
Opened 5 years ago

Closed 5 years ago

#13130 closed defect (fixed)

Iptable rules get duplicated during hotplug firewall reload

Reported by: anonymous Owned by: developers
Priority: response-needed Milestone: Chaos Calmer 15.05
Component: packages Version: Trunk
Keywords: Cc:

Description

When wan (pppoe) interface is brought up and hotplug firewall reload script is executed, iptable rules get duplicated.

Tables affected are:

NAT table - PREROUTING and POSTROUTING chains
Mangle table - FORWARD chain
Raw table - PREROUTING chain

Furthermore, rules entered via the /etc/firewall.user script aren't preserved during reload.

Attachments (0)

Change History (10)

comment:1 Changed 5 years ago by jow

  • Priority changed from normal to response-needed

Please show a listing of the duplicated rules and a copy of your firewall.user. I can reproduce neither.

comment:2 Changed 5 years ago by anonymous

Here they are:

Table: NAT

Chain PREROUTING (policy ACCEPT 1189 packets, 183K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1207  185K delegate_prerouting  all  --  any    any     anywhere             anywhere            
 1193  184K delegate_prerouting  all  --  any    any     anywhere             anywhere            
 1189  183K delegate_prerouting  all  --  any    any     anywhere             anywhere            

Chain INPUT (policy ACCEPT 79 packets, 7079 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 186 packets, 15267 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 28 packets, 3963 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1025  111K delegate_postrouting  all  --  any    any     anywhere             anywhere            
   29  4067 delegate_postrouting  all  --  any    any     anywhere             anywhere            
   28  3963 delegate_postrouting  all  --  any    any     anywhere             anywhere            

Chain delegate_postrouting (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 1080  119K postrouting_rule  all  --  any    any     anywhere             anywhere            
  996  107K zone_wan_postrouting  all  --  any    pppoe-wan  anywhere             anywhere            

Chain delegate_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 3567  550K prerouting_rule  all  --  any    any     anywhere             anywhere            

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  996  107K MASQUERADE  all  --  any    any     anywhere             anywhere            

Table: Mangle

Chain PREROUTING (policy ACCEPT 4934 packets, 1094K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1445 packets, 143K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 3294 packets, 868K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3294  868K mssfix     all  --  any    any     anywhere             anywhere            
 3294  868K mssfix     all  --  any    any     anywhere             anywhere            
 3294  868K mssfix     all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 1492 packets, 356K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 4787 packets, 1224K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain mssfix (3 references)
 pkts bytes target     prot opt in     out     source               destination         
  204 11304 TCPMSS     tcp  --  any    pppoe-wan  anywhere             anywhere            tcp flags:SYN,RST/SYN /* wan (mtu_fix) */ TCPMSS clamp to PMTU 

Table: Raw

Chain PREROUTING (policy ACCEPT 4934 packets, 1094K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4961 1097K notrack    all  --  any    any     anywhere             anywhere            
 4947 1096K notrack    all  --  any    any     anywhere             anywhere            
 4934 1094K notrack    all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 1493 packets, 356K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain notrack (3 references)
 pkts bytes target     prot opt in     out     source               destination         

and /etc/firewall.user:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

iptables -t nat --insert zone_wan_postrouting 1 --jump ACCEPT --match policy --strict --dir out --pol ipsec --proto esp

After '/etc/init.d/firewall reload' everything is as it should be (including the rule from firewall.user). However, after doing 'ifdown wan; ifup wan' the duplicate rules reappear.

The router is a D-Link DIR-825 rev B1; OpenWrt is rev. r35890 (custom compiled to include strongswan).

And here are my network and firewall configs (nothing special):

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.0.254'

config interface 'wan'
        option ifname 'eth1'
        option proto 'pppoe'
        option username '******'
        option password '******'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

#config interface 'modem'
#       option ifname 'eth1'
#       option proto 'static'
#       option ipaddr '192.168.1.2'
#       option netmask '255.255.255.0'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Enforce-ULA-Border-Src'
        option src '*'
        option dest 'wan'
        option proto 'all'
        option src_ip 'fc00::/7'
        option family 'ipv6'
        option target 'REJECT'

config rule
        option name 'Enforce-ULA-Border-Dest'
        option src '*'
        option dest 'wan'
        option proto 'all'
        option dest_ip 'fc00::/7'
        option family 'ipv6'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Drop-SSH'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option target 'DROP'
        option family 'ipv4'
        option extra '-m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 3 --rsource'

config rule
        option name 'Allow-SSH'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv4'
        option extra '-m state --state NEW -m recent --name SSH --set --rsource'

config rule
        option name 'IKE'
        option src 'wan'
        option dest_ip '***.***.***.***'
        option proto 'udp'
        option dest_port '500'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'ESP'
        option src 'wan'
        option dest_ip '***.***.***.***'
        option proto 'esp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'NAT-T'
        option src 'wan'
        option dest_ip '***.***.***.***'
        option proto 'udp'
        option dest_port '4500'
        option target 'ACCEPT'
        option family 'ipv4'

comment:3 Changed 5 years ago by jow

Well, the hotplug handler does exactly that, calling fw3 reload - additionally, locking is performed to ensure that multiple instances do not race each other. Do you use any nonstandard hotplug scripts?

comment:4 Changed 5 years ago by anonymous

No, the stock hotplug script is used.

At least for the firewall.user file, I believe it isn't processed when 'fw3 reload' is used.

