Opened 5 years ago
Last modified 4 years ago
#13103 new defect
Traffic rules for icmp have a duplicate entry on the zone_wan iptables chain.
Reported by: | phuque99 <phuque99@…> | Owned by: | developers
---|---|---|---
Priority: | normal | Milestone: | Barrier Breaker 14.07
Component: | base system | Version: | Attitude Adjustment 12.09 Beta
Keywords: | | Cc: |
Description
I found this on r35817 while auditing the firewall rules, so I'm not sure when this bug was introduced. The following default rule is enabled in /etc/config/firewall:

```
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
```

This will result in a duplicate icmp accept rule in the zone_wan chain:

```
Chain zone_wan (2 references)
 pkts bytes target        prot opt in     out     source               destination
    0     0 ACCEPT        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    4   168 ACCEPT        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
 1113 61947 input_wan     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1113 61947 zone_wan_DROP all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
I'm still reviewing the code and will add my comments if I find what triggered this bug.
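The kind of check the reporter was doing by hand, as an added example that is not part of the ticket or of the OpenWrt firewall code: it parses an `iptables -nvL` style listing, strips the packet and byte counters, and reports any rule that appears more than once in the same chain. The sample listing is constructed from the zone_wan chain shown above; the script name and the stdin handling are assumptions for illustration.

```python
"""Audit an `iptables -nvL` listing for duplicate rules within a chain.

Added example (not from the ticket): the pkts/bytes counters are stripped
before comparing, so two rules with identical match and target but
different hit counts are still reported, which is exactly the symptom in
the zone_wan listing from the report.
"""
import re
import sys
from collections import Counter

# Constructed sample reproducing the zone_wan chain from the report
# (column layout as iptables prints it; counters differ between the two
# icmp rules, so a naive line comparison would miss the duplicate).
SAMPLE_LISTING = """\
Chain zone_wan (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    4   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
 1113 61947 input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1113 61947 zone_wan_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")


def parse_listing(text):
    """Return {chain: [rule, ...]}; each rule is the line minus its two counter columns."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if not fields or current is None:
            continue
        if fields[0] == "pkts":  # column header row printed after each "Chain" line
            continue
        # Drop pkts and bytes, then re-join with single spaces so column
        # alignment differences cannot hide an otherwise identical rule.
        chains[current].append(" ".join(fields[2:]))
    return chains


def find_duplicates(text):
    """Return {chain: [(rule, count), ...]} for rules that appear more than once."""
    result = {}
    for chain, rules in parse_listing(text).items():
        dups = [(r, n) for r, n in Counter(rules).items() if n > 1]
        if dups:
            result[chain] = dups
    return result


if __name__ == "__main__":
    # Assumption: read a real listing from a pipe when one is given
    # (e.g. `iptables -nvL | python3 audit_dups.py`), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for chain, dups in find_duplicates(text).items():
        for rule, n in dups:
            print(f"{chain}: rule appears {n}x: {rule}")
```

Comparing on the rule text rather than on whole lines matters here: the two ACCEPT icmp entries have counters 4/168 and 0/0, so only the first is ever hit, and a line-based `uniq -d` over `iptables -nvL` would not flag them.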
Change History (2)
comment:1 Changed 5 years ago by phuque99 <phuque99@…>
I experimented and found out that this issue is reproducible only when the next rule in /etc/config/firewall is disabled (with option enabled '0'). In short, if there is a config entry that is disabled, the preceding iptables rule will have a duplicate entry. This looks like a parsing issue with /sbin/fw.
comment:2 Changed 4 years ago by jow
- Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07
Milestone Attitude Adjustment 12.09 deleted
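A reduced model of the behaviour comment:1 describes, added here as an example; it is not /sbin/fw's code (which is a shell script) and the mechanism it shows is a hypothesis, not a confirmed root cause. One loop shape that yields exactly "enabled rule followed by a disabled rule produces the enabled rule twice" is a rendered-rule variable that is only refreshed for enabled sections while the emit step runs for every section. The section list, the `render` function and the rule names other than Allow-Ping are constructed for the example; the fixed variant skips disabled sections before touching any state.

```python
"""Model of how a disabled config section can duplicate the preceding rule.

Added example, not /sbin/fw's code: a hypothetical reduction of the symptom
in comment:1. `generate_buggy` keeps the last rendered rule in a variable
that is only updated for enabled sections, so a disabled section re-emits
the stale rule. `generate_fixed` skips disabled sections up front.
"""

# Constructed UCI-style sections in file order: Allow-Ping (from the
# report) followed by a disabled rule, the trigger condition in comment:1.
SECTIONS = [
    {"name": "Allow-Ping", "src": "wan", "proto": "icmp",
     "icmp_type": "echo-request", "family": "ipv4", "target": "ACCEPT"},
    {"name": "Example-Disabled", "src": "wan", "proto": "tcp",   # hypothetical
     "dest_port": "22", "target": "ACCEPT", "enabled": "0"},
    {"name": "Example-DHCP-Renew", "src": "wan", "proto": "udp",  # hypothetical
     "dest_port": "68", "target": "ACCEPT"},
]

ICMP_TYPES = {"echo-request": "8"}


def render(rule):
    """Render one section as an iptables rule for chain zone_<src> (simplified)."""
    parts = ["-A", f"zone_{rule['src']}", "-p", rule["proto"]]
    if rule["proto"] == "icmp":
        parts += ["--icmp-type", ICMP_TYPES[rule["icmp_type"]]]
    if "dest_port" in rule:
        parts += ["--dport", rule["dest_port"]]
    parts += ["-j", rule["target"]]
    return " ".join(parts)


def is_enabled(section):
    # UCI semantics: a missing 'enabled' option means enabled.
    return section.get("enabled", "1") != "0"


def generate_buggy(sections):
    """Stale-variable pattern: `rendered` survives across a skipped section."""
    out = []
    rendered = None
    for section in sections:
        if is_enabled(section):
            rendered = render(section)
        # Emit runs for every section, so a disabled one re-emits whatever
        # the previous enabled section rendered.
        if rendered is not None:
            out.append(rendered)
    return out


def generate_fixed(sections):
    """Skip disabled sections before any per-rule state is produced."""
    out = []
    for section in sections:
        if not is_enabled(section):
            continue
        out.append(render(section))
    return out


def duplicates(rules):
    """Rules that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for r in rules:
        if r in seen and r not in dups:
            dups.append(r)
        seen.add(r)
    return dups


if __name__ == "__main__":
    for name, gen in (("buggy", generate_buggy), ("fixed", generate_fixed)):
        rules = gen(SECTIONS)
        print(f"{name}: {len(rules)} rules, duplicates: {duplicates(rules)}")
```

The useful regression check is the last assertion shape: generate from a config that contains a disabled section and require that the rule set has no duplicates and one rule per enabled section, which catches this class of carry-over bug regardless of where in the generator the stale state lives.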