
How to run udp2raw with nftables? #540

Open
Twert8 opened this issue Oct 4, 2024 · 7 comments

Comments


Twert8 commented Oct 4, 2024

Hi everyone!
I tried to run udp2raw in Debian 12 unsuccessfully. Based on what I see in udp2raw log, it tries to install iptables rules, which fails, because I have no iptables installed in my systems, I'm wondering why udp2raw tries to do that - iptables is obsolete for a long time already and was replaced by nftables in recent Linux distributions. I don't want to create a mess in the system by installing iptables in addition to nftables. However, I haven't found yet how to run udp2raw at nftables-based systems.
Does anyone know how to do that? Appreciate your help!

wangyu- (Owner) commented Oct 4, 2024

and disable automatic generation of iptables/nftables reliant commands at all

It's mentioned on the home page: -a option automatically adds an iptables rule (or a few iptables rules) for you, udp2raw relies on this iptables rule to work stably. Be aware you don't forget -a (it's a common mistake). If you don't want udp2raw to add iptables rules automatically, you can add them manually (take a look at -g option) and omit -a.

You can always disable -a, so that automatically adding is disabled

It would be a bad practice to create a mess in the system by installing iptables in addition to nftables or removing nftables at all.

Not really true. On newer Linux distributions iptables is simply a compatibility layer in user space that translates your input to nftables (kernel), and it has no problem coexisting with nftables (command).

wangyu- (Owner) commented Oct 4, 2024

If you really don't want to install the iptables command, you have the option of using -g to generate the iptables rules. You translate them into nftables manually and add them manually.

On client side:

# ./udp2raw -c -l0.0.0.0:3333  -r44.55.66.77:4096  -k "passwd" --raw-mode faketcp -g
generated iptables rule:
iptables -I INPUT -s 44.55.66.77 -p tcp -m tcp --sport 4096 -j DROP

you translate it to something like:

chain input {
    ip saddr 44.55.66.77 tcp sport 4096 drop;
}

and add manually

On server side:

# ./udp2raw -s -l0.0.0.0:4096 -r 127.0.0.1:7777    -k "passwd" --raw-mode faketcp -g
generated iptables rule:
iptables -I INPUT -p tcp -m tcp --dport 4096 -j DROP

you translate it to something like:

chain input {
    tcp dport 4096 drop;
}

and add manually

wangyu- (Owner) commented Oct 4, 2024

create an instruction on how to configure nftables

okay, I will add instructions in wiki or help page, and add the equivalent nftables commands into -g's output.

Twert8 (Author) commented Oct 4, 2024

Thank you! So, the only purpose for firewall rules is to protect Linux stack from processing TCP segments?
I configured the endpoints, WireGuard sends packets but does not receive them, and I see in the udp2raw logs at the client multiple passes from client_handshake to client_idle. At the server, I see multiple "received syn, sent syn ack back" entries from different ports and resets like [WARN][IP.IP.IP.IP,47279]rst==1,cnt=1.
If possible, appreciate if you could create a step-by-step guide on how to establish WireGuard connection between udp2raw client and server with manual nftables firewall entries. Thank you!

wangyu- (Owner) commented Oct 4, 2024

So, the only purpose for firewall rules is to protect Linux stack from processing TCP segments?

Yes

At the server, I see multiple received syn,sent syn ack back entries from different ports and resets like [WARN][IP.IP.IP.IP,47279]rst==1,cnt=1.

That usually means the iptables/nftables is not working correctly.

Maybe better you install iptables and try. My above nftables are NOT tested since I don't have the environments at hand.

If possible, appreciate if you could create a step-by-step guide on how to establish WireGuard connection between udp2raw client and server with manual nftables firewall entries. Thank you!

No, I don't plan to add more step-by-step guides for very specific use cases. Users with networking experience should be able to figure it out easily.

But below are some hints on the wiki.

https://github.com/wangyu-/udp2raw/wiki/udp2raw---wireguard-example-configurations


Anillc commented Oct 9, 2024

The input filter did not work for me. The packet loss rate reached 80%. Finally, I dropped rst packets in the output chain and there is no more packet loss.

tcp sport xxx tcp flags rst drop
tcp dport yyy tcp flags rst drop

wangyu- (Owner) commented Dec 5, 2024

@Anillc thanks for the feedback. Maybe the behavior of nftables's drop is not really the same as iptables. I will investigate a bit and see if there is a nftables way similar to the current iptables way.

For now the solution is either: 1. install iptables or 2. drop rst as @Anillc did
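An added example (not from the udp2raw project or from anyone in this thread) that mechanically produces both translations discussed above from the rule text that `udp2raw -g` prints: wangyu-'s input-chain drop and Anillc's output-chain RST drop. It assumes the Debian-style ruleset in which `table inet filter` has base chains `input` and `output` hooked into the kernel (a bare `chain input { ... }` block only takes effect if that chain has a hook); the two sample rule lines are constructed from the thread.

```python
from typing import Dict

# Constructed input: the two `udp2raw -g` lines quoted in this thread,
# not output captured from the tool on a real host.
CLIENT_RULE = "iptables -I INPUT -s 44.55.66.77 -p tcp -m tcp --sport 4096 -j DROP"
SERVER_RULE = "iptables -I INPUT -p tcp -m tcp --dport 4096 -j DROP"

# Every option in the -g output takes exactly one argument; -m only loads the
# tcp match extension and has no nft counterpart.
_OPTS = {"-I", "-s", "-p", "-m", "--sport", "--dport", "-j"}


def parse_rule(rule: str) -> Dict[str, str]:
    """Parse the small iptables subset that -g prints; reject anything else."""
    toks = rule.split()
    if not toks or toks[0] != "iptables" or len(toks) % 2 != 1:
        raise ValueError("expected an iptables command with option/argument pairs")
    fields: Dict[str, str] = {}
    for opt, arg in zip(toks[1::2], toks[2::2]):
        if opt not in _OPTS:
            raise ValueError(f"unsupported option: {opt}")
        fields[opt] = arg
    if (fields.get("-I"), fields.get("-p"), fields.get("-j")) != ("INPUT", "tcp", "DROP"):
        raise ValueError("not an INPUT/tcp/DROP rule of the kind -g generates")
    return fields


def to_nft(rule: str, table: str = "inet filter", mode: str = "input") -> str:
    """Return the nft command equivalent to one -g rule (assumed table layout)."""
    f = parse_rule(rule)
    if mode == "input":
        # wangyu-'s translation: drop the peer's segments before the kernel sees them.
        keys = {"-s": "ip saddr", "--sport": "tcp sport", "--dport": "tcp dport"}
        chain, verdict = "input", "drop"
    elif mode == "output-rst":
        # Anillc's variant: let the segments in, but drop the RSTs the local kernel
        # answers with. Sides flip: the peer address becomes daddr, and the port
        # that arrived as sport leaves as dport (and vice versa).
        keys = {"-s": "ip daddr", "--sport": "tcp dport", "--dport": "tcp sport"}
        chain, verdict = "output", "tcp flags rst drop"
    else:
        raise ValueError(f"unknown mode: {mode}")
    match = " ".join(f"{keys[k]} {f[k]}" for k in ("-s", "--sport", "--dport") if k in f)
    # iptables -I prepends, so `nft insert` keeps the drop ahead of any accept rule.
    return f"nft insert rule {table} {chain} {match} {verdict}"


if __name__ == "__main__":
    for rule in (CLIENT_RULE, SERVER_RULE):
        print(rule)
        for mode in ("input", "output-rst"):
            print("  ", to_nft(rule, mode=mode))
```

The port direction in the output-chain variant matters: on the client the kernel's RST is addressed to the server's port, so it is matched with `tcp dport`, while on the server it leaves from the listening port and is matched with `tcp sport`.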
