ericpaulbishop / gargoyle

Gargoyle Router Management Utility
http://www.gargoyle-router.com

Webmon in PREROUTING or POSTROUTING instead of FORWARD #827

Closed greekstreet closed 5 years ago

greekstreet commented 5 years ago

@ericpaulbishop
Dear Eric the Bishop,

Firstly, thank you for the great firmware, especially the webmon part.

I ported webmon_gargoyle to OpenWrt 18.06.4 and made a LuCI page, and it works great! The only problem is that it conflicts with Flow Offloading. My router is a Ubnt Edge Router X. HW offloading provides a significant performance boost. After some digging, I found out that webmon_gargoyle adds an iptables rule to the FORWARD chain, where HW offloading is. That's why they cannot work together. Is it possible to use nat PREROUTING or POSTROUTING? I tried modifying the iptables rules in /etc/init.d/webmon_gargoyle. It does not seem to work.

greekstreet commented 5 years ago

BTW, I don't use QoS.

lantis1008 commented 5 years ago

I do not think it is possible to use NAT PREROUTING in this manner. It worked fine for me using RAW PREROUTING.

This should be fine, as I believe it sits before the FLOWOFFLOAD point.

@@ -63,8 +63,8 @@

        #remove existing rules
        delete_chain_from_table filter web_monitor
-       iptables -t filter -N web_monitor
-       iptables -t filter -I FORWARD -o "$wan_if" -j web_monitor
+       iptables -t raw -N web_monitor
+       iptables -t raw -I PREROUTING -j web_monitor

        #load parameters and insert rule
        webmon_params=""
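
Review bot: The new jump `iptables -t raw -I PREROUTING -j web_monitor` drops the `-o "$wan_if"` match that the FORWARD rule had, so every packet arriving on any interface now traverses web_monitor, not only traffic leaving through the WAN. An output-interface match is not valid in PREROUTING, so consider an `-i` match on the LAN-side interface to keep the scope close to the original. Separately, the unchanged context line `delete_chain_from_table filter web_monitor` still targets filter while the chain is now created in raw; cleaning both tables at this point would keep `iptables -t raw -N web_monitor` from failing on an existing chain if start runs twice without a stop in between.
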
@@ -83,13 +83,13 @@

        if   [ -e "$search_save_path" ] && [ -e "$domain_save_path" ] ; then
-           iptables -t filter -I web_monitor -m webmon $webmon_params --search_load_file "$search_save_path" --domain_load_file "$domain_save_path"
+           iptables -t raw -I web_monitor -m webmon $webmon_params --search_load_file "$search_save_path" --domain_load_file "$domain_save_path"
        elif [ -e "$search_save_path" ] ; then
-           iptables -t filter -I web_monitor -m webmon $webmon_params --search_load_file "$search_save_path" --clear_domain
+           iptables -t raw -I web_monitor -m webmon $webmon_params --search_load_file "$search_save_path" --clear_domain
        elif [ -e "$domain_save_path" ] ; then
-           iptables -t filter -I web_monitor -m webmon $webmon_params --domain_load_file "$domain_save_path" --clear_search
+           iptables -t raw -I web_monitor -m webmon $webmon_params --domain_load_file "$domain_save_path" --clear_search
        else
-           iptables -t filter -I web_monitor -m webmon $webmon_params --clear_domain --clear_search
+           iptables -t raw -I web_monitor -m webmon $webmon_params --clear_domain --clear_search
        fi
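
Review bot: The table name is hard-coded in each of the four `iptables -t raw -I web_monitor -m webmon` branches, as well as in the chain setup and teardown. Holding the table in a single variable set once near the top of the script would keep the four branches in sync and would make it simple to fall back to filter on routers where flow offloading is not in use.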

@@ -119,10 +119,10 @@

    #clear module data, and remove web_monitor chain
-   iptables -t filter -D web_monitor 1          >/dev/null 2>&1
-   iptables -t filter -A web_monitor -j RETURN  >/dev/null 2>&1
-   iptables -t filter -A web_monitor -m webmon --clear_domain --clear_search >/dev/null 2>&1
-   delete_chain_from_table filter web_monitor
+   iptables -t raw -D web_monitor 1          >/dev/null 2>&1
+   iptables -t raw -A web_monitor -j RETURN  >/dev/null 2>&1
+   iptables -t raw -A web_monitor -m webmon --clear_domain --clear_search >/dev/null 2>&1
+   delete_chain_from_table raw web_monitor
 }

 restart()
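
Review bot: The teardown in this hunk now addresses only raw (`delete_chain_from_table raw web_monitor`), so a router that was started with the previous script and stopped with this one keeps its web_monitor chain and FORWARD jump in filter. Calling delete_chain_from_table for both filter and raw here would cover that upgrade path. The `>/dev/null 2>&1` redirects on the three iptables lines also hide any failure of the raw-table commands, so logging an error from at least the `-D` line would help when diagnosing a stop that did not clean up.
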
greekstreet commented 5 years ago

@lantis1008 Thank you very much for the detailed reply. Closing this issue.

greekstreet commented 5 years ago

I tried, but it does not seem to work when flow offloading is turned on. I'll keep this issue closed since I implemented my own web monitor with dnsmasq.

lantis1008 commented 5 years ago

Thanks for coming back. I'll have to read and understand more about flow offload. I didn't know it was picking up packets before the NAT stage.