N2 nft rule process issue

Post by karog » Sun Jun 28, 2020 6:08 am

@tobetter I am referencing you as I have followed you on the Petitboot thread, where I have seen you do amazing work.

I will first directly present the issue and then present the context and more info.

The following rules are created in a file nft.cmd:

    add table ip wg-quick-wg0
    add chain ip wg-quick-wg0 preraw { type filter hook prerouting priority -300; }
    add chain ip wg-quick-wg0 premangle { type filter hook prerouting priority -150; }
    add chain ip wg-quick-wg0 postmangle { type filter hook postrouting priority -150; }
    add rule ip wg-quick-wg0 preraw iifname != "wg0" ip daddr 10.200.155.134 fib saddr type != local drop
    add rule ip wg-quick-wg0 postmangle meta l4proto udp mark 51820 ct mark set mark
    add rule ip wg-quick-wg0 premangle meta l4proto udp meta mark set ct mark

and then executed via

    nft -f nft.cmd
This works on my XU4, but on the N2 it chokes on the first add rule command

    add rule ip wg-quick-pia0 preraw iifname != "wg0" ip daddr 10.200.155.134 fib saddr type != local drop

with the error

    /etc/wireguard/wg/nft.cmd:5:1-104: Error: Could not process rule: No such file or directory
It seems not to like the fib saddr type != local part. Maybe there is some feature not compiled into the kernel or maybe the 4.9 kernel is too old? I have virtually no experience with nftables.

Googling suggests that this error message is at least sometimes generated when the table or chain does not exist but that clearly is not the case here.

The succeeding two rules for postmangle and premangle from above work if you execute them manually.

Now the context.

I have an N2 running under Arch Linux

    # uname -a
    Linux n2 4.9.219-1-ARCH #1 SMP PREEMPT Tue Apr 21 00:14:49 UTC 2020 aarch64 GNU/Linux

and an XU4 also running under Arch Linux

    # uname -a
    Linux xu4 4.14.180-1-ARCH #1 SMP PREEMPT Tue May 26 02:05:58 UTC 2020 armv7l GNU/Linux
Both are running the same version of nftables 1:0.9.6-1. All rules work under the XU4 but the one rule fails under the N2.

These rules are generated by the WireGuard VPN tool wg-quick when a default route, e.g. 0.0.0.0/0, is configured.

This forum seems like the right place to report this issue. If not, please point me to a better place.

Re: N2 nft rule process issue

Post by tobetter » Mon Jun 29, 2020 6:36 pm

Sorry, I am not very familiar with the setup. I am guessing that you may not have such an issue if you run the mainline kernel rather than 4.9?
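The thread leaves the root cause open, so here is an added check, written for this page and not code from either poster, from wg-quick or from the nftables project. Two facts it relies on: the nftables `fib` expression is implemented by the nft_fib / nft_fib_ipv4 kernel modules (CONFIG_NFT_FIB_IPV4), which first shipped in Linux 4.10, so a 4.9 kernel cannot evaluate `fib saddr type != local` regardless of the nft userspace version; and the kernel answers ENOENT both for a missing table or chain and for an expression type it does not know, which nft prints as "No such file or directory" in either case, which is why the search results mentioned above point at missing tables. The throwaway table name `fibprobe` is an arbitrary choice for this example.

```shell
#!/bin/sh
# Added example: decide whether a kernel can load wg-quick's fib rule
# before running `nft -f`, and separate the two meanings of ENOENT.

# Usage: kernel_at_least "<uname -r output>" <major> <minor>
# Returns 0 when the release is >= major.minor, 1 otherwise.
kernel_at_least() {
    rel=${1%%-*}        # drop a "-1-ARCH" style suffix
    maj=${rel%%.*}
    rest=${rel#*.}
    min=${rest%%.*}
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# Usage: classify_nft_error "<stderr line from nft -f>"
# Prints "enoent" for the ambiguous ENOENT text (missing table/chain OR
# expression unknown to the kernel), "notsupp" for EOPNOTSUPP, else "other".
classify_nft_error() {
    case "$1" in
        *"Could not process rule: No such file or directory"*) echo enoent ;;
        *"Operation not supported"*)                          echo notsupp ;;
        *)                                                    echo other ;;
    esac
}

# Static checks that need neither root nor a working nft binary.
report() {
    rel=$(uname -r)
    if kernel_at_least "$rel" 4 10; then
        echo "kernel $rel: new enough for the fib expression (4.10+)"
    else
        echo "kernel $rel: predates the fib expression; the preraw rule cannot load"
    fi
    # Built-in or modular support, where the distribution exposes either.
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -E '^CONFIG_NFT_FIB(_IPV4)?=' \
            || echo "CONFIG_NFT_FIB_IPV4 not set in /proc/config.gz"
    fi
    ls /lib/modules/"$rel"/kernel/net/ipv4/netfilter/nft_fib_ipv4.ko* 2>/dev/null \
        || echo "no nft_fib_ipv4 module installed for $rel"
}

# Live probe (needs root and nft): install the same fib expression into a
# freshly created table and chain, so a failure cannot be a missing table.
# Returns 0 if the kernel accepts it, 1 if it rejects it, 2 on setup error.
probe_fib() {
    nft add table ip fibprobe || return 2
    nft add chain ip fibprobe pre '{ type filter hook prerouting priority -300; }' \
        || { nft delete table ip fibprobe; return 2; }
    if nft add rule ip fibprobe pre fib saddr type != local counter 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    nft delete table ip fibprobe
    return $rc
}

if [ "${1:-}" = "--probe" ]; then
    report
    probe_fib && echo "fib expression accepted by the kernel" \
              || echo "fib expression rejected (exit $?)"
fi
```

Run it as `sh fibcheck.sh --probe` on both boards: on the XU4's 4.14 kernel the probe should succeed, while on the N2's 4.9 kernel the static check already reports the kernel as too old, which matches tobetter's suggestion that a newer kernel would not show the problem. Until then wg-quick's default-route rules cannot be loaded on that kernel, and the preraw rule is the anti-spoofing guard for the tunnel endpoint, so dropping it silently is not a good workaround.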
