Modify

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#13658 closed defect (fixed)

AA: firewall3 not using "option limit" in redirect/forwarding config

Reported by: anonymous Owned by: developers
Priority: high Milestone: Attitude Adjustment 12.09.1
Component: packages Version: Attitude Adjustment 12.09
Keywords: firewall3 firewall iptables limit Cc:

Description

This is reproducible on AA r36855. Firewall configuration has the following two rules, for both v4 and v6, with "option limit '1/min'":

config redirect
        option name 'redirect test'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '55123'
        option dest_ip '192.168.2.123'
        option dest_port '55123'
        option limit '1/min'
        option reflection '0'

config rule
        option name 'v6 redirect test'
        option src 'wan6'
        option src_ip '2233:123::/64'
        option dest 'lan'
        option src_ip '2233:124::/64'
        option dest_port '55123'
        option proto 'tcp'
        option limit '1/min'
        option family 'ipv6'
        option target 'ACCEPT'

The 1/min "-m limit" parameter is not added on v4 port forward rules, while they show up on v6. This are the results of the firewall generated:

# iptables-save|grep 55123
-A zone_wan_prerouting -p tcp -m tcp --dport 55123 -m comment --comment "redirect test" -j DNAT --to-destination 192.168.2.123:55123
-A zone_wan_forward -d 192.168.2.123/32 -p tcp -m tcp --dport 55123 -m comment --comment "redirect test" -j ACCEPT


# ip6tables-save|grep 55123
-A zone_wan6_forward -s 2233:124::/64 -p tcp -m tcp --dport 55123 -m limit --limit 1/min -m comment --comment "v6 redirect test" -j zone_lan_dest_ACCEPT


Based on wiki, "option limit" is valid for redirects. Is this still true?

http://wiki.openwrt.org/doc/uci/firewall#redirects

Attachments (0)

Change History (3)

comment:1 Changed 5 years ago by fclql@…

luci does not support the option limit, right?

comment:2 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

Afair limit for redirects was not supported in the old shall based firewall either, so this is/was probably a documentation bug. Anyhow, I added support for it in r36871 (http://nbd.name/gitweb.cgi?p=firewall3.git;a=commitdiff;h=d4980027ea0ff55b01004cc19bed176cbb9e768e)

comment:3 Changed 5 years ago by anonymous

Some of us don't use luci and have not webgui in the firmware, so we wouldn't know. Openwrt is more powerful if you know what you can do on command line. Not everything can be configured via Luci.

Thanks for adding support!!

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.