Subject: Problem moving a network policy from iptables to nftables
Hi,
I need to move a VPN-related network policy from OpenWrt 19.07 to 23.05, which involves the switch from iptables to nftables. On 19.07 my rules in the firewall.user file looked like this:
iptables -A INPUT -t mangle -i pptp-VPN -d 10.100.202.0/22 -p tcp --dport 22 -j MARK --set-mark 1
iptables -A INPUT -t mangle -i pptp-VPN -d 10.100.202.0/22 -p tcp --dport 8080 -j MARK --set-mark 1
iptables -A INPUT -t mangle -i pptp-VPN -d 10.100.202.0/22 -p tcp --dport 8443 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o 3g-GSM -s 10.100.202.0/22 -p tcp --sport 22 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o 3g-GSM -s 10.100.202.0/22 -p tcp --sport 8080 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o 3g-GSM -s 10.100.202.0/22 -p tcp --sport 8443 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -i pptp-VPN -d 192.168.1.100/32 -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -p tcp -s 192.168.1.100/32 --sport 22 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -i pptp-VPN -d 192.168.1.101/32 -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -p tcp -s 192.168.1.101/32 --sport 22 -j MARK --set-mark 1

To map them to nftables I created the file /etc/nftables.d/custom.nft:
table inet custom {
	chain prerouting {
		type filter hook prerouting priority mangle;
		ip saddr 192.168.1.100/32 tcp sport 22 mark set 1
		ip saddr 192.168.1.101/32 tcp sport 22 mark set 1
	}
	chain input {
		type filter hook input priority mangle;
		iifname "pptp-VPN" ip daddr 10.100.202.0/22 tcp dport 22 mark set 1
		iifname "pptp-VPN" ip daddr 10.100.202.0/22 tcp dport 8080 mark set 1
		iifname "pptp-VPN" ip daddr 10.100.202.0/22 tcp dport 8443 mark set 1
	}
	chain output {
		type filter hook output priority mangle;
		oifname "3g-GSM" ip saddr 10.100.202.0/22 tcp sport 22 mark set 1
		oifname "3g-GSM" ip saddr 10.100.202.0/22 tcp sport 8080 mark set 1
		oifname "3g-GSM" ip saddr 10.100.202.0/22 tcp sport 8443 mark set 1
	}
	chain forward {
		type filter hook forward priority mangle;
		iifname "pptp-VPN" ip daddr 192.168.1.100/32 tcp dport 22 mark set 1
		iifname "pptp-VPN" ip daddr 192.168.1.101/32 tcp dport 22 mark set 1
	}
}

When I try to restart the firewall I get syntax errors:
root@OpenWrt:/# /etc/init.d/firewall restart
In file included from /dev/stdin:23:2-33:
/etc/nftables.d/custom.nft:1:1-5: Error: syntax error, unexpected table
table inet custom {
^^^^^
/dev/stdin:30:14-14: Error: syntax error, unexpected '{', expecting string or last
chain input {
^
/dev/stdin:31:3-6: Error: syntax error, unexpected type
type filter hook input priority filter; policy accept;
^^^^
/dev/stdin:31:43-48: Error: syntax error, unexpected policy
type filter hook input priority filter; policy accept;
^^^^^^
/dev/stdin:33:3-9: Error: syntax error, unexpected iifname
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
^^^^^^^
/dev/stdin:35:6-10: Error: syntax error, unexpected state, expecting timeout or expectation or helper
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
^^^^^
/dev/stdin:36:3-5: Error: syntax error, unexpected tcp
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
^^^
/dev/stdin:37:3-9: Error: syntax error, unexpected iifname
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
^^^^^^^
/dev/stdin:38:3-9: Error: syntax error, unexpected iifname
iifname "l2tp-VPN" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
^^^^^^^
/dev/stdin:39:2-2: Error: syntax error, unexpected '}'
}
^
The rendered ruleset contains errors, not doing firewall restart.

So I try to do the same thing by hand from the terminal, and I get errors about the unknown symbol "3g-GSM":
root@OpenWrt:/# nft add table inet custom
root@OpenWrt:/#
root@OpenWrt:/# nft add chain inet custom prerouting { type filter hook prerouting priority mangle \; }
root@OpenWrt:/# nft add chain inet custom input { type filter hook input priority mangle \; }
root@OpenWrt:/# nft add chain inet custom output { type filter hook output priority mangle \; }
root@OpenWrt:/# nft add chain inet custom forward { type filter hook forward priority mangle \; }
root@OpenWrt:/# nft add rule inet custom prerouting ip saddr 192.168.1.100/32 tcp sport 22 mark set 1
root@OpenWrt:/# nft add rule inet custom prerouting ip saddr 192.168.1.101/32 tcp sport 22 mark set 1
root@OpenWrt:/# nft add rule inet custom input iifname "pptp-VPN" ip daddr 10.100.202.0/22 tcp dport 22 mark set 1
root@OpenWrt:/# nft add rule inet custom input iifname "pptp-VPN" ip daddr 10.100.202.0/22 tcp dport 8080 mark set 1
root@OpenWrt:/# nft add rule inet custom input iifname "pptp-VPN" ip daddr 10.100.202.0/22 tcp dport 8443 mark set 1
root@OpenWrt:/# nft add rule inet custom output oifname "3g-GSM" ip saddr 10.100.202.0/22 tcp sport 22 mark set 1
Error: No symbol type information
add rule inet custom output oifname 3g-GSM ip saddr 10.100.202.0/22 tcp sport 22 mark set 1
                                    ^^^^^
root@OpenWrt:/# nft add rule inet custom output oifname "3g-GSM" ip saddr 10.100.202.0/22 tcp sport 8080 mark set 1
Error: No symbol type information
add rule inet custom output oifname 3g-GSM ip saddr 10.100.202.0/22 tcp sport 8080 mark set 1
                                    ^^^^^
root@OpenWrt:/# nft add rule inet custom output oifname "3g-GSM" ip saddr 10.100.202.0/22 tcp sport 8443 mark set 1
Error: No symbol type information
add rule inet custom output oifname 3g-GSM ip saddr 10.100.202.0/22 tcp sport 8443 mark set 1

And such an interface does exist on the system:
root@OpenWrt:/# ifconfig
3g-GSM Link encap:Point-to-Point Protocol
XXX
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:630 errors:0 dropped:0 overruns:0 frame:0
TX packets:910 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:76906 (75.1 KiB) TX bytes:85502 (83.4 KiB)
br-lan Link encap:Ethernet HWaddr 8A:4D:AE:14:61:82
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fd29:49c2:4265::1/60 Scope:Global
inet6 addr: fe80::884d:aeff:fe14:6182/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1045 errors:0 dropped:0 overruns:0 frame:0
TX packets:734 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:107925 (105.3 KiB) TX bytes:127243 (124.2 KiB)
eth0 Link encap:Ethernet HWaddr 8A:4D:AE:14:61:82
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1047 errors:0 dropped:0 overruns:0 frame:0
TX packets:736 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:122687 (119.8 KiB) TX bytes:127375 (124.3 KiB)
Interrupt:42
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1329 errors:0 dropped:0 overruns:0 frame:0
TX packets:1329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:98895 (96.5 KiB) TX bytes:98895 (96.5 KiB)

config interface 'GSM'
	option proto '3g'
	option device '/dev/ttyUSB5'
	option service 'umts'
	option ipv6 'auto'

What else can I do to find out what is wrong?
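As an added example (not part of the post above, and not OpenWrt's own tooling): a small Python converter for exactly the mangle/MARK rules quoted in the post, built around what the two error outputs show. fw4 includes /etc/nftables.d/*.nft inside its own `table inet fw4 { }` block, so the file must contain chains only, and interface names must be quoted because an unquoted 3g-GSM starts with a digit and is lexed as a number (the echoed rule in the error shows the shell had stripped the quotes). The custom_mangle_ chain prefix and the policy accept line are my own assumptions.

```python
import shlex

# Constructed input: one rule of each kind from the 19.07 firewall.user quoted in the post.
IPTABLES_RULES = """
iptables -A INPUT -t mangle -i pptp-VPN -d 10.100.202.0/22 -p tcp --dport 22 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o 3g-GSM -s 10.100.202.0/22 -p tcp --sport 22 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -i pptp-VPN -d 192.168.1.100/32 -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -p tcp -s 192.168.1.100/32 --sport 22 -j MARK --set-mark 1
"""
PAIRED = ("-t", "-i", "-o", "-s", "-d", "-p", "--sport", "--dport", "-j", "--set-mark")

def translate_rule(line):
    """Turn one 'iptables -t mangle ... -j MARK' rule into (hook name, nft rule expression)."""
    argv = shlex.split(line)[1:]                 # drop the leading 'iptables'
    opts, i = {}, 0
    while i < len(argv):
        if argv[i] in ("-A", "-I"):              # append vs insert is moot: 'mark set' never terminates
            opts["hook"] = argv[i + 1].lower()
        elif argv[i] in PAIRED:
            opts[argv[i]] = argv[i + 1]
        else:
            raise ValueError(f"unsupported option {argv[i]!r} in: {line}")
        i += 2
    if opts.get("-t") != "mangle" or opts.get("-j") != "MARK":
        raise ValueError(f"only mangle/MARK rules are handled: {line}")
    parts = []
    # Always quote interface names: bare 3g-GSM starts with a digit and nft lexes it as a number.
    if "-i" in opts: parts.append(f'iifname "{opts["-i"]}"')
    if "-o" in opts: parts.append(f'oifname "{opts["-o"]}"')
    if "-s" in opts: parts.append(f'ip saddr {opts["-s"]}')
    if "-d" in opts: parts.append(f'ip daddr {opts["-d"]}')
    for opt, kw in (("--sport", "sport"), ("--dport", "dport")):
        if opt in opts: parts.append(f'{opts["-p"]} {kw} {opts[opt]}')
    parts.append(f'meta mark set {opts["--set-mark"]}')
    return opts["hook"], " ".join(parts)

def render_fw4_include(rules_text):
    """Emit chains only: fw4 includes this file inside 'table inet fw4 { }', so 'table' is an error."""
    chains = {}
    for line in rules_text.strip().splitlines():
        hook, expr = translate_rule(line)
        chains.setdefault(hook, []).append(expr)
    out = []
    for hook, exprs in chains.items():
        # fw4's table already uses names like input, forward, output and mangle_*; prefix to avoid clashes.
        out.append(f"chain custom_mangle_{hook} {{")
        out.append(f"\ttype filter hook {hook} priority mangle; policy accept;")
        out.extend(f"\t{e}" for e in exprs)
        out.append("}")
    return "\n".join(out)                        # write this to /etc/nftables.d/custom.nft
```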