Re: [OpenWrt-Devel] Why nftables does not work in OpenWrt ?

2018-05-24 Thread Hauke Mehrtens


On 05/22/2018 10:09 AM, Rosysong wrote:
> Hi Hauke,
> Do you mean my nftables commands (limit rate xxx) can work on
> your lantiq (4.14 kernel) target?
> I also chose the kmod-nf-flow and kmod-nft-offload modules, but it
> still cannot restrict the traffic flow for a specific IP address.
> 
>> On 05/20/2018 12:25 PM, Rosysong wrote:
> 
>>> I am using mips(ramips) target.
>>>
>>>
>> I tested this with lantiq and with kernel 4.9 nftables was working like
>> expected and with kernel 4.14 it does not work any more.
>> I do not know if this is caused by the more recent kernel or the flow
>> offloading.
> 
>> Hauke

Hi Rosysong,

Please do not top post.

I used this rule:
nft add table inet t1
nft create chain inet t1 k1 { type filter hook input priority 0\; }
nft add rule inet t1 k1 iif lo accept
nft add rule inet t1 k1 ct state established,related accept
nft add rule inet t1 k1 tcp dport 22 ct state new accept
nft add rule inet t1 k1 drop

from this article:
https://www.heise.de/select/ix/2018/1/1514658860742410

This works on lantiq target (MIPS BE) with kernel 4.9 as expected when I
have this patch applied:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/generic/backport-4.9/092-netfilter-nf_tables-fix-mismatch-in-big-endian-syste.patch;h=024983142c4255bc2b4b4dd5a111632392fcb6e1;hb=HEAD
Without this patch it would block all traffic.

With the lantiq target on kernel 4.14 this rule does not work and does
not block any traffic.

I think there is a regression in kernel 4.14 or something went wrong
when we backported the flow offloading patches.

Hauke

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
http://lists.infradead.org/mailman/listinfo/openwrt-devel
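Hauke's test above relies on watching whether traffic gets blocked. A more direct check is to put a `counter` on every rule and read the counters back, which separates the three outcomes the thread reports (blocks everything, blocks nothing, works as intended). The script below is an added example written for this page, not code from Hauke, Rosysong or the OpenWrt project. It assumes an nft build with JSON output (`nft -j`, nftables 0.9 or newer, which is more recent than what the thread was using), reuses Hauke's table `t1` and chain `k1`, and, where no nft binary is present, exercises the parser against a hand-constructed `nft -j` document; that sample JSON is constructed, not captured from a router.

```python
"""Count which nftables rules actually fire (added example, see lead-in)."""
import json
import subprocess

# Hauke's input-filter rules from the mail, with a `counter` added to every
# rule so the kernel reports how many packets each one matched.
RULESET = """\
add table inet t1
add chain inet t1 k1 { type filter hook input priority 0; }
add rule inet t1 k1 iif lo counter accept
add rule inet t1 k1 ct state established,related counter accept
add rule inet t1 k1 tcp dport 22 ct state new counter accept
add rule inet t1 k1 counter drop
"""

VERDICTS = ("accept", "drop", "reject", "jump", "goto", "return")

def live_ruleset_json(nft="nft"):
    """Load RULESET via `nft -f -` (script on stdin), then dump it as JSON."""
    subprocess.run([nft, "-f", "-"], input=RULESET, text=True, check=True)
    return subprocess.run([nft, "-j", "list", "ruleset"],
                          capture_output=True, text=True, check=True).stdout

def _operand(x):
    """Render one side of a JSON match expression for the summary column."""
    if isinstance(x, dict):
        key, val = next(iter(x.items()))   # "meta", "payload", "ct" or "set"
        if key == "set":                    # anonymous set -> a,b,c
            return ",".join(str(v) for v in val)
        if isinstance(val, dict):           # {"meta": {"key": "iif"}} -> meta iif
            return key + " " + " ".join(str(v) for v in val.values())
        return f"{key} {val}"
    return str(x)

def rule_counters(nft_json, table="t1", chain="k1"):
    """Return [(handle, matches, verdict, packets)] for the rules of one chain.
    `nft -j` emits one-key objects ({"rule": ...}); a rule's "expr" list holds
    its matches, the counter and the verdict in evaluation order."""
    rows = []
    for item in json.loads(nft_json)["nftables"]:
        rule = item.get("rule")
        if not rule or rule.get("table") != table or rule.get("chain") != chain:
            continue
        packets, verdict, matches = None, None, []
        for expr in rule.get("expr", []):
            if "counter" in expr:
                packets = expr["counter"]["packets"]
            elif "match" in expr:
                m = expr["match"]
                matches.append(f"{_operand(m['left'])} {m['op']} {_operand(m['right'])}")
            else:
                verdict = next((v for v in VERDICTS if v in expr), verdict)
        rows.append((rule["handle"], " ".join(matches) or "(any)", verdict, packets))
    return rows

def diagnose(rows):
    """Map the counter pattern onto the outcomes reported in the thread.
    Generate traffic first (an ssh login from the LAN is enough), then:
      not-evaluated: nothing counted, the hook never ran (the 4.14 symptom);
      drop-all: only the final drop counted, so no match ever succeeds
      (the unpatched big-endian symptom); ok: accept rules are counting."""
    if not rows:
        return "no-rules"
    hit = [r for r in rows if r[3]]
    if not hit:
        return "not-evaluated"
    if all(r[2] == "drop" for r in hit):
        return "drop-all"
    return "ok"

# Constructed sample in the shape of `nft -j list ruleset` output (not captured
# from a router) so the parser can be exercised where nft is not installed.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"rule": {"family": "inet", "table": "t1", "chain": "k1", "handle": 2, "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "iif"}}, "right": "lo"}},
        {"counter": {"packets": 14, "bytes": 1120}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "t1", "chain": "k1", "handle": 3, "expr": [
        {"match": {"op": "in", "left": {"ct": {"key": "state"}},
                   "right": {"set": ["established", "related"]}}},
        {"counter": {"packets": 310, "bytes": 41200}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "t1", "chain": "k1", "handle": 4, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}},
        {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}},
        {"counter": {"packets": 1, "bytes": 60}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "t1", "chain": "k1", "handle": 5, "expr": [
        {"counter": {"packets": 7, "bytes": 420}}, {"drop": None}]}},
]})

if __name__ == "__main__":
    try:                                 # on the router: load, then read back
        rows = rule_counters(live_ruleset_json())
    except (FileNotFoundError, subprocess.CalledProcessError):
        rows = rule_counters(SAMPLE_NFT_JSON)   # no nft here: use the sample
    for handle, matches, verdict, packets in rows:
        print(f"handle {handle:>3}  {packets!s:>6} pkts  {matches} -> {verdict}")
    print("verdict:", diagnose(rows))
```

Run it as root on the router after generating some traffic (an ssh login from the LAN exercises both the `tcp dport 22` and the `established,related` rules). Without Python on the device, `nft list ruleset` prints the same `counter packets N bytes M` fields in plain text and can be read by eye; the point is that a rule whose counter never moves is not being evaluated, however correct it looks in the listing.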


Re: [OpenWrt-Devel] Why nftables does not work in OpenWrt ?

2018-05-22 Thread Rosysong
Hi Hauke,
Do you mean my nftables commands (limit rate xxx) can work on your
lantiq (4.14 kernel) target?
I also chose the kmod-nf-flow and kmod-nft-offload modules, but it
still cannot restrict the traffic flow for a specific IP address.

>On 05/20/2018 12:25 PM, Rosysong wrote:

>> I am using mips(ramips) target.
>> 
>> 
>I tested this with lantiq and with kernel 4.9 nftables was working like
>expected and with kernel 4.14 it does not work any more.
>I do not know if this is caused by the more recent kernel or the flow
>offloading.

>Hauke


Re: [OpenWrt-Devel] Why nftables does not work in OpenWrt ?

2018-05-21 Thread Hauke Mehrtens
On 05/20/2018 12:25 PM, Rosysong wrote:
> I am using mips(ramips) target.
> 
> 
I tested this with lantiq and with kernel 4.9 nftables was working like
expected and with kernel 4.14 it does not work any more.
I do not know if this is caused by the more recent kernel or the flow
offloading.

Hauke



Re: [OpenWrt-Devel] Why nftables does not work in OpenWrt ?

2018-05-20 Thread Rosysong
I am using mips(ramips) target.


On 05/20/2018 11:42 AM, Rosysong wrote:
> Hi all,
> Using nftables to control the traffic flow by IP address has
> succeeded on my Linux PC, so I ported the same
> nft script to OpenWrt trunk. Unfortunately, it failed (it has no effect on
> restricting the speed of the client). Is there any conflict between iptables and
> nftables? Or does it need some other kernel module for nftables?

Re: [OpenWrt-Devel] Why nftables does not work in OpenWrt ?

2018-05-20 Thread Hauke Mehrtens
On 05/20/2018 11:42 AM, Rosysong wrote:
> Hi all,
> Using nftables to control the traffic flow by IP address has
> succeeded on my Linux PC, so I ported the same
> nft script to OpenWrt trunk. Unfortunately, it failed (it has no effect on
> restricting the speed of the client). Is there any conflict between iptables and
> nftables? Or does it need some other kernel module for nftables?

[OpenWrt-Devel] Why nftables does not work in OpenWrt ?

2018-05-20 Thread Rosysong
Hi all,
Using nftables to control the traffic flow by IP address has
succeeded on my Linux PC, so I ported the same
nft script to OpenWrt trunk. Unfortunately, it failed (it has no effect on
restricting the speed of the client). Is there any conflict between iptables and
nftables? Or does it need some other kernel module for nftables?

Below is the information about my system and configuration on network.

root@OpenWrt:~# ifconfig 
br-lan    Link encap:Ethernet  HWaddr F2:B4:29:EC:D6:69
  inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
  inet6 addr: fd04:bbd9:3e95::1/60 Scope:Global
  inet6 addr: fe80::f0b4:29ff:feec:d669/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:35191 errors:0 dropped:0 overruns:0 frame:0
  TX packets:32796 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:14724584 (14.0 MiB)  TX bytes:2621401 (2.4 MiB)

eth0  Link encap:Ethernet  HWaddr F0:B4:29:EC:D6:69  
  inet6 addr: fe80::f2b4:29ff:feec:d669/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:35219 errors:0 dropped:0 overruns:0 frame:0
  TX packets:61209 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:15360136 (14.6 MiB)  TX bytes:12673750 (12.0 MiB)
  Interrupt:5 

eth0.1    Link encap:Ethernet  HWaddr F2:B4:29:EC:D6:69
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:35191 errors:0 dropped:0 overruns:0 frame:0
  TX packets:32786 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:14724584 (14.0 MiB)  TX bytes:2620173 (2.4 MiB)

eth0.2    Link encap:Ethernet  HWaddr F0:B4:29:EC:D6:69
  inet6 addr: fe80::f2b4:29ff:feec:d669/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:28280 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:0 (0.0 B)  TX bytes:9539976 (9.0 MiB)

lo        Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:9824 errors:0 dropped:0 overruns:0 frame:0
  TX packets:9824 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:668032 (652.3 KiB)  TX bytes:668032 (652.3 KiB)




root@OpenWrt:/tmp# iptables -L
Chain INPUT (policy ACCEPT)
target          prot opt source     destination
ACCEPT          all  --  anywhere   anywhere     /* !fw3 */
input_rule      all  --  anywhere   anywhere     /* !fw3: Custom input rule chain */
ACCEPT          all  --  anywhere   anywhere     ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood       tcp  --  anywhere   anywhere     tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere   anywhere     /* !fw3 */
zone_wan_input  all  --  anywhere   anywhere     /* !fw3 */

Chain FORWARD (policy DROP)
target            prot opt source     destination
forwarding_rule   all  --  anywhere   anywhere     /* !fw3: Custom forwarding rule chain */
ACCEPT            all  --  anywhere   anywhere     ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere   anywhere     /* !fw3 */
zone_wan_forward  all  --  anywhere   anywhere     /* !fw3 */
reject            all  --  anywhere   anywhere     /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target           prot opt source     destination
ACCEPT           all  --  anywhere   anywhere     /* !fw3 */
output_rule      all  --  anywhere   anywhere     /* !fw3: Custom output rule chain */
ACCEPT           all  --  anywhere   anywhere     ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere   anywhere     /* !fw3 */
zone_wan_output  all  --  anywhere   anywhere     /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source     destination

Chain forwarding_rule (1 references)
target     prot opt source     destination

Chain forwarding_wan_rule (1 references)
target     prot opt source     destination

Chain input_lan_rule (1 references)
target     prot opt source     destination

Chain input_rule (1 references)
target     prot opt source     destination

Chain input_wan_rule (1 references)
target     prot opt source     destination

Chain output_lan_rule (1 references)
target p