false,
            "arp_accept": false,
            "statistics": {
                    "collisions": 0,
                    "rx_frame_errors": 0,
                    "tx_compressed": 0,
                    "multicast": 0,
                    "rx_length_errors": 0,
                    "tx_dropped": 0,
                    "rx_bytes": 0,
                    "rx_missed_errors": 0,
                    "tx_errors": 0,
                    "rx_compressed": 0,
                    "rx_over_errors": 0,
                    "tx_fifo_errors": 0,
                    "rx_crc_errors": 0,
                    "rx_packets": 0,
                    "tx_heartbeat_errors": 0,
                    "rx_dropped": 0,
                    "tx_aborted_errors": 0,
                    "tx_packets": 52574,
                    "rx_errors": 0,
                    "tx_bytes": 57121012,
                    "tx_window_errors": 0,
                    "rx_fifo_errors": 0,
                    "tx_carrier_errors": 0
            }
    }

}
root@router1:~#

@openwrt-bot

@openwrt-bot

tiagogaspar8:

I have just tested it: the firewall now starts and shows a warning that hardware offload is not available.

Thanks for this!
