OpenWrt/LEDE Project

Welcome to the OpenWrt/LEDE Project bug reporting and issue tracking system

Problems to be reported here are for the OpenWrt/LEDE Project targets, sources, toolchain, core packages, build procedures, distribution and infrastructure. Guidelines for submitting a good bug report can be found at the OpenWrt/LEDE Project website. Problems related to LuCI or OpenWrt packages need to be reported in their repositories:

Notifications of all submissions and task changes are sent to lede-bugs@infradead.org.

Opened: 09.05.2020 | ID: 3083 | Category: Kernel | Task Type: Bug Report | Priority: Very Low | Severity: High | Summary: [nftables] invalid/obsolete and missing and unset kconf... | Reported In: Trunk | Status: Unconfirmed

Task Description

The upstream source https://github.com/torvalds/linux/blob/v5.4/net/netfilter/Kconfig#L442 does not match downstream; in particular it seems that:

  • downstream exhibiting obsolete kconf
      CONFIG_NF_TABLES_ARP
      CONFIG_NF_TABLES_BRIDGE
  • downstream missing kconf (impeding nft functionality)
      NFT_NUMGEN
      NFT_CT
      NFT_COUNTER
      NFT_LOG
      NFT_LIMIT
      NFT_MASQ
      NFT_REDIR
      NFT_NAT
      NFT_QUEUE
      NFT_QUOTA
      NFT_REJECT
      NFT_REJECT_INET
      NFT_COMPAT
      NFT_HASH
      NFT_FIB_INET
      NF_DUP_NETDEV
      NFT_DUP_NETDEV
      NFT_FWD_NETDEV
  • downstream unset kconf (impeding nft functionality)
      NFT_FLOW_OFFLOAD
      NFT_CONNLIMIT
      NFT_TUNNEL
      NFT_OBJREF
      NFT_XFRM
      NFT_SOCKET
      NFT_OSF
      NFT_TPROXY
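An added example (not part of the report above, and not OpenWrt's own tooling): a POSIX shell check that classifies the nft Kconfig symbols the reporter lists as set (=y/=m), unset ("is not set") or missing from a target kernel .config, so a build can be verified before it is flashed. The config fragment at the bottom is constructed for the demonstration, not a real OpenWrt target config.

```shell
#!/bin/sh
# Classify nftables Kconfig symbols in a kernel .config the way the report
# does: set (=y/=m), unset ("# CONFIG_X is not set"), or missing entirely.
# The "obsolete" category (symbols present downstream but gone upstream) is
# not covered here; it needs the upstream Kconfig as a second input.

# Symbols the report lists as missing or unset downstream (CONFIG_ prefix
# is added when matching).
NFT_SYMS="NFT_NUMGEN NFT_CT NFT_COUNTER NFT_LOG NFT_LIMIT NFT_MASQ NFT_REDIR
NFT_NAT NFT_QUEUE NFT_QUOTA NFT_REJECT NFT_REJECT_INET NFT_COMPAT NFT_HASH
NFT_FIB_INET NF_DUP_NETDEV NFT_DUP_NETDEV NFT_FWD_NETDEV NFT_FLOW_OFFLOAD
NFT_CONNLIMIT NFT_TUNNEL NFT_OBJREF NFT_XFRM NFT_SOCKET NFT_OSF NFT_TPROXY"

# classify_sym CONFIG_FILE SYMBOL -> prints set | unset | missing
# The "=" after the name keeps NFT_REJECT from matching NFT_REJECT_INET.
classify_sym() {
    if grep -q "^CONFIG_$2=[ym]\$" "$1"; then
        echo set
    elif grep -q "^# CONFIG_$2 is not set\$" "$1"; then
        echo unset
    else
        echo missing
    fi
}

# report CONFIG_FILE -> one "SYMBOL state" line per symbol
report() {
    for s in $NFT_SYMS; do
        echo "$s $(classify_sym "$1" "$s")"
    done
}

# count_state CONFIG_FILE STATE -> number of symbols in that state
count_state() {
    report "$1" | grep -c " $2\$"
}

# Constructed sample fragment of a target kernel config (hypothetical values).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NFT_CT=m
CONFIG_NFT_MASQ=m
# CONFIG_NFT_FLOW_OFFLOAD is not set
# CONFIG_NFT_SOCKET is not set
EOF

report "$SAMPLE"
```

Point the script at a real target config (for example the generated .config under build_dir) to get the per-symbol listing; anything reported as unset or missing will not be available to nft at runtime.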
Opened: 05.02.2020 | ID: 2815 | Category: Base system | Task Type: Bug Report | Priority: Very Low | Severity: Low | Summary: nftables in 19.07 | Reported In: Trunk | Status: Unconfirmed

Task Description

Hi,

starting in 19.07 nftables don’t work properly.

This is on a MIPS xrx200 device, TPlink td w8970.

To install nftables:
- opkg update
- opkg install nftables
- opkg install kmod-nft-nat
- rm /etc/modules.d/ipt*
- rm /etc/modules.d/42-ip6tables
- reboot

Create the file /etc/nftables.conf

flush ruleset

table ip nat {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		meta oiftype ppp masquerade
	}
}
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state { established, related } accept
		ct state invalid drop
		meta iiftype != ppp accept
		ip protocol icmp accept
		ip6 nexthdr ipv6-icmp accept
		meta iiftype ppp drop
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state { established, related } accept
		ct state invalid drop
		meta iiftype != ppp accept
		ip protocol icmp accept
		ip6 nexthdr ipv6-icmp accept
		meta iiftype ppp drop
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

Then attempt to install via

nft -f /etc/nftables.conf

This gives the error:

/etc/nftables.conf:4:8-17: Error: Could not process rule: File exists
	chain prerouting {
	      ^^^^^^^^^^
/etc/nftables.conf:8:8-18: Error: Could not process rule: File exists
	chain postrouting {
	      ^^^^^^^^^^^
/etc/nftables.conf:10:3-29: Error: Could not process rule: No such file or directory
		meta oiftype ppp masquerade
		^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is the error you would usually get if iptables NAT was in the kernel, but lsmod confirms it is not installed. Running “nft flush ruleset” in isolation works, and then “nft -f /etc/nftables.conf” works as expected.

This provides WAN access for the LAN, as expected, so NAT is working; the router is also not scanned, so the firewall is correct.

However, on the router itself nslookups don’t work without errors, e.g.

opkg update
Downloading http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/kmods/4.14.167-1-0f59e90218b95a909e229a713d3da157/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/kmods/4.14.167-1-0f59e90218b95a909e229a713d3da157/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/base/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/base/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/luci/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/luci/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/routing/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/routing/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/telephony/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/telephony/Packages.gz

Collected errors:
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/packages/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/targets/lantiq/xrx200/kmods/4.14.167-1-0f59e90218b95a909e229a713d3da157/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/base/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/luci/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/packages/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/routing/Packages.gz, wget returned -1.
 * xsystem: wget: vfork: Out of memory.
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.1/packages/mips_24kc/telephony/Packages.gz, wget returned -1.

But “ping 8.8.8.8” works.

But after flushing the ruleset first (so no NAT or firewall), the router’s access to the WAN works.

So, taken as a whole, this says nftables is badly broken on this machine in 19.07: an atomic replacement of the rules can’t be done, and WAN access from the router can’t be obtained.

In 18.06 this worked perfectly.

So it looks like in 19.07 there is some iptables baggage left in the kernel, stopping nftables from working correctly.

I checked the kernel configuration and built my own OpenWrt 19.07 with a hand-crafted 4.14.167 kernel config. This boots with the same messages as 19.07.1 and has the same nftables faults.

I’ll keep digging, but time to report it here.

In the long term, OpenWrt will probably need to move away from iptables to nftables (as the iptables backend goes to nftables). So ideally we would get this working, so that those OpenWrt users who use nftables can debug their usage on OpenWrt before everyone has to move.

Any ideas?

David.

