
I'm trying to set up selective routing of traffic, filtered by IP address, over OpenVPN on my OpenWRT router.

I have an OpenVPN profile up and working with the route-nopull option to disable setting the default gateway.

The following commands are meant to have packets targeted at a set of IP addresses marked with the 0x1 mark in the mangle prerouting section:

nft add set inet fw4 marker { type ipv4_addr \;}
nft add element inet fw4 marker {40.81.94.43}
nft insert rule inet fw4 mangle_prerouting ip daddr @marker counter meta mark set 0x1

Then I have an ip route table set up to route the marked packets through the VPN gateway:

ip rule add fwmark 1 table vpn
ip route add default via 10.211.1.118 dev tun_vpn table vpn

This setup doesn't work for some reason: the traffic just goes through the default WAN gateway, although the nft counter shows that packets reach the marking rule.

However, if I explicitly set the routing table to be used for the IP address, it works as expected:

ip rule add to 40.81.94.43 table vpn

directs traffic to 40.81.94.43 through the VPN gateway as intended.

It seems that either nft doesn't mark packets with the 0x1 mark or ip rule add fwmark 1 doesn't catch it for some reason. What am I missing?



Answering my own question in case it could be useful for someone:

After finding the "[SOLVED] iproute2 ignores connection marks set with nftables" thread, I've updated the nft rule set to the following:

nft insert rule inet fw4 mangle_prerouting ip daddr @marker counter ct mark set 390
nft add rule inet fw4 mangle_prerouting ip daddr @marker counter meta mark set ct mark

And it worked! Turns out I needed to set a connection mark, not a meta mark.
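As an added check that is not part of the question or the answer above: a small Python script that parses the JSON from `nft -j list chain inet fw4 mangle_prerouting` and reports which ct mark the @marker rules write, whether that number is the same one an `ip rule ... fwmark` selects on, whether the `meta mark set ct mark` restore rule is present, and whether the counter has seen any traffic. The JSON below is a constructed sample, and its shape is my assumption about nft's JSON output, not something taken from the post.

```python
import json

# Constructed sample of `nft -j list chain inet fw4 mangle_prerouting` output.
# Assumption: this is the JSON shape nft emits; real output carries more objects.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"chain": {"family": "inet", "table": "fw4", "name": "mangle_prerouting",
               "type": "filter", "hook": "prerouting", "prio": -150}},
    {"rule": {"family": "inet", "table": "fw4", "chain": "mangle_prerouting", "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                   "right": "@marker"}},
        {"counter": {"packets": 17, "bytes": 1020}},
        {"mangle": {"key": {"ct": {"key": "mark"}}, "value": 390}}]}},
    {"rule": {"family": "inet", "table": "fw4", "chain": "mangle_prerouting", "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                   "right": "@marker"}},
        {"counter": {"packets": 17, "bytes": 1020}},
        {"mangle": {"key": {"meta": {"key": "mark"}}, "value": {"ct": {"key": "mark"}}}}]}},
]})


def audit_marking(nft_json, fwmark, set_name="marker"):
    """Check the mangle_prerouting rules matching @set_name: which ct mark they
    set, whether it equals the fwmark an `ip rule` selects on, whether the ct
    mark is copied back into the packet mark, and whether any packet hit them."""
    report = {"ct_mark": None, "packets": 0, "restores_meta_mark": False, "problems": []}
    for obj in json.loads(nft_json)["nftables"]:
        rule = obj.get("rule")
        if not rule or rule["chain"] != "mangle_prerouting":
            continue
        exprs = rule["expr"]
        if not any(e.get("match", {}).get("right") == "@" + set_name for e in exprs):
            continue
        packets = sum(e["counter"]["packets"] for e in exprs if "counter" in e)
        for e in exprs:
            mangle = e.get("mangle")
            if mangle and "ct" in mangle["key"] and isinstance(mangle["value"], int):
                report["ct_mark"], report["packets"] = mangle["value"], packets  # ct mark set N
            elif mangle and "meta" in mangle["key"] and isinstance(mangle["value"], dict) \
                    and "ct" in mangle["value"]:
                report["restores_meta_mark"] = True  # meta mark set ct mark
    p = report["problems"]
    if report["ct_mark"] is None:
        p.append(f"no rule sets a ct mark for @{set_name}")
    elif report["ct_mark"] != fwmark:
        p.append(f"ct mark {report['ct_mark']} != ip rule fwmark {fwmark}: rule never matches")
    if not report["restores_meta_mark"]:
        p.append("no 'meta mark set ct mark' rule: packet mark stays 0, ip rule cannot match")
    if report["ct_mark"] is not None and report["packets"] == 0:
        p.append(f"counter is zero: no packet to @{set_name} has reached the rule yet")
    return report
```

On the router, feed it real output with `nft -j list chain inet fw4 mangle_prerouting` and the decimal fwmark from `ip rule show`; an empty "problems" list means the marking and the policy route agree.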