[OpenWrt-Devel] Why nftables does not work in OpenWrt ?

Hauke Mehrtens hauke at hauke-m.de
Thu May 24 12:49:12 EDT 2018



On 05/22/2018 10:09 AM, Rosysong wrote:
> Hi Hauke,
> Do you mean my nftables commands (limit rate xxx) can work on your lantiq (4.14 kernel) target?
> I also chose the kmod-nf-flow and kmod-nft-offload modules, but it cannot restrict the traffic flow on a specific IP address yet.
> 
>> On 05/20/2018 12:25 PM, Rosysong wrote:
> 
>>> I am using mips(ramips) target.
>>>
>>>
>> I tested this with lantiq and with kernel 4.9 nftables was working like
>> expected and with kernel 4.14 it does not work any more.
>> I do not know if this is caused by the more recent kernel or the flow
>> offloading.
> 
>> Hauke

Hi Rosysong,

Please do not top post.

I used this rule:
nft add table inet t1
nft create chain inet t1 k1 { type filter hook input priority 0\; }
nft add rule inet t1 k1 iif lo accept
nft add rule inet t1 k1 ct state established,related accept
nft add rule inet t1 k1 tcp dport 22 ct state new accept
nft add rule inet t1 k1 drop

from this article:
https://www.heise.de/select/ix/2018/1/1514658860742410

This works on the lantiq target (MIPS BE) with kernel 4.9 as expected when I
have this patch applied:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/generic/backport-4.9/092-netfilter-nf_tables-fix-mismatch-in-big-endian-syste.patch;h=024983142c4255bc2b4b4dd5a111632392fcb6e1;hb=HEAD
Without this patch it would block all traffic.

With the lantiq target on kernel 4.14 this rule does not work and does
not block any traffic.

I think there is a regression in kernel 4.14 or something went wrong
when we backported the flow offloading patches.

Hauke
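An added diagnostic for the ruleset quoted above (not code from the thread or from OpenWrt): the same five rules with a counter on each, plus a bare counter first in the chain, and a small parser over `nft list chain` output that tells whether the chain saw no packets at all, dropped everything (the symptom seen without the big-endian fix), or accepted some and dropped the rest. Table t1 and chain k1 are the names from the mail; the verdict labels, the `--live` switch and the sample listing are constructed here.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: the mail's ruleset with "counter" on
# every rule and a bare counter first, so the counts separate "chain never saw
# a packet" from "every packet hit drop". t1/k1 are the names from the mail.

apply_counted_ruleset() {
    nft add table inet t1
    nft create chain inet t1 k1 { type filter hook input priority 0\; }
    nft add rule inet t1 k1 counter                        # every packet entering the chain
    nft add rule inet t1 k1 iif lo counter accept
    nft add rule inet t1 k1 ct state established,related counter accept
    nft add rule inet t1 k1 tcp dport 22 ct state new counter accept
    nft add rule inet t1 k1 counter drop
}

# Reads `nft list chain inet t1 k1` text on stdin and prints one verdict:
#   no-counters  no counter expressions in the listing (rules not loaded?)
#   chain-idle   entry counter is 0: no packet reached the hook in this sample
#   drops-all    drop count equals entry count: no accept rule ever matched
#   enforcing    some packets accepted, the rest dropped
classify_listing() {
    sed -n 's/.*counter packets \([0-9][0-9]*\) bytes.*/\1/p' |
    awk 'NR == 1 { total = $1 } { last = $1 }
         END {
             if (NR == 0)            print "no-counters"
             else if (total == 0)    print "chain-idle"
             else if (last == total) print "drops-all"
             else                    print "enforcing"
         }'
}

# Constructed listing in the format `nft list chain` prints, for a dry run.
SAMPLE_LISTING='table inet t1 {
    chain k1 {
        type filter hook input priority 0; policy accept;
        counter packets 120 bytes 9000
        iif "lo" counter packets 50 bytes 4000 accept
        ct state established,related counter packets 60 bytes 4500 accept
        tcp dport 22 ct state new counter packets 3 bytes 180 accept
        counter packets 7 bytes 320 drop
    }
}'

if [ "${1:-}" = "--live" ]; then
    # On the router, as root: load the rules, let traffic flow, read the counters back.
    apply_counted_ruleset && sleep 10 && nft list chain inet t1 k1 | classify_listing
else
    printf '%s\n' "$SAMPLE_LISTING" | classify_listing   # prints: enforcing
fi
```

Run it with `--live` on the device under test (after an ssh session or some other known traffic) and compare the verdict on 4.9 against 4.14; a sample taken before any traffic has reached the hook will legitimately read chain-idle.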
