Modify

Opened 6 years ago

Closed 6 years ago

#11460 closed defect (fixed)

Netifd causes firewall init errors for redirects due to missing WAN IP info

Reported by: hnyman Owned by: jow
Priority: high Milestone: Netifd Implementation
Component: base system Version: Trunk
Keywords: netifd firewall wanip Cc: hannu.nyman@…

Description

I built today my first firmware with netifd enabled. r31741 for ar71xx/WNDR3700.

After booting it I noticed firewall-related errors in the system log. There is first one "user.info sysinit: uci: Entry not found" and then an iptables error for each configured redirect:

Sep  9 00:08:34 OpenWrt user.info sysinit: Loading interfaces
Sep  9 00:08:34 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
Sep  9 00:08:35 OpenWrt user.info firewall: adding wan (eth1) to zone wan
Sep  9 00:08:36 OpenWrt user.info sysinit: uci: Entry not found
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep  9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 00:08:37 OpenWrt user.info firewall: adding sixxs (6in4-sixxs) to zone wan
Sep  9 00:08:38 OpenWrt authpriv.info dropbear[7595]: Running in background
Sep  9 00:08:40 OpenWrt daemon.info radvd[8110]: version 1.8.3 started

I did some debugging and found the reason:

The UCI error is about failing to find the WAN IP address here on line 6:
https://dev.openwrt.org/browser/trunk/package/firewall/files/reflection.hotplug#L6

and that then leads later to erroneous iptables commands on line 106 (as $exthost is supposed to be wanip):
https://dev.openwrt.org/browser/trunk/package/firewall/files/reflection.hotplug#L106

That might be related to #11459, where jow also referenced a known issue regarding the WAN IP info.

Syslog with additional debug statements being logged. The missing wanip/exthost causes the following -p to be handled as an ip address, and thus -p's argument tcp gets handled as an option:

May 16 00:09:35 OpenWrt user.info firewall: Bug triggered here: adding wan (eth1) to zone wan
May 16 00:09:35 OpenWrt user.notice root: bug here?
May 16 00:09:35 OpenWrt user.info sysinit: uci: Entry not found
May 16 00:09:35 OpenWrt user.notice root: yes, bug was here
May 16 00:09:36 OpenWrt user.notice root: iptables -t nat -A nat_reflection_in -s 192.168.1.1/255.255.255.0 -d  -p tcp --dport 2149 -j DNAT --to 192.168.1.188:2149
May 16 00:09:36 OpenWrt user.info sysinit: Bad argument `tcp'
May 16 00:09:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
May 16 00:09:36 OpenWrt user.notice root: iptables -t nat -A nat_reflection_in -s 192.168.1.1/255.255.255.0 -d  -p udp --dport 2149 -j DNAT --to 192.168.1.188:2149
May 16 00:09:36 OpenWrt user.info sysinit: Bad argument `udp'
May 16 00:09:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
May 16 00:09:36 OpenWrt user.notice root: iptables -t nat -A nat_reflection_in -s 192.168.1.1/255.255.255.0 -d  -p tcp --dport 338 -j DNAT --to 192.168.1.188:338
May 16 00:09:36 OpenWrt user.info sysinit: Bad argument `tcp'
May 16 00:09:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.

If the actual WAN IP can not be obtained, either the iptables command should be modified to exclude that argument, or alternatively some dummy default be set to that on line 83.

If I remove the -d $exthost argument from line 107, the error disappears.

Attachments (0)

Change History (2)

comment:1 Changed 6 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

Yes, since netifd there is no uci state information anymore. The ip address detection must be changed. Note that removing the -d $exthost argument will effectively render the nat-loppback rules useless.

comment:2 Changed 6 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed

Should be fixed with r31754 (note that it also depends on r31747)

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

AttachmentsDescription
 
Note: See TracTickets for help on using tickets.