
Flow Offload + PBR Wrong-MAC Mitigation

Feeds, installs, and docs for the nftables guard that keeps policy-routed/NAT flows out of flow offload to prevent wrong-LAN-MAC delivery.

Quick Install (opkg feed)

Add the feed and install the mitigation package on your router.

echo 'src/gz flowoffloadpbr https://a29pine.github.io/openwrt-flowoffload-pbr-mac-misroute/ipk' >> /etc/opkg/customfeeds.conf
opkg update
opkg install openwrt-flowoffload-pbr-mitigation

The package drops /etc/nftables.d/99-flowoffload-pbr.nft and reloads firewall4 so the guard is active immediately.

What This Fixes

  • OpenWrt 24.10.0 with flow offload + PBR: replies for policy-routed, NATed UDP flows can be delivered to the wrong LAN MAC (often the PBR next-hop/VPN peer's MAC instead of the LAN client's).
  • Root cause (as observed): the flowtable still accepts PBR/NAT flows, and the route/neighbor information cached in the flowtable entry does not match where the packet should actually go, so the fast path sends the reply to the wrong MAC.
  • Mitigation: skip flow offload when meta mark != 0 (any policy-routing mark; this also keeps flows marked for other reasons, such as QoS, out of the fast path) or ct status { dnat, snat } (NATed flows). Unmarked, un-NATed flows are still offloaded.
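To make the guard concrete, here is an added example of how such rules can be expressed and then verified from the conntrack table. It is not the project's 99-flowoffload-pbr.nft (that file is not reproduced on this page). It assumes: a firewall4 include of type nft with position chain-pre on chain forward, which splices the rules in front of fw4's own "flow add" rule; a hypothetical include path /etc/fw4-flowoffload-guard.nft and uci section name flowoffload_guard; and the /proc/net/nf_conntrack line format, where offloaded entries carry an [OFFLOAD] or [HW_OFFLOAD] tag. The page's ct status { dnat, snat } is written as two single-flag rules. The sample conntrack lines are constructed, not captured from a router.

```shell
#!/bin/sh
# Added example, not the project's package: a guard that keeps marked (PBR) and
# NATed flows out of fw4's flowtable, plus an audit that proves it from the
# conntrack table. Assumptions: firewall4 'include' sections with
# position=chain-pre (rules spliced in front of fw4's own rules in chain
# forward, where stock fw4 places its "flow add" rule first), and the
# /proc/net/nf_conntrack line format with an [OFFLOAD]/[HW_OFFLOAD] status tag.
set -e

GUARD_PATH="${GUARD_PATH:-/etc/fw4-flowoffload-guard.nft}"   # hypothetical path

# Rules only, no chain wrapper: fw4 inserts them at the top of chain forward.
# Accepting established/related traffic is what fw4 does right after its
# "flow add" rule anyway; doing it first merely skips the flowtable insert.
guard_rules() {
	cat <<'EOF'
meta mark != 0 ct state established,related counter accept comment "guard: marked (PBR) flows stay off the flowtable"
ct status dnat ct state established,related counter accept comment "guard: DNAT flows stay off the flowtable"
ct status snat ct state established,related counter accept comment "guard: SNAT flows stay off the flowtable"
EOF
}

# Router side: write the include, register it with fw4, reload (needs root).
install_guard() {
	guard_rules > "$GUARD_PATH"
	uci -q delete firewall.flowoffload_guard || true
	uci set firewall.flowoffload_guard=include
	uci set firewall.flowoffload_guard.type='nft'
	uci set firewall.flowoffload_guard.position='chain-pre'
	uci set firewall.flowoffload_guard.chain='forward'
	uci set firewall.flowoffload_guard.path="$GUARD_PATH"
	uci commit firewall
	fw4 reload
}

# Audit: read nf_conntrack lines on stdin, print every entry that is offloaded
# AND either carries a nonzero mark or was NATed (reply tuple is not the plain
# mirror of the original tuple). Exit 1 if any such leak exists.
audit_offloaded() {
	awk '
	$0 !~ /\[(HW_)?OFFLOAD\]/ { next }
	{
		n = 0; mark = 0; split("", v)
		for (i = 1; i <= NF; i++) {
			split($i, kv, "=")
			if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") v[++n] = kv[2]
			else if (kv[1] == "mark") mark = kv[2] + 0
		}
		# v[1..4]: original src,dst,sport,dport; v[5..8]: reply src,dst,sport,dport
		snat = (n >= 8 && (v[6] != v[1] || v[8] != v[3]))
		dnat = (n >= 8 && (v[5] != v[2] || v[7] != v[4]))
		why = ""
		if (mark != 0) why = "mark=" mark
		if (snat) why = why (why != "" ? "," : "") "snat"
		if (dnat) why = why (why != "" ? "," : "") "dnat"
		if (why != "") { leaks++; print "LEAK[" why "] " $0 }
	}
	END { exit (leaks > 0) }'
}

# Constructed sample in /proc/net/nf_conntrack format (not captured from a
# real router): lines 2, 3 and 5 are leaks; line 4 shows the guard working.
sample_conntrack() {
	cat <<'EOF'
ipv4     2 udp      17 29 src=10.0.0.20 dst=10.0.1.30 sport=40000 dport=5000 src=10.0.1.30 dst=10.0.0.20 sport=5000 dport=40000 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=9.9.9.9 sport=51234 dport=53 src=9.9.9.9 dst=192.168.1.10 sport=53 dport=51234 [OFFLOAD] mark=1 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.11 dst=203.0.113.53 sport=51235 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=51235 [HW_OFFLOAD] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.12 dst=9.9.9.9 sport=51236 dport=53 src=9.9.9.9 dst=192.168.1.12 sport=53 dport=51236 [ASSURED] mark=1 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=198.51.100.2 sport=40001 dport=8443 src=192.168.1.50 dst=198.51.100.9 sport=443 dport=40001 [OFFLOAD] mark=0 zone=0 use=2
EOF
}

case "${1:-}" in
	install) install_guard ;;
	audit)   audit_offloaded < /proc/net/nf_conntrack ;;
	demo)    sample_conntrack | audit_offloaded ;;
esac
```

Run it as `./guard.sh install` on the router, then `./guard.sh audit`: an empty result with exit status 0 means no marked or NATed flow is sitting in the flowtable, while each LEAK line names the reason (mark, snat, dnat). If your PBR setup only sets ct mark and never restores it into the packet mark, match on ct mark != 0 instead of meta mark != 0, because the guard sees the packet mark at forward time.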

Usage on OpenWrt

Apply mitigation now

opkg install openwrt-flowoffload-pbr-mitigation

Rollback

opkg remove openwrt-flowoffload-pbr-mitigation

The include is a conffile; removing the package also reloads firewall4 to drop it.

Reproduce + Validate (host)

  • Netns lab: ./reproducer/netns-lab.sh run (Linux host, root). Toggle offload with FLOW_OFFLOAD=1, mitigation with MITIGATION=0/1.
  • Smoke test: make smoke (runs the lab with offload off and then on, and asserts that replies reach the correct LAN MAC in both cases).
  • Cleanup: make clean or ./reproducer/netns-lab.sh clean.

Diagnostics (router)

  • Collector: diagnostics/collect.sh (run on router; gathers nft ruleset, flowtable, conntrack, tcpdump hints).
  • Key evidence for upstream: nft flowtable entries, tcpdump L2 headers showing wrong MAC, conntrack entries for affected flows.

Manual Commands (router)

  • nft list flowtable inet fw4 ftoffload — shows the flowtable definition (hook, priority, devices), not its entries; to see whether a given flow was actually offloaded, look for the [OFFLOAD] (or [HW_OFFLOAD]) status tag on its conntrack entry in /proc/net/nf_conntrack or conntrack -L. With the guard active, no entry with a nonzero mark or with NATed tuples should carry that tag.
  • nft monitor trace — trace the chain/rule path of packets, after adding a rule with meta nftrace set 1 for the flow of interest (without it nothing is traced). Packets taken by the flowtable fast path never appear in the trace, which is itself evidence that the flow was offloaded.
  • ip -s neigh show — watch neighbor churn (stale/failed transitions and lladdr changes) for the affected LAN hosts.
  • tcpdump -nn -e -i br-lan udp port 53 — verify the destination MAC on replies (-e prints the link-layer header); compare it against the LAN client's real MAC, not only against the neighbor table.
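The tcpdump evidence above can be checked mechanically rather than by eye. The following is an added example and not part of the project's diagnostics/collect.sh: it takes the output of ip neigh show for br-lan as the expected IP-to-MAC map and flags every frame captured with tcpdump -nn -e whose Ethernet destination does not match the neighbor entry for its IP destination. It assumes tcpdump's default -e line layout and the lladdr field of ip neigh; the neighbor entries and frames embedded in it are constructed samples, not captured data.

```shell
#!/bin/sh
# Added example, not part of the project: flag replies whose Ethernet
# destination MAC does not match the LAN host the IP packet is addressed to.
# Assumptions: "tcpdump -nn -e" line layout (src MAC > dst MAC, ... length N:
# srcip.port > dstip.port: ...) and "ip neigh show" lines with "lladdr MAC";
# the sample frames and neighbor entries below are constructed, not captured.
set -e

# usage: check_reply_macs NEIGH_FILE < TCPDUMP_OUTPUT   (exit 1 on any mismatch)
check_reply_macs() {
	awk -v neigh="$1" '
	BEGIN {                       # expected MAC per LAN IP from "ip neigh show"
		while ((getline line < neigh) > 0) {
			n = split(line, f, " ")
			for (i = 1; i < n; i++) if (f[i] == "lladdr") mac[f[1]] = tolower(f[i + 1])
		}
		close(neigh)
	}
	$3 != ">" { next }            # no link-layer header on this line
	{
		dmac = tolower($4); sub(/,$/, "", dmac)
		dst = ""
		for (i = 5; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
		sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)   # 192.168.1.10.51234: -> 192.168.1.10
		if (!(dst in mac)) next                          # not a known LAN host (e.g. outbound query)
		if (dmac != mac[dst]) {
			bad++
			print "WRONG-MAC dst=" dst " expected=" mac[dst] " got=" dmac " | " $0
		}
	}
	END { exit (bad > 0) }'
}

# Constructed "ip -4 neigh show dev br-lan" output.
sample_neigh() {
	cat <<'EOF'
192.168.1.10 lladdr 00:11:22:33:44:10 REACHABLE
192.168.1.11 lladdr 00:11:22:33:44:11 STALE
EOF
}

# Constructed "tcpdump -nn -e -i br-lan udp port 53" output: reply 1 is correct,
# reply 2 goes to de:ad:be:ef:00:01 (say, the VPN peer) instead of .11's MAC,
# line 3 is an outbound query to a non-LAN host and is ignored.
sample_tcpdump() {
	cat <<'EOF'
12:00:00.000001 aa:aa:aa:aa:aa:01 > 00:11:22:33:44:10, ethertype IPv4 (0x0800), length 98: 9.9.9.9.53 > 192.168.1.10.51234: 1234 1/0/0 A 93.184.216.34 (56)
12:00:00.000002 aa:aa:aa:aa:aa:01 > de:ad:be:ef:00:01, ethertype IPv4 (0x0800), length 98: 9.9.9.9.53 > 192.168.1.11.51235: 1235 1/0/0 A 93.184.216.34 (56)
12:00:00.000003 00:11:22:33:44:10 > aa:aa:aa:aa:aa:01, ethertype IPv4 (0x0800), length 86: 192.168.1.10.51236 > 9.9.9.9.53: 1236+ A? example.com. (44)
EOF
}

case "${1:-}" in
	demo) f=$(mktemp); sample_neigh > "$f"
	      sample_tcpdump | check_reply_macs "$f" || rc=$?
	      rm -f "$f"; exit "${rc:-0}" ;;
	live) f=$(mktemp); ip -4 neigh show dev br-lan > "$f"
	      tcpdump -nn -e -l -i br-lan udp port 53 | check_reply_macs "$f" ;;
esac
```

On the router run `./macchk.sh live` (needs tcpdump and root); `./macchk.sh demo` replays the constructed sample and reports the one misdelivered reply. Because the bug involves neighbor churn, the ip neigh snapshot itself can be stale: if a WRONG-MAC line looks implausible, confirm the client's real MAC from the client side or its DHCP lease before attaching the output to a report.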

Versioning

  • Current: 0.1.2 (tag v0.1.2).
  • Package version matches the latest git tag; override with VERSION=<ver> ./scripts/build-ipk.sh if building locally.

Report Issues

Open an issue on the GitHub repo with:

  • nft ruleset + flowtable listing
  • tcpdump -e trace showing wrong destination MAC vs expected
  • conntrack entries for the affected flow
  • Router model, OpenWrt version, flow offload mode (sw/hw), PBR config