Opened 6 years ago
Closed 6 years ago
#11460 closed defect (fixed)
Netifd causes firewall init errors for redirects due to missing WAN IP info
Reported by: | hnyman | Owned by: | jow |
---|---|---|---|
Priority: | high | Milestone: | Netifd Implementation |
Component: | base system | Version: | Trunk |
Keywords: | netifd firewall wanip | Cc: | hannu.nyman@… |
Description
Today I built my first firmware with netifd enabled: r31741 for ar71xx/WNDR3700.
After booting it I noticed firewall-related errors in the system log. First there is one "user.info sysinit: uci: Entry not found" and then an iptables error for each configured redirect:
Sep 9 00:08:34 OpenWrt user.info sysinit: Loading interfaces
Sep 9 00:08:34 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
Sep 9 00:08:35 OpenWrt user.info firewall: adding wan (eth1) to zone wan
Sep 9 00:08:36 OpenWrt user.info sysinit: uci: Entry not found
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `tcp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:36 OpenWrt user.info sysinit: Bad argument `udp'
Sep 9 00:08:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
Sep 9 00:08:37 OpenWrt user.info firewall: adding sixxs (6in4-sixxs) to zone wan
Sep 9 00:08:38 OpenWrt authpriv.info dropbear[7595]: Running in background
Sep 9 00:08:40 OpenWrt daemon.info radvd[8110]: version 1.8.3 started
I did some debugging and found the reason:
The UCI error is about failing to find the WAN IP address here on line 6:
https://dev.openwrt.org/browser/trunk/package/firewall/files/reflection.hotplug#L6
and that then leads later to erroneous iptables commands on line 106 (as $exthost is supposed to be wanip):
https://dev.openwrt.org/browser/trunk/package/firewall/files/reflection.hotplug#L106
That might be related to #11459, where jow also referenced a known issue regarding the WAN IP info.
Syslog with additional debug statements logged. The missing wanip/exthost causes the following -p to be handled as an IP address, and thus -p's argument tcp gets handled as an option:
May 16 00:09:35 OpenWrt user.info firewall: Bug triggered here: adding wan (eth1) to zone wan
May 16 00:09:35 OpenWrt user.notice root: bug here?
May 16 00:09:35 OpenWrt user.info sysinit: uci: Entry not found
May 16 00:09:35 OpenWrt user.notice root: yes, bug was here
May 16 00:09:36 OpenWrt user.notice root: iptables -t nat -A nat_reflection_in -s 192.168.1.1/255.255.255.0 -d -p tcp --dport 2149 -j DNAT --to 192.168.1.188:2149
May 16 00:09:36 OpenWrt user.info sysinit: Bad argument `tcp'
May 16 00:09:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
May 16 00:09:36 OpenWrt user.notice root: iptables -t nat -A nat_reflection_in -s 192.168.1.1/255.255.255.0 -d -p udp --dport 2149 -j DNAT --to 192.168.1.188:2149
May 16 00:09:36 OpenWrt user.info sysinit: Bad argument `udp'
May 16 00:09:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
May 16 00:09:36 OpenWrt user.notice root: iptables -t nat -A nat_reflection_in -s 192.168.1.1/255.255.255.0 -d -p tcp --dport 338 -j DNAT --to 192.168.1.188:338
May 16 00:09:36 OpenWrt user.info sysinit: Bad argument `tcp'
May 16 00:09:36 OpenWrt user.info sysinit: Try `iptables -h' or 'iptables --help' for more information.
If the actual WAN IP cannot be obtained, either the iptables command should be modified to exclude that argument, or alternatively some dummy default should be set for it on line 83.
If I remove the -d $exthost argument from line 107, the error disappears.
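The argument-shift the reporter traced, as an added shell example that is not OpenWrt's reflection.hotplug and not part of the ticket. The WAN address lookup that fails under netifd is simulated by passing an empty string; the LAN network, internal host and chain name are taken from the ticket's log, while 203.0.113.7 is a constructed stand-in for the WAN address and iptables_stub is a stand-in that only mimics how iptables consumes option arguments. The guarded variant shows the check a fixed script needs: refuse to add the rule when no usable address is known, rather than drop -d, since (as comment:2 notes) a rule without -d no longer does what a loopback rule is meant to do.

```shell
#!/bin/sh
# Added example, not OpenWrt's reflection.hotplug. It reproduces the failure
# described in the ticket: an unquoted, empty $exthost makes the shell drop
# the word, so iptables receives "-d -p tcp", consumes "-p" as the address
# for -d and then rejects the stray "tcp". A guarded variant refuses to add a
# loopback rule when no WAN address is known. Addresses and ports are
# constructed; 203.0.113.7 stands in for the WAN address netifd did not supply.

LAN_NET="192.168.1.1/255.255.255.0"   # -s argument, as in the ticket's log
INT_HOST="192.168.1.188"              # redirect target, as in the log
INT_PORT="2149"

# Stand-in for iptables so the example runs off a router. Like getopt, every
# option takes the *next word* as its value without inspecting it; anything
# left over that is not an option is a "Bad argument", exit status 2.
iptables_stub() {
    cmd="iptables $*"
    while [ $# -gt 0 ]; do
        case $1 in
            -t|-A|-s|-d|-p|--dport|-j|--to)
                if [ $# -lt 2 ]; then
                    echo "iptables: option \`$1' requires an argument" >&2
                    return 2
                fi
                shift 2 ;;
            *)
                echo "Bad argument \`$1'" >&2
                echo "Try \`iptables -h' or 'iptables --help' for more information." >&2
                return 2 ;;
        esac
    done
    echo "$cmd"
}

# The hotplug script's pattern: $1 is the WAN address (exthost), $2 the protocol.
# Unquoted $1 is intentional here to show the bug; when it is empty the shell
# removes the word entirely, and "-p" slides into the -d slot.
add_reflection_rule_unguarded() {
    # shellcheck disable=SC2086
    iptables_stub -t nat -A nat_reflection_in -s "$LAN_NET" -d $1 -p "$2" \
        --dport "$INT_PORT" -j DNAT --to "$INT_HOST:$INT_PORT"
}

# Guarded variant: refuse unless exthost at least looks like a dotted-quad
# (rough shape check, not full address validation), and quote it so an empty
# or odd value can never shift the remaining arguments. Skipping the rule is
# the safe failure: a rule without -d would DNAT every LAN connection to that
# port wherever it was headed, which is what comment:2 warns about.
add_reflection_rule_guarded() {
    case $1 in
        ''|*[!0-9.]*)
            echo "reflection: no WAN address, skipping loopback rule for $2 dport $INT_PORT" >&2
            return 1 ;;
    esac
    iptables_stub -t nat -A nat_reflection_in -s "$LAN_NET" -d "$1" -p "$2" \
        --dport "$INT_PORT" -j DNAT --to "$INT_HOST:$INT_PORT"
}

# Demo (failing calls are caught so the script keeps going).
echo "# unguarded, WAN address missing (reproduces the ticket):"
add_reflection_rule_unguarded "" tcp || echo "  -> exit status $?"
echo "# unguarded, WAN address present:"
add_reflection_rule_unguarded 203.0.113.7 tcp
echo "# guarded, WAN address missing:"
add_reflection_rule_guarded "" tcp || echo "  -> exit status $?"
echo "# guarded, WAN address present:"
add_reflection_rule_guarded 203.0.113.7 udp
```

On a real router replace iptables_stub with iptables; the point of the guard is that the decision to skip is taken in the script, where the missing value is visible, instead of being left to iptables' argument parser, which cannot tell "-p" apart from an address.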
Change History (2)
comment:1 Changed 6 years ago by jow
- Owner changed from developers to jow
- Status changed from new to accepted
comment:2 Changed 6 years ago by jow
- Resolution set to fixed
- Status changed from accepted to closed
Yes, since netifd there is no uci state information anymore. The IP address detection must be changed. Note that removing the -d $exthost argument will effectively render the nat-loopback rules useless.