
coova-chilli: xt_coova module doesn't work on OpenWRT 23.05 #23092

Closed
xsokolikx opened this issue Jan 12, 2024 · 65 comments

Comments

@xsokolikx

Maintainer: @f00b4r0 (?)
Environment: ipq807x, Xiaomi AX36000, OpenWrt 23.05

Description: Since nftables became the default firewall framework in OpenWRT, I can't use the xt_coova module. The module builds without errors, but the related libxt library (libxt_coova.so) doesn't work as expected.

If you try to load any iptables rule containing a coova match, it fails with the following error:

root@OpenWRT:~# iptables -I FORWARD -i br-vlan1 -m coova --name chilli -j ACCEPT
iptables v1.8.8 (nf_tables): Couldn't load match `coova':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Also, if you try to print the help message, it also fails:

root@OpenWRT:~# iptables -m coova -h
iptables v1.8.8 (nf_tables): Couldn't load match `coova':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

I already checked that the xt_coova.ko module is loaded, and I can see the coova entry in /proc/net/ip_tables_matches.

Any hints?
Thanks!

P.S.: related discussion on the forum: https://forum.openwrt.org/t/coova-chilli-on-openwrt-22-03-nftables/136941/12

@f00b4r0
Contributor

f00b4r0 commented Jan 12, 2024

I'm not the maintainer for coova-chilli and in fact I'm developing a replacement: https://github.com/f00b4r0/uspot (which is now packaged in OpenWrt 23.05 and works with firewall4/nftables). HTH

@brada4

brada4 commented Jan 12, 2024

It will work with iptables-legacy only.
You need to replace nft conntrack with ipt conntrack so that the nft-based fw4 uses ipt modules via the xtables bridge.

@brada4

brada4 commented Jan 12, 2024

Could I ask you to attach the output of opkg list-installed, so I can propose a sane "migration" to the nftables-iptables bridge?

@brada4

brada4 commented Jan 12, 2024

nft-conntrack - ipt-conntrack-extra
nft-nat - ipt-nat-extra ipt-nat6
nft-offload - ipt-offload
nft-compat - stays, it is THE BRIDGE
iptables-nft - iptables-zz-legacy

@xsokolikx
Author

Hi @brada4 ! I'm currently on a custom build, but these are the related packages installed:

coova-chilli - 1.6-9.1
firewall4 - 2023-09-01-598d9fbb-1
iptables-mod-conntrack-extra - 1.8.8-2
iptables-mod-extra - 1.8.8-2
iptables-mod-hashlimit - 1.8.8-2
iptables-mod-ipaddr - 3.24-1
iptables-mod-ipopt - 1.8.8-2
iptables-mod-iprange - 1.8.8-2
iptables-mod-ipsec - 1.8.8-2
iptables-mod-nat-extra - 1.8.8-2
iptables-nft - 1.8.8-2
kmod-ip6tables - 5.15.137-1
kmod-ipt-compat-xtables - 5.15.137+3.24-1
kmod-ipt-conntrack - 5.15.137-1
kmod-ipt-conntrack-extra - 5.15.137-1
kmod-ipt-coova - 5.15.137+1.6-9.1
kmod-ipt-core - 5.15.137-1
kmod-ipt-extra - 5.15.137-1
kmod-ipt-hashlimit - 5.15.137-1
kmod-ipt-ipaddr - 5.15.137+3.24-1
kmod-ipt-ipopt - 5.15.137-1
kmod-ipt-iprange - 5.15.137-1
kmod-ipt-ipsec - 5.15.137-1
kmod-ipt-nat - 5.15.137-1
kmod-ipt-nat-extra - 5.15.137-1
kmod-nf-conncount - 5.15.137-1
kmod-nf-conntrack - 5.15.137-1
kmod-nf-conntrack6 - 5.15.137-1
kmod-nf-flow - 5.15.137-1
kmod-nf-ipt - 5.15.137-1
kmod-nf-ipt6 - 5.15.137-1
kmod-nf-log - 5.15.137-1
kmod-nf-log6 - 5.15.137-1
kmod-nf-nat - 5.15.137-1
kmod-nf-reject - 5.15.137-1
kmod-nf-reject6 - 5.15.137-1
kmod-nfnetlink - 5.15.137-1
kmod-nft-bridge - 5.15.137-1
kmod-nft-compat - 5.15.137-1
kmod-nft-core - 5.15.137-1
kmod-nft-fib - 5.15.137-1
kmod-nft-nat - 5.15.137-1
kmod-nft-offload - 5.15.137-1
libxtables12 - 1.8.8-2
nftables-json - 1.0.8-1
xtables-nft - 1.8.8-2

@brada4

brada4 commented Jan 15, 2024

Gradually remove the nft modules, confirming with nft list ruleset after each reboot that the particular function is offloaded to xt.
Remove iptables-nft and install iptables-zz-legacy.
You need to offload all of nft via the xt bridge to have fw4 interact properly with the old engine. Then you can program the off-tree module without fear of breaking something.
Start with nft-conntrack to build self-confidence.

@brada4

brada4 commented Jan 15, 2024

(you might need to block modules in modules.d if dependencies do not permit uninstall)

@Neustradamus

@f00b4r0: Interesting!

@pparent76
Contributor

pparent76 commented Jan 29, 2024

Any solution for this? I'm having the same problem on snapshot, including after removing firewall4 and installing firewall and iptables-legacy instead.

@brada4

brada4 commented Jan 29, 2024

The dependency on the x-tables kmod is a compile-time option. Simpler to install, but slower in day-to-day operation, would be to build coova-chilli without the kmod and make the kmod package an empty boilerplate. Then it will work with either of the 2 iptables. It adds individual NAT rules per client MAC.

@pparent76
Contributor

pparent76 commented Jan 29, 2024

"The dependency on x-tables kmod is a compile time option"

Compilation of which package are we talking about here? Because I'm recompiling coova-chilli and kmod-ipt-coova from the SDK, and it does not seem to work.

The problem is that without the xt_coova module it can create a bandwidth bottleneck, because the CPUs of some devices are not powerful enough to do the packet analysis from userland.

@brada4

brada4 commented Jan 29, 2024

You need to deselect the kmod; then coova will not catch the option and will build in clean iptables mode.
It can completely operate without the kmod.
Or maybe even comment out the whole kmod from the makefile.

@pparent76
Contributor

pparent76 commented Jan 29, 2024

Yes, sure it can operate without the kmod. If you remove "kname chilli" from the config file it will not use the module, and will work perfectly without the module anyway (without having to recompile).

But if the module is not used it is way more CPU consuming, right? And on embedded hardware with a low-spec CPU, the CPU load can be a bottleneck, no? (At least it was the case on previous versions; I don't know if things changed in newer coova-chilli versions.)

@brada4

brada4 commented Jan 29, 2024

It uses iptables command to insert rules that can be offloaded to flowtables (or xt offload), it may not be that slow in the end.

@pparent76
Contributor

pparent76 commented Jan 29, 2024

Well, I will do some testing on the latest version to check that out. But I'm sure that on older versions, on an MT7620 CPU, you would not get a throughput higher than 20 Mbit/s through coova if you did not use kmod-ipt-coova (and this using 100% CPU).

@brada4

brada4 commented Jan 29, 2024

Watch out - there is a config option - if the module is built, even empty, it adds a module requirement to the main executable. You need to rip out that line.

@pparent76
Contributor

pparent76 commented Jan 30, 2024

But where did you see that "It uses iptables command to insert rules that can be offloaded to flowtables (or xt offload)"? I've never seen the chilli process automatically inserting iptables rules when a client gets authenticated... And I just tested a version compiled without xt-coova, and I don't see iptables rules being changed while the program is running and a client gets authenticated.

But it makes me think that it could perhaps be done quite easily to add a per-client firewall allowance within the conup.sh and condown.sh scripts.

@pparent76
Contributor

pparent76 commented Jan 30, 2024

I've done some tests and I can get something somewhat working and not consuming much CPU by inserting per-customer iptables rules from the conup.sh script (in order to replace the missing rules from the kmod):

iptables -I FORWARD -s $FRAMED_IP_ADDRESS -i br-lan -j ACCEPT
iptables -I FORWARD -d $FRAMED_IP_ADDRESS -o br-lan -j ACCEPT

And deleting them from condown. But it's really a hack and I'm not sure about the reliability of this.
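As an added illustration of the conup.sh/condown.sh approach in the post above (example code written for this edit, not the script posted there and not anything shipped by coova-chilli): a helper that validates FRAMED_IP_ADDRESS before it is ever placed on an iptables command line, inserts the two FORWARD rules only when `iptables -C` reports them absent, and removes every copy on disconnect. It assumes chilli exports FRAMED_IP_ADDRESS to the hook scripts as the post implies, that the LAN side is br-lan (override with LAN_IF), and that IPT may be pointed at a different binary or a stub function for a dry run; the script name client-fw.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or from coova-chilli): per-client FORWARD
# rules driven from chilli's conup.sh / condown.sh hooks.
# Assumptions: chilli exports FRAMED_IP_ADDRESS; the LAN side is br-lan unless
# LAN_IF is set; IPT names the iptables binary (set IPT to a stub for dry runs).

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br-lan}"

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
# The address comes from the session environment, so it is checked before it
# is word-split into an iptables command line.
valid_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    _rest="$1."
    _n=0
    while [ -n "$_rest" ]; do
        _o=${_rest%%.*}
        _rest=${_rest#*.}
        [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# One place for each rule spec, so add and remove never drift apart.
rule_from_client() { echo FORWARD -s "$1" -i "$LAN_IF" -j ACCEPT; }
rule_to_client()   { echo FORWARD -d "$1" -o "$LAN_IF" -j ACCEPT; }

# Insert a rule only when `iptables -C` says it is not there yet (idempotent).
ensure_rule() {
    $IPT -C $1 2>/dev/null || $IPT -I $1
}

# Delete every copy of a rule (a hook may have fired more than once); the
# counter bounds the loop even if the firewall keeps reporting success.
purge_rule() {
    _n=0
    while [ "$_n" -lt 16 ] && $IPT -D $1 2>/dev/null; do
        _n=$((_n + 1))
    done
}

client_up() {
    valid_ipv4 "$1" || { echo "client_up: refusing address '$1'" >&2; return 1; }
    ensure_rule "$(rule_from_client "$1")" && ensure_rule "$(rule_to_client "$1")"
}

client_down() {
    valid_ipv4 "$1" || { echo "client_down: refusing address '$1'" >&2; return 1; }
    purge_rule "$(rule_from_client "$1")"
    purge_rule "$(rule_to_client "$1")"
}

# Hook entry point: `sh client-fw.sh up` from conup.sh, `sh client-fw.sh down`
# from condown.sh; both run with FRAMED_IP_ADDRESS in the environment.
case "${1:-}" in
    up)   client_up "${FRAMED_IP_ADDRESS:-}" ;;
    down) client_down "${FRAMED_IP_ADDRESS:-}" ;;
esac
```

If the forward chain already accepts established,related flows (fw4's default does), the second rule is redundant, because conntrack admits the reply direction; keeping it mirrors the post exactly. The `-C` check matters on reconnect storms: without it each conup run stacks another copy of the rule, and condown then removes only one.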

@brada4

brada4 commented Jan 30, 2024

Good idea. You could edit set (ipset or nftables set) instead. Reverse forward is not needed, conntrack takes care of it.

@pparent76
Contributor

pparent76 commented Jan 30, 2024

The thing is, I'm trying to investigate why libxt_coova.so refuses to load, because from what I understand now, there is no actual reason for this to happen: other match modules load without problem with the latest version of iptables-legacy.

I guess there might be something to adapt in here: https://github.com/coova/coova-chilli/blob/master/src/linux/libxt_coova.c

@brada4

brada4 commented Jan 30, 2024

iptables v1.8.8 (nf_tables) -> this emulates the most common -legacy modules and emits native nft rules. You need real legacy iptables to interact with other modules.
The xt_coova module just maintains a simple list of IPv4 and IPv6 addresses to forward, and is programmed via procfs. nftables or ipsets do the same, by and large.

@pparent76
Contributor

pparent76 commented Jan 30, 2024

Yes, but I do have real legacy iptables and it does not work:

iptables v1.8.8 (legacy): Couldn't load match `coova':No such file or directory

If the only thing to do was to install iptables-zz-legacy, it would be fine. The thing is that I guess there are plenty of existing captive portals based on coova that you would just like to see working, without needing to go through a thousand tedious worries and complications of changing the underlying technology.

@brada4

brada4 commented Jan 30, 2024

@pparent76
Contributor


root@xxxxxx$ iptables -I FORWARD -m coova  --help
iptables v1.8.8 (legacy): Couldn't load match `coova':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
root@xxxxxx$ iptables -I PREROUTING -t nat -m coova  --help
iptables v1.8.8 (legacy): Couldn't load match `coova':No such file or directory

@brada4

brada4 commented Jan 30, 2024

Is it published in /proc/net/ip_tables_matches?

@brada4

brada4 commented Jan 31, 2024

The userspace libxt_coova library is not even packaged or installed.

@xsokolikx
Author

xsokolikx commented Jan 31, 2024

I'm facing the same issue as @pparent76. The xt_coova module doesn't work even if you use iptables-zz-legacy. The module loads (apparently) OK, and you can see the matches published in /proc/net/ip_tables_matches, but I get this error when trying to use the -m coova match from iptables.


root@xxxxxx$ iptables -I FORWARD -m coova  --help
iptables v1.8.8 (legacy): Couldn't load match `coova':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
root@xxxxxx$ iptables -I PREROUTING -t nat -m coova  --help
iptables v1.8.8 (legacy): Couldn't load match `coova':No such file or directory

I have already tried removing the nft* suggested packages, unsuccessfully.

@brada4

brada4 commented Jan 31, 2024

It is certainly a packaging bug that /usr/lib/iptables/libxt_coova.so is not installed. Can anyone recall since when?

@pparent76
Contributor

pparent76 commented Jan 31, 2024

But why do you say that /usr/lib/iptables/libxt_coova.so is not installed? For me it certainly is; the file is there, which is why I find it strange that it does not work!

(Well, I recompile coova with the SDK to change some build-time options, but I'm not sure if that has any influence.)

@brada4

brada4 commented Feb 12, 2024

libxt_DSCP.so:libxt_DSCP_init
libxt_TOS.so:libxt_TOS_init
libxt_coova.so:xtables_init <---------------- 
libxt_dscp.so:libxt_dscp_init
libxt_ecn.so:libxt_ecn_init

@brada4

brada4 commented Feb 12, 2024

Maybe rename _init to libxt_coova_init ?
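A check for the naming problem the listing above points at, added here as an illustration (not part of the issue, the PR, or coova-chilli): every stock extension in that listing exports a symbol named after its file, libxt_NAME.so -> libxt_NAME_init, and libxt_coova.so is the one that does not, which is what the rename fixes. The function reads `path:symbol` lines and reports any library whose init symbol does not follow that convention, so a rebuilt libxt_coova.so can be verified before it is packaged. The sample lines are transcribed from the listing above; the `nm` invocation in the note is an assumption about how such lines are produced, not the command used in the thread.

```shell
#!/bin/sh
# Added example (not from the issue or from coova-chilli): flag libxt_*.so
# files whose exported init symbol does not follow the libxt_NAME_init
# convention. Input: "path:symbol" lines on stdin, one per library.
check_init_symbols() {
    _bad=0
    while IFS=: read -r _file _sym; do
        [ -n "$_file" ] || continue          # skip blank lines
        _sym=${_sym%% *}                     # drop trailing annotations
        _base=${_file##*/}                   # strip directory part
        _base=${_base%.so}                   # e.g. libxt_coova
        _expected="${_base}_init"
        if [ "$_sym" != "$_expected" ]; then
            echo "MISMATCH $_file: exports '$_sym', expected '$_expected'"
            _bad=1
        fi
    done
    return "$_bad"
}

# Constructed sample, transcribed from the listing in this thread.
SAMPLE_LISTING='libxt_DSCP.so:libxt_DSCP_init
libxt_TOS.so:libxt_TOS_init
libxt_coova.so:xtables_init
libxt_dscp.so:libxt_dscp_init
libxt_ecn.so:libxt_ecn_init'

# Run the check over the sample; a non-zero exit means at least one mismatch.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | check_init_symbols
}
```

On a box with binutils, lines of that shape can be produced (assumed invocation) with something like `for f in /usr/lib/iptables/libxt_*.so; do nm -D --defined-only "$f" | awk -v f="$f" '/_init$/ { print f ":" $3 }'; done` and piped into `check_init_symbols` after sourcing the file. Note that the comparison is case-sensitive on purpose: libxt_DSCP.so and libxt_dscp.so are distinct extensions with distinct init symbols.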

@pparent76
Contributor

Yes that's what I'm currently trying.

@pparent76
Contributor

It works!!

@brada4

brada4 commented Feb 12, 2024

fork repo
clone yours with ssh
branch
change
add
commit
make pull request

@pparent76
Contributor

Yes, I was going to do that!

Thank you so much for the help by the way!

@brada4

brada4 commented Feb 12, 2024

yw, thanks for brilliant research.

@brada4

brada4 commented Feb 12, 2024

Fixes: 55297e4

@pparent76
Contributor

yw, thanks for brilliant research.

Thanks a lot!

Here is the pull request: #23386

(I hope I've approximately respected the project's guidelines for making the PR.)

pparent76 added a commit to pparent76/packages that referenced this issue Feb 14, 2024
neheb pushed a commit that referenced this issue Feb 23, 2024
SvenRoederer added a commit to SvenRoederer/freifunk-berlin-firmware that referenced this issue Feb 23, 2024
61ba390b6 coova-chilli: fix libxt-coova not loading properly from iptables ( openwrt/packages#23092 )
@xsokolikx
Author

Thanks for your work, @pparent76 and @brada4!

I think we can close this issue now.

@brada4

brada4 commented Feb 27, 2024

@neheb should the patch be backported to the stable branches, as in the OP?

@raheelhirani35

@brada4 Hi,

I am trying to run coovachilli with and without xt_coova on OpenWrt 23.05. I tried your procedure to unload the nft modules, but it is still not redirecting to the splash page, though the iptables rules look fine. Please suggest what I am missing.
This is my list of installed packages:
base-files - 1545-r23497-6637af95aa
busybox - 1.36.1-1
ca-bundle - 20230311-1
cgi-io - 2022-08-10-901b0f04-21
coova-chilli - 1.6-10
dnsmasq - 2.89-4
dropbear - 2022.82-5
firewall4 - 2023-03-23-04a06bd7-1
fstools - 2023-02-28-bfe882d5-1
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2022-08-13-4c7b720b-2
haserl - 0.9.36-1
hostapd-common - 2023-09-08-e5ccbfc6-4
iptables-zz-legacy - 1.8.8-1
iw - 5.19-1
iwinfo - 2023-07-01-ca79f641-1
jansson4 - 2.14-3
jshn - 2023-05-23-75a3b870-1
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.15.134-1-d9fd917b385e2572dbbf5ec32e92c76d
kmod-cfg80211 - 5.15.134+6.1.24-3
kmod-crypto-acompress - 5.15.134-1
kmod-crypto-aead - 5.15.134-1
kmod-crypto-ccm - 5.15.134-1
kmod-crypto-cmac - 5.15.134-1
kmod-crypto-crc32c - 5.15.134-1
kmod-crypto-ctr - 5.15.134-1
kmod-crypto-gcm - 5.15.134-1
kmod-crypto-gf128 - 5.15.134-1
kmod-crypto-ghash - 5.15.134-1
kmod-crypto-hash - 5.15.134-1
kmod-crypto-hmac - 5.15.134-1
kmod-crypto-manager - 5.15.134-1
kmod-crypto-null - 5.15.134-1
kmod-crypto-rng - 5.15.134-1
kmod-crypto-seqiv - 5.15.134-1
kmod-crypto-sha512 - 5.15.134-1
kmod-gpio-button-hotplug - 5.15.134-3
kmod-ip6tables - 5.15.134-1
kmod-ipt-conntrack - 5.15.134-1
kmod-ipt-conntrack-extra - 5.15.134-1
kmod-ipt-coova - 5.15.134+1.6-10
kmod-ipt-core - 5.15.134-1
kmod-ipt-nat - 5.15.134-1
kmod-ipt-nat-extra - 5.15.134-1
kmod-ipt-nat6 - 5.15.134-1
kmod-ipt-offload - 5.15.134-1
kmod-leds-gpio - 5.15.134-1
kmod-lib-crc-ccitt - 5.15.134-1
kmod-lib-crc32c - 5.15.134-1
kmod-lib-lzo - 5.15.134-1
kmod-mac80211 - 5.15.134+6.1.24-3
kmod-mmc - 5.15.134-1
kmod-mt76-core - 5.15.134+2023-08-14-b14c2351-1
kmod-mt7603 - 5.15.134+2023-08-14-b14c2351-1
kmod-mt76x02-common - 5.15.134+2023-08-14-b14c2351-1
kmod-mt76x2 - 5.15.134+2023-08-14-b14c2351-1
kmod-mt76x2-common - 5.15.134+2023-08-14-b14c2351-1
kmod-nf-conncount - 5.15.134-1
kmod-nf-conntrack - 5.15.134-1
kmod-nf-conntrack6 - 5.15.134-1
kmod-nf-flow - 5.15.134-1
kmod-nf-ipt - 5.15.134-1
kmod-nf-ipt6 - 5.15.134-1
kmod-nf-log - 5.15.134-1
kmod-nf-log6 - 5.15.134-1
kmod-nf-nat - 5.15.134-1
kmod-nf-nat6 - 5.15.134-1
kmod-nf-reject - 5.15.134-1
kmod-nf-reject6 - 5.15.134-1
kmod-nfnetlink - 5.15.134-1
kmod-nft-compat - 5.15.134-1
kmod-nft-core - 5.15.134-1
kmod-nft-fib - 5.15.134-1
kmod-nft-nat - 5.15.134-1
kmod-nft-offload - 5.15.134-1
kmod-nls-base - 5.15.134-1
kmod-ppp - 5.15.134-1
kmod-pppoe - 5.15.134-1
kmod-pppox - 5.15.134-1
kmod-sdhci-mt7620 - 5.15.134-1
kmod-slhc - 5.15.134-1
kmod-tun - 5.15.134-1
kmod-usb-core - 5.15.134-1
kmod-usb-xhci-hcd - 5.15.134-1
kmod-usb-xhci-mtk - 5.15.134-1
kmod-usb3 - 5.15.134-1
libblobmsg-json20230523 - 2023-05-23-75a3b870-1
libc - 1.2.4-4
libgcc1 - 12.3.0-4
libip4tc2 - 1.8.8-1
libip6tc2 - 1.8.8-1
libiptext0 - 1.8.8-1
libiptext6-0 - 1.8.8-1
libiwinfo-data - 2023-07-01-ca79f641-1
libiwinfo20230701 - 2023-07-01-ca79f641-1
libjson-c5 - 0.16-3
libjson-script20230523 - 2023-05-23-75a3b870-1
liblucihttp-ucode - 2023-03-15-9b5b683f-1
liblucihttp0 - 2023-03-15-9b5b683f-1
libmbedtls12 - 2.28.4-1
libmnl0 - 1.0.5-1
libnftnl11 - 1.2.6-1
libnl-tiny1 - 2023-07-27-bc92a280-1
libpthread - 1.2.4-4
librt - 1.2.4-4
libubox20230523 - 2023-05-23-75a3b870-1
libubus20230605 - 2023-06-05-f787c97b-1
libuci20130104 - 2023-08-10-5781664d-1
libuclient20201210 - 2023-04-13-007d9454-1
libucode20220812 - 2023-06-06-c7d84aae-1
libustream-mbedtls20201210 - 2023-02-25-498f6e26-1
libxtables12 - 1.8.8-1
logd - 2022-08-13-4c7b720b-2
luci - git-23.051.66410-a505bb1
luci-app-firewall - git-23.208.40260-9504081
luci-app-opkg - git-23.009.82915-ec3aac4
luci-base - git-23.236.53405-fc638c8
luci-light - git-23.024.33244-34dee82
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-23.283.21598-257f54c
luci-mod-status - git-23.236.53405-9b3c7d3
luci-mod-system - git-23.118.78765-58f7b27
luci-proto-ipv6 - git-21.148.48881-79947af
luci-proto-ppp - git-21.158.38888-88b9d84
luci-theme-bootstrap - git-23.085.34270-d94a728
mtd - 26
netifd - 2023-09-19-7a58b995-1
nftables-json - 1.0.8-1
odhcp6c - 2023-05-12-bcd28363-20
odhcpd-ipv6only - 2023-06-24-52112643-1
openwrt-keyring - 2022-03-25-62471e69-2
opkg - 2022-02-24-d038e5b6-2
ppp - 2.4.9.git-2021-01-04-4
ppp-mod-pppoe - 2.4.9.git-2021-01-04-4
procd - 2023-06-25-2db83655-2
procd-seccomp - 2023-06-25-2db83655-2
procd-ujail - 2023-06-25-2db83655-2
rpcd - 2023-07-01-c07ab2f9-1
rpcd-mod-file - 2023-07-01-c07ab2f9-1
rpcd-mod-iwinfo - 2023-07-01-c07ab2f9-1
rpcd-mod-luci - 20230123-1
rpcd-mod-rrdns - 20170710
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
ubi-utils - 2.1.5-1
ubox - 2022-08-13-4c7b720b-2
ubus - 2023-06-05-f787c97b-1
ubusd - 2023-06-05-f787c97b-1
uci - 2023-08-10-5781664d-1
uclient-fetch - 2023-04-13-007d9454-1
ucode - 2023-06-06-c7d84aae-1
ucode-mod-fs - 2023-06-06-c7d84aae-1
ucode-mod-html - 1
ucode-mod-math - 2023-06-06-c7d84aae-1
ucode-mod-nl80211 - 2023-06-06-c7d84aae-1
ucode-mod-rtnl - 2023-06-06-c7d84aae-1
ucode-mod-ubus - 2023-06-06-c7d84aae-1
ucode-mod-uci - 2023-06-06-c7d84aae-1
ucode-mod-uloop - 2023-06-06-c7d84aae-1
uhttpd - 2023-06-25-34a8a74d-1
uhttpd-mod-ubus - 2023-06-25-34a8a74d-1
urandom-seed - 3
urngd - 2023-07-25-7aefb47b-1
usign - 2020-05-23-f1f65026-1
wireless-regdb - 2023.09.01-1
wpad-basic-mbedtls - 2023-09-08-e5ccbfc6-4
xtables-legacy - 1.8.8-1

This is the output of lsmod:

cfg80211 293611 5 mt76x2_common,mt76x02_lib,mt7603e,mt76,mac80211
cmac 2546 0
compat 734 2 mac80211,cfg80211
crc_ccitt 1806 1 ppp_async
crc32c_generic 1458 1
drbg 17714 0
gpio_button_hotplug 6770 0
hmac 2578 0
ip6_tables 11324 3 ip6table_nat,ip6table_mangle,ip6table_filter
ip6t_NPT 2386 0
ip6t_REJECT 1330 0
ip6table_filter 914 0
ip6table_mangle 1362 0
ip6table_nat 1458 0
ipt_REJECT 1298 0
iptable_filter 914 1
iptable_mangle 1106 1
iptable_nat 1426 0
jitterentropy_rng 7561 0
leds_gpio 3154 0
libcrc32c 759 1 nf_tables
mac80211 603163 4 mt76x2e,mt76x02_lib,mt7603e,mt76
mmc_block 28410 0
mmc_core 98741 2 mmc_block,mtk_sd
mt76 52405 4 mt76x2e,mt76x2_common,mt76x02_lib,mt7603e
mt7603e 40796 0
mt76x02_lib 44204 2 mt76x2e,mt76x2_common
mt76x2_common 12354 1 mt76x2e
mt76x2e 10721 0
mtk_sd 15874 0
nf_conncount 7272 1 xt_connlimit
nf_conntrack 75455 16 nft_masq,nft_redir,nft_ct,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_REDIRECT,xt_NETMAP,xt_MASQUERADE,nf_flow_table,nf_conncount,nf_nat
nf_defrag_ipv4 1441 1 nf_conntrack
nf_defrag_ipv6 6492 1 nf_conntrack
nf_flow_table 23962 1 xt_FLOWOFFLOAD
nf_log_syslog 10674 0
nf_nat 25134 9 nft_masq,nft_chain_nat,nft_redir,xt_nat,xt_REDIRECT,xt_NETMAP,xt_MASQUERADE,iptable_nat,ip6table_nat
nf_reject_ipv4 4127 3 nft_reject_ipv4,nft_reject_inet,ipt_REJECT
nf_reject_ipv6 4612 3 nft_reject_ipv6,nft_reject_inet,ip6t_REJECT
nf_tables 178808194 nft_masq,nft_chain_nat,nft_fib_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_log,nft_limit,nft_hash,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_ct,nft_counter,nft_compat
nfnetlink 6662 2 nft_compat,nf_tables
nft_chain_nat 978 2
nft_compat 6098 0
nft_counter 2418 16
nft_ct 7698 4
nft_fib 1622 3 nft_fib_inet,nft_fib_ipv6,nft_fib_ipv4
nft_fib_inet 786 0
nft_fib_ipv4 2165 1 nft_fib_inet
nft_fib_ipv6 2965 1 nft_fib_inet
nft_hash 2514 0
nft_limit 3666 5
nft_log 1970 0
nft_masq 1906 1
nft_numgen 1618 0
nft_objref 1938 0
nft_quota 2162 0
nft_redir 1906 0
nft_reject 1415 3 nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet
nft_reject_inet 1010 2
nft_reject_ipv4 754 0
nft_reject_ipv6 754 0
nls_base 5466 1 usbcore
ppp_async 7138 0
ppp_generic 27183 3 pppoe,ppp_async,pppox
pppoe 9714 0
pppox 1520 1 pppoe
seqiv 1714 0
sha512_generic 9597 0
slhc 5378 1 ppp_generic
tun 34705 2
usb_common 4063 4 xhci_plat_hcd,xhci_mtk_hcd,xhci_hcd,usbcore
usbcore 156924 4 xhci_plat_hcd,xhci_pci,xhci_mtk_hcd,xhci_hcd
xhci_hcd 116949 3 xhci_plat_hcd,xhci_pci,xhci_mtk_hcd
xhci_mtk_hcd 10191 0
xhci_pci 4402 0
xhci_plat_hcd 6194 0
xt_FLOWOFFLOAD 5378 0
xt_LOG 978 0
xt_MASQUERADE 946 0
xt_NETMAP 1650 0
xt_REDIRECT 818 0
xt_TCPMSS 3250 2
xt_comment 594 0
xt_connbytes 1874 0
xt_connlimit 1202 0
xt_connmark 1906 0
xt_conntrack 2514 0
xt_coova 6354 0
xt_helper 1106 0
xt_limit 1426 0
xt_mac 754 0
xt_mark 786 0
xt_multiport 1426 0
xt_nat 2450 0
xt_recent 8066 0
xt_state 914 0
xt_time 2130 0

And when I run nft list ruleset I get this:
table inet fw4 {
chain input {
	type filter hook input priority filter; policy drop;
	iifname "lo" accept comment "!fw4: Accept traffic from loopback"
	ct state established,related accept comment "!fw4: Allow inbound established and related flows"
	tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
	iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
	iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
	jump handle_reject
}

chain forward {
	type filter hook forward priority filter; policy drop;
	ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
	iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
	iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
	jump handle_reject
}

chain output {
	type filter hook output priority filter; policy accept;
	oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
	ct state established,related accept comment "!fw4: Allow outbound established and related flows"
	oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
	oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}

chain prerouting {
	type filter hook prerouting priority filter; policy accept;
	iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}

chain handle_reject {
	meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
	reject comment "!fw4: Reject any other traffic"
}

chain syn_flood {
	limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
	drop comment "!fw4: Drop excess packets"
}

chain input_lan {
	jump accept_from_lan
}

chain output_lan {
	jump accept_to_lan
}

chain forward_lan {
	jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
	jump accept_to_lan
}

chain helper_lan {
}

chain accept_from_lan {
	iifname "br-lan" counter packets 84 bytes 7383 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}

chain accept_to_lan {
	oifname "br-lan" counter packets 6 bytes 512 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}

chain input_wan {
	meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
	icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
	meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
	meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
	ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
	icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 2 bytes 184 accept comment "!fw4: Allow-ICMPv6-Input"
	icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 16 bytes 1112 accept comment "!fw4: Allow-ICMPv6-Input"
	jump accept_from_wan
}

chain output_wan {
	jump accept_to_wan
}

chain forward_wan {
	icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
	icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
	meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
	udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
	jump accept_to_wan
}

chain accept_from_wan {
	iifname "wan" counter packets 11 bytes 856 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}

chain accept_to_wan {
	meta nfproto ipv4 oifname "wan" ct state invalid counter packets 10 bytes 400 drop comment "!fw4: Prevent NAT leakage"
	oifname "wan" counter packets 108 bytes 14404 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}

chain dstnat {
	type nat hook prerouting priority dstnat; policy accept;
}

chain srcnat {
	type nat hook postrouting priority srcnat; policy accept;
	oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}

chain srcnat_wan {
	meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}

chain raw_prerouting {
	type filter hook prerouting priority raw; policy accept;
}

chain raw_output {
	type filter hook output priority raw; policy accept;
}

chain mangle_prerouting {
	type filter hook prerouting priority mangle; policy accept;
}

chain mangle_postrouting {
	type filter hook postrouting priority mangle; policy accept;
}

chain mangle_input {
	type filter hook input priority mangle; policy accept;
}

chain mangle_output {
	type route hook output priority mangle; policy accept;
}

chain mangle_forward {
	type filter hook forward priority mangle; policy accept;
	iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
	oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}

}

Please suggest what I am missing here.

@pparent76 please help if you managed to run coovachilli with xt_coova on 23.05.

Many thanks

@brada4

brada4 commented Nov 14, 2024

Opt1 fw4+iptables-nft+kmod_nft (inactive ipt kmods are used by iptables-nft)
Opt2 fw4+iptables-nft+kmod-nft-compat (hard to achieve on v23, on v22 dependencies were much looser)
Opt3 fw3+iptables-zz+kmod_ipt

fw4+iptables-zz -> no go.

@raheelhirani35

Thank you for your reply @brada4.

For Opt1, do we have to change anything in the coovachilli code or in the up.sh or down.sh scripts for the iptables rules? Also, do we not need any kmod-ipt for this option?

For Opt3, can we compile 23.05 without fw4 and only with fw3 + iptables-zz + kmod-ipt? If yes, can you please provide a guide, because I saw fw4 is the default in 23.05.

Thanks once again

@brada4

brada4 commented Nov 14, 2024

Opt1: ipt modules will be installed as a dependency of iptables-nft.
Opt3: you do not have to compile anything; remove firewall4 and add firewall in e.g. the imagebuilder.

@raheelhirani35

Hi @brada4

Thank you for your response. I tried Opt1 with fw4 and iptables-nft, keeping the ipt and nft modules in there, but it is not redirecting the user to the page on connect with coovachilli. I have just used fw4, iptables-nft and kmod_nft and ipt, did not remove anything, and ran coovachilli as it is without any change. Am I missing something?

Also, for Opt3 I checked using make menuconfig and I cannot remove firewall4. A little guide on how to add firewall3 and remove firewall4 during image building would be helpful. Thank you.

Thanks once again.

@brada4

brada4 commented Nov 14, 2024

Check iptables --version -> should say nft.
Then iptables -A FORWARD -m coova --help.
Then iptables-save -> should contain 2 coova rules.
Then nft list ruleset -> should contain xt match coova or something like that, twice.
This is more of a forum discussion, especially now that the coova module can be loaded and programmed by iptables.

@raheelhirani35

raheelhirani35 commented Nov 14, 2024

Hi @brada4, thank you for your reply and sorry to bother you, but I just need a way forward, as I saw in the discussion here that it will work.

iptables --version:
iptables v1.8.8 (nf_tables): no command specified

iptables-save:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br-lan -j DROP
-A INPUT -d 192.168.182.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o wan -j ACCEPT
-A FORWARD -i tun0 ! -o wan -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o br-lan -j DROP
-A FORWARD -i br-lan -j DROP
COMMIT

nft list ruleset has these iptables-nft based rules. (I am currently testing it without xt_coova, for it to work at least.)

# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain INPUT {
	type filter hook input priority filter; policy accept;
	iifname "br-lan" counter packets 331 bytes 35098 drop
	iifname "tun0" meta l4proto icmp ip daddr 192.168.182.1 counter packets 0 bytes 0 accept
	iifname "tun0" ip daddr 192.168.182.1 udp dport 53 counter packets 0 bytes 0 accept
	iifname "tun0" ip daddr 192.168.182.1 udp dport 67-68 counter packets 0 bytes 0 accept
	iifname "tun0" ip daddr 255.255.255.255 udp dport 67-68 counter packets 0 bytes 0 accept
	iifname "tun0" ip daddr 192.168.182.1 tcp dport 4990 counter packets 0 bytes 0 accept
	iifname "tun0" ip daddr 192.168.182.1 tcp dport 3990 counter packets 0 bytes 0 accept
	iifname "tun0" ip daddr 192.168.182.1 counter packets 0 bytes 0 drop
}

chain FORWARD {
	type filter hook forward priority filter; policy accept;
	iifname "tun0" oifname "wan" counter packets 0 bytes 0 accept
	iifname "tun0" oifname != "wan" counter packets 0 bytes 0 drop
	tcp flags syn / syn,rst counter packets 1012 bytes 60720 xt target "TCPMSS"
	oifname "tun0" counter packets 0 bytes 0 accept
	iifname "tun0" counter packets 0 bytes 0 accept
	oifname "br-lan" counter packets 0 bytes 0 drop
	iifname "br-lan" counter packets 1307 bytes 149363 drop
}

}
(comment): Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
chain FORWARD {
type filter hook forward priority mangle; policy accept;
tcp flags syn / syn,rst counter packets 1012 bytes 60720 xt target "TCPMSS"
}

Please advise if you see any issue here.

Thanks

@brada4

brada4 commented Nov 14, 2024

Strange xt target tcpmss; it should use native tcpmss:

iptables-translate  -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu

@raheelhirani35

raheelhirani35 commented Nov 14, 2024

Hi @brada4,

Thanks for the reply.

I am now using xt_coova.
This is the updated iptables-save:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Nov 14 18:00:18 2024
# Generated by iptables-save v1.8.8 (nf_tables) on Thu Nov 14 18:00:18 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_tun0 - [0:0]
:INPUT_tun1 - [0:0]
-A INPUT -i tun1 -j INPUT_tun1
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 11.1.0.1/32 -i br-lan2 -p tcp -m tcp --dport 3990 -m coova --name chilli --source -j ACCEPT
-A INPUT -i tun13 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -o tun1 -j ACCEPT
-A FORWARD -i tun1 -j ACCEPT
-A FORWARD -o br-lan2 -m coova --name chilli --dest -j ACCEPT
-A FORWARD -i br-lan2 -m coova --name chilli --source -j ACCEPT
-A FORWARD -i tun1 -o wan -j ACCEPT
-A FORWARD -i wan -o tun1 -j ACCEPT
-A FORWARD -i wan -o br-lan2 -m coova --name chilli --dest -j ACCEPT
-A FORWARD -i br-lan2 -o wan -m coova --name chilli --source -j ACCEPT
-A FORWARD -i wan -o br-lan2 -m coova --name chilli --dest -j ACCEPT
-A FORWARD -i tun0 -o wan -j ACCEPT
-A FORWARD -i wan -o tun0 -j ACCEPT
-A INPUT_tun1 -d 11.1.0.1/32 -i tun1 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT_tun1 -j RETURN
COMMIT

This is the nft list ruleset:

# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		iifname "tun1" counter packets 0 bytes 0 jump INPUT_tun1
		xt match "conntrack" counter packets 118 bytes 7860 accept
		iifname "br-lan2" ip daddr 11.1.0.1 tcp dport 3990 xt match "coova" counter packets 0 bytes 0 accept
		iifname "tun13" counter packets 0 bytes 0 accept
		counter packets 23 bytes 7608 drop
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		oifname "tun1" counter packets 0 bytes 0 accept
		iifname "tun1" counter packets 0 bytes 0 accept
		oifname "br-lan2" xt match "coova" counter packets 0 bytes 0 accept
		iifname "br-lan2" xt match "coova" counter packets 0 bytes 0 accept
		iifname "tun1" oifname "wan" counter packets 0 bytes 0 accept
		iifname "wan" oifname "tun1" counter packets 0 bytes 0 accept
		iifname "wan" oifname "br-lan2" xt match "coova" counter packets 0 bytes 0 accept
		iifname "br-lan2" oifname "wan" xt match "coova" counter packets 0 bytes 0 accept
		iifname "wan" oifname "br-lan2" xt match "coova" counter packets 0 bytes 0 accept
		iifname "tun0" oifname "wan" counter packets 0 bytes 0 accept
		iifname "wan" oifname "tun0" counter packets 0 bytes 0 accept
	}

	chain INPUT_tun0 {
	}

	chain INPUT_tun1 {
		iifname "tun1" ip daddr 11.1.0.1 tcp dport 3990 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 return
	}
}
table ip mangle {
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}
}

TCPMSS is now removed from mangle, but it is still not working: it is not redirecting to the uamserver.

@brada4

brada4 commented Nov 14, 2024

Please go to the forums, and learn about the formatting buttons </> and <>.
Counters are incomplete; they show just existing connections continuing. You can flush conntrack with conntrack -D, or wait 2h for all states to expire.
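The two points brada4 raises above (an `xt target "TCPMSS"` left in place where nftables has a native expression, and counters that say nothing until the old conntrack entries are gone) are both things you can check mechanically from a saved `nft list ruleset` dump. The script below is an added example written for this thread; it is not code from the coova-chilli or OpenWrt projects. It parses the dump format shown in the posts above, lists every rule that still goes through the xtables compat layer, says which of those extensions have a native nftables replacement (the table of replacements is an assumption and only covers the two extensions seen in this thread; `conntrack` is mapped to the `RELATED,ESTABLISHED` state set used here), and lists xt rules whose counters are still zero, which is what to look at after `conntrack -D`. The sample ruleset embedded in it is constructed from the dumps posted in this thread. Run it on a workstation against a dump you copied off the router, since OpenWrt images do not normally carry Python.

```python
"""Audit an `nft list ruleset` dump for iptables-nft compat (xt) dependencies.

Added example for this issue thread; not part of coova-chilli or OpenWrt.
Usage: nft list ruleset > dump.txt  (on the router), then
       python3 xt_audit.py < dump.txt  (on a workstation).
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed table of native nftables replacements for xt extensions, as
# iptables-translate would emit them. Only the two seen in the thread.
NATIVE_EQUIVALENTS: Dict[str, str] = {
    "TCPMSS": "tcp option maxseg size set rt mtu",
    "conntrack": "ct state related,established",
}


@dataclass
class Rule:
    table: str
    chain: str
    text: str
    packets: int
    nbytes: int
    xt_kind: Optional[str]  # "match", "target", or None for a native rule
    xt_name: Optional[str]


_TABLE_RE = re.compile(r"^table (\S+) (\S+) \{$")
_CHAIN_RE = re.compile(r"^chain (\S+) \{$")
_COUNTER_RE = re.compile(r"counter packets (\d+) bytes (\d+)")
_XT_RE = re.compile(r'xt (match|target) "([^"]+)"')


def parse_ruleset(text: str) -> List[Rule]:
    """Parse human-readable `nft list ruleset` output into Rule records."""
    rules: List[Rule] = []
    table: Optional[str] = None
    chain: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE_RE.match(line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if line == "}":
            # Innermost open block closes first: the chain if one is open, else the table.
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        if chain is None or table is None or line.startswith("type "):
            continue  # chain header (hook/priority/policy) or text outside a chain
        cm = _COUNTER_RE.search(line)
        packets, nbytes = (int(cm.group(1)), int(cm.group(2))) if cm else (0, 0)
        xm = _XT_RE.search(line)
        rules.append(Rule(table, chain, line, packets, nbytes,
                          xm.group(1) if xm else None, xm.group(2) if xm else None))
    return rules


def xt_dependencies(rules: List[Rule]) -> Dict[str, Dict[str, int]]:
    """Count rules that depend on each xtables extension, split by match/target."""
    deps: Dict[str, Dict[str, int]] = {}
    for r in rules:
        if r.xt_name and r.xt_kind:
            deps.setdefault(r.xt_name, {"match": 0, "target": 0})[r.xt_kind] += 1
    return deps


def untranslatable_xt(rules: List[Rule]) -> Set[str]:
    """Extensions with no native expression: these need xt_<name>.ko plus nft_compat."""
    return {r.xt_name for r in rules if r.xt_name and r.xt_name not in NATIVE_EQUIVALENTS}


def idle_xt_rules(rules: List[Rule]) -> List[Rule]:
    """xt rules that have not matched a single packet yet (counters still zero)."""
    return [r for r in rules if r.xt_name and r.packets == 0]


def report(text: str) -> List[str]:
    """One line per xt extension, then one per idle xt rule."""
    rules = parse_ruleset(text)
    out: List[str] = []
    for name, kinds in sorted(xt_dependencies(rules).items()):
        if name in NATIVE_EQUIVALENTS:
            status = "native: " + NATIVE_EQUIVALENTS[name]
        else:
            status = f"NO native equivalent (needs xt_{name}.ko + nft_compat)"
        out.append(f"{name}: {kinds['match']} match, {kinds['target']} target rule(s); {status}")
    for r in idle_xt_rules(rules):
        out.append(f"zero counter: [{r.table}/{r.chain}] {r.text}")
    return out


# Constructed sample, cut down from the dumps posted in this thread.
SAMPLE_RULESET = """\
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        iifname "tun1" counter packets 0 bytes 0 jump INPUT_tun1
        xt match "conntrack" counter packets 118 bytes 7860 accept
        iifname "br-lan2" ip daddr 11.1.0.1 tcp dport 3990 xt match "coova" counter packets 0 bytes 0 accept
        counter packets 23 bytes 7608 drop
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        oifname "br-lan2" xt match "coova" counter packets 0 bytes 0 accept
        iifname "br-lan2" xt match "coova" counter packets 0 bytes 0 accept
        tcp flags syn / syn,rst counter packets 1012 bytes 60720 xt target "TCPMSS"
    }

    chain INPUT_tun1 {
        iifname "tun1" ip daddr 11.1.0.1 tcp dport 3990 counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 return
    }
}
table ip mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
        tcp flags syn / syn,rst counter packets 1012 bytes 60720 xt target "TCPMSS"
    }
}
"""

if __name__ == "__main__":
    src = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(src)))
```

On the sample it reports `coova` as three match rules with no native equivalent, `TCPMSS` as two target rules that could be rewritten natively, and three `coova` rules with zero counters; those three are the ones to re-check after flushing conntrack, because before that the established flows never reach them.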

@aswanthk07

Hi @raheelhirani35, did you figure out how to make coova redirect using fw4 and xt_coova? Please let me know if you have any working solution. Thanks


7 participants