nftables: omit reflection filter on corerouters

pktpls · pktpls · commit e74ae158b87c · 2024-10-16T01:34:39.000+02:00
(if and endif are the only changes, the rest is indentation fixes.)

Intermittently breaks routed IP traffic to mesh neighbours if the mesh interface
is using the underlying (wifi) interface directly, instead of a bridge or VLAN.

The filter is supposed to learn our own mac addresses from outgoing traffic
and then reject incoming reflected packets with our own src address.
If we don't filter these, logread gets cluttered with informational messages
saying "received packet with our own address".

However, if a mesh interface uses the underlying interface directly (instead of
wrapping it in a bridge or VLAN), we somehow end up blocking our mesh neighbours.
This is the case e.g. on corerouters that mesh on their own, with integrated antennas.

For now let's "fix" this by not using the reflection filter on corerouters anymore.
diff --git a/roles/cfg_openwrt/templates/common/nftables.conf.j2 b/roles/cfg_openwrt/templates/common/nftables.conf.j2
@@ -60,20 +60,21 @@ table bridge client_isolation {
   {% endif %}
 {% endfor %}
 
-{% for network in networks | selectattr('role', 'equalto', 'mesh') | selectattr('name','in', network_ifname_map|map(attribute='network')) %}
-  {% set wifi_if = network_ifname_map | selectattr('network', 'equalto', network['name']) | map(attribute='ifname') | first %}
-  {% set set_localrouter = 'localrouter_' + network['name'] %}
-  {% if loop.first %}
+{% if role == 'corerouter' %}
+  {% for network in networks | selectattr('role', 'equalto', 'mesh') | selectattr('name','in', network_ifname_map|map(attribute='network')) %}
+    {% set wifi_if = network_ifname_map | selectattr('network', 'equalto', network['name']) | map(attribute='ifname') | first %}
+    {% set set_localrouter = 'localrouter_' + network['name'] %}
+    {% if loop.first %}
 
-{# Corerouters have no bridge, therefore we need to hook in family inet.
-    See https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Netfilter_hooks_into_Linux_networking_packet_flows #}
-{% set type = 'bridge' if role == 'ap' else 'inet' %}
+      {# Corerouters have no bridge, therefore we need to hook in family inet.
+        See https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Netfilter_hooks_into_Linux_networking_packet_flows #}
+      {% set type = 'bridge' if role == 'ap' else 'inet' %}
 
 
 table {{ type }} prevent_mesh_reflection
 flush table {{ type }} prevent_mesh_reflection
 table {{ type }} prevent_mesh_reflection {
-  {% endif %}
+    {% endif %}
 	set {{ set_localrouter }} {
 		type ether_addr
 		size 5
@@ -88,7 +89,8 @@ table {{ type }} prevent_mesh_reflection {
 		iifname {{ wifi_if }} ether saddr @{{ set_localrouter }} counter drop
 
 	}
-  {% if loop.last %}
+    {% if loop.last %}
 }
-  {% endif %}
-{% endfor %}
+    {% endif %}
+  {% endfor %}
+{% endif %}
