Flint 3 - ipset cannot use src_net, but src_ip works

This is my first time using GLiNet router (Flint 3) and it has been a great experience so far! However, I am not familiar with openWRT and I currently have a problem setting up an ipset within LuCI.

My goal is to have port forwarding with IP whitelist (in the form of a file). In the GLiNet admin panel, I have created a rule for the port forwarding part easily and it works as expected.

Now to have the whitelist, I went to the LuCI panel and go to Network -> Panel -> IP Sets. Then I do the following.

  1. Create a new IP set
  2. Set "Packet Field Match" to "src_net"
  3. Upload and select my whitelist file containing IPs with CIDR notation
  4. Use the newly created ipset in the port forwarding rule

This does not work. If I go to the router via SSH and check the list with nft list sets, there is no list at all. However, when I change the "Packet Field Match" to "src_ip" and check it again with nft list sets, the list is visible (but without the CIDR notation, since it is parsed as an IP and not a subnet).

Using this ipset with "src_ip" works. For example, if the file contains 1.2.3.4/8 it will be parsed as 1.2.3.4 and I can access the forwarded port from that IP, so I am sure that I did the rules correctly. It seems to me that the option "src_net" simply doesn't work, or I misunderstood it. Can anyone point me to how to use a list with subnets? Thanks!

Hello,

Please try to disable the network acceleration first in GL GUI.

Hello,

I did more tests and I think I have found the problem. Running service firewall reload after creating the ipset and using it in the port forward rules returns the following error.

root@GL-BE9300:~# service firewall reload
Section @ipset[0] (test) match type 'net' requires kernel 5.6 or later
...

root@GL-BE9300:~# uname -r
5.4.213

So it seems that this function is not possible with the current kernel version. Is there any plan to update the kernel for Flint 3?

+1
I have the same issue.

Hello,

R&D team is checking the SDK.

Can anyone else confirm that opkg install kmod-sctp ends up with a router crash/reboot?

We are aware of this situation, and the issue will be fixed in firmware v4.8.3. Thank you!


Hi Bruce, I just downloaded the new firmware v4.8.3 and did a clean install on my Flint 3, but I still get the same error message.

Do you mean kmod-sctp?
Please share screenshots or provide logs

Sorry, I wasn't so clear before. The problem from my original post still exists in firmware v4.8.3.

Just to reiterate: I did a firmware upgrade to v4.8.3 and, before upgrading, I chose not to keep my settings. So this should be a clean installation.

Then, in the IP sets section in LuCI, when I want to match an IP subnet (for example src_net) like in the following screenshot, it can be saved seemingly without error.

However, it doesn’t do anything and the cause can be seen when reloading the firewall via SSH (after saving the IP set).

root@GL-BE9300:~# service firewall reload
Section @ipset[0] (test) match type 'net' requires kernel 5.6 or later

root@GL-BE9300:~# uname -r
5.4.213

It seems the "easy" way out is to upgrade the kernel, which is currently still at v5.4.213, like before.

Sorry, I tested it locally and also reproduced this issue.
LuCI is able to save the rule, but the rule cannot be loaded into the nft firewall, so the actual rules cannot take effect.

If possible, please create the rules in Firewall -> Traffic Rules, which support subnet configuration.

If src_net requires kernel 5.6 or above as mentioned, this requirement may not be supported at this time. The current QSDK version has no plan to upgrade the OpenWrt version.
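Because the src_ip workaround described earlier in this thread silently loads 1.2.3.4/8 as the single host 1.2.3.4, it helps to check a whitelist file before handing it to the firewall. The script below is an added example, not code from this thread or from GL.iNet; it assumes a file with one IPv4 CIDR per line ('#' comments allowed) and a kernel version string in the form that uname -r prints above (5.4.213), and it reports which entries would lose their subnet meaning on a kernel older than 5.6.

```shell
#!/bin/sh
# Added example (not from the thread or GL.iNet). Flags whitelist entries that
# a src_ip ipset would truncate to a single host on a kernel older than 5.6.

# Return 0 when kernel version "$1" (e.g. "5.4.213") is 5.6 or newer, the
# threshold fw4 reports for ipset match type 'net'.
kernel_supports_net_match() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }
}

# Return 0 when "$1" is a well-formed IPv4 CIDR: four 0-255 octets and /0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0; oldifs=$IFS; IFS=.
    for o in $ip; do
        case "$o" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Print one line per entry: OK, TRUNCATED (subnet would collapse to its host
# address) or INVALID. Return 0 only when every entry loads as written.
check_whitelist() {   # $1 = whitelist file, $2 = kernel version string
    status=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if ! valid_cidr "$entry"; then
            echo "INVALID   $entry"; status=1; continue
        fi
        prefix=${entry#*/}
        if [ "$prefix" -lt 32 ] && ! kernel_supports_net_match "$2"; then
            echo "TRUNCATED $entry -> ${entry%/*} (src_ip keeps only the host)"
            status=1
        else
            echo "OK        $entry"
        fi
    done < "$1"
    return $status
}
```

Run it on the router as `check_whitelist /path/to/whitelist.txt "$(uname -r)"`; a non-zero exit status means the file would not be enforced the way it is written.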