The output of 'fw3 reload':

Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Clearing filter table
 * Clearing nat table
 * Clearing mangle table
 * Clearing raw table
Constructing IPv4 rules ...
 * Populating filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Drop-SSH'
   * Rule 'Allow-SSH'
   * Rule 'IKE'
   * Rule 'ESP'
   * Rule 'NAT-T'
   * Forward 'lan' -> 'wan'
 * Populating nat table
   * Zone 'wan'
 * Populating mangle table
 * Populating raw table

and the output of 'fw3 restart' as used in '/etc/init.d/firewall reload':

Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Flushing filter table
 * Flushing nat table
 * Flushing mangle table
 * Flushing raw table
Warning: Unable to execute ip6tables-restore
Flushing conntrack table ...
Warning: Unable to locate ipset utility, disabling ipset support
Setting sysctl values
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
Constructing IPv4 rules ...
 * Populating filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Drop-SSH'
   * Rule 'Allow-SSH'
   * Rule 'IKE'
   * Rule 'ESP'
   * Rule 'NAT-T'
   * Forward 'lan' -> 'wan'
 * Populating nat table
   * Zone 'wan'
 * Populating mangle table
 * Populating raw table
 * Running script '/etc/firewall.user'

comment:5 Changed 5 years ago by anonymous

It looks like each consecutive 'fw3 reload' simply adds new rules to the tables, leaving the old ones intact. So after entering 'fw3 reload' 3 times in a row I get (only the raw table is shown here, but the same applies to the above-mentioned tables too):

Chain PREROUTING (policy ACCEPT 225 packets, 16312 bytes)
 pkts bytes target     prot opt in     out     source               destination
  429 48486 notrack    all  --  any    any     anywhere             anywhere
  264 18884 notrack    all  --  any    any     anywhere             anywhere
  241 17192 notrack    all  --  any    any     anywhere             anywhere
  225 16312 notrack    all  --  any    any     anywhere             anywhere

comment:6 Changed 5 years ago by jow

Attach the output of "fw3 -d reload"

comment:7 Changed 5 years ago by anonymous

Output of 'fw3 -d reload':

Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Clearing filter table
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
-D INPUT -j delegate_input
-D OUTPUT -j delegate_output
-D FORWARD -j delegate_forward
-F delegate_input
-F delegate_output
-F delegate_forward
-F reject
-F syn_flood
-F zone_lan_input
-F zone_lan_output
-F zone_lan_forward
-F zone_lan_src_ACCEPT
-F zone_lan_dest_ACCEPT
-F zone_lan_dest_REJECT
-F zone_wan_input
-F zone_wan_output
-F zone_wan_forward
-F zone_wan_src_REJECT
-F zone_wan_dest_ACCEPT
-F zone_wan_dest_REJECT
-X delegate_input
-X delegate_output
-X delegate_forward
-X reject
-X syn_flood
-X zone_lan_input
-X zone_lan_output
-X zone_lan_forward
-X zone_lan_src_ACCEPT
-X zone_lan_dest_ACCEPT
-X zone_lan_dest_REJECT
-X zone_wan_input
-X zone_wan_output
-X zone_wan_forward
-X zone_wan_src_REJECT
-X zone_wan_dest_ACCEPT
-X zone_wan_dest_REJECT
COMMIT
 * Clearing nat table
*nat
COMMIT
 * Clearing mangle table
*mangle
COMMIT
 * Clearing raw table
*raw
COMMIT
Constructing IPv4 rules ...
 * Populating filter table
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:delegate_forward - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
   * Zone 'lan'
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
   * Zone 'wan'
-A INPUT -j delegate_input
-A OUTPUT -j delegate_output
-A FORWARD -j delegate_forward
-A delegate_input -i lo -j ACCEPT
-A delegate_output -o lo -j ACCEPT
-A delegate_input -j input_rule
-A delegate_output -j output_rule
-A delegate_forward -j forwarding_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A syn_flood -p tcp --syn -m limit --limit 25/second --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A delegate_input -p tcp --syn -j syn_flood
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with port-unreach
   * Rule 'Allow-DHCP-Renew'
-A zone_wan_input -p 17 --dport 68 -m comment --comment "Allow-DHCP-Renew" -j ACCEPT
   * Rule 'Allow-Ping'
-A zone_wan_input -p 1 --icmp-type 8 -m comment --comment "Allow-Ping" -j ACCEPT
   * Rule 'Drop-SSH'
-A zone_wan_input -p 6 --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 3 --rsource -m comment --comment "Drop-SSH" -j DROP
   * Rule 'Allow-SSH'
-A zone_wan_input -p 6 --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -m comment --comment "Allow-SSH" -j ACCEPT
   * Rule 'IKE'
-A zone_wan_input -p 17 -d ***.***.***.***/32 --dport 500 -m comment --comment "IKE" -j ACCEPT
   * Rule 'ESP'
-A zone_wan_input -p 50 -d ***.***.***.***/32 -m comment --comment "ESP" -j ACCEPT
   * Rule 'NAT-T'
-A zone_wan_input -p 17 -d ***.***.***.***/32 --dport 4500 -m comment --comment "NAT-T" -j ACCEPT
   * Forward 'lan' -> 'wan'
-A zone_lan_forward -m comment --comment "forwarding lan->wan" -j zone_wan_dest_ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_REJECT -o br-lan -j reject
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_output -o br-lan -j zone_lan_output
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_src_REJECT -i eth1 -j reject
-A zone_wan_dest_REJECT -o eth1 -j reject
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_output -o eth1 -j zone_wan_output
-A delegate_forward -j reject
COMMIT
 * Populating nat table
*nat
:delegate_prerouting - [0:0]
:delegate_postrouting - [0:0]
:zone_wan_postrouting - [0:0]
   * Zone 'wan'
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_prerouting -j prerouting_rule
-A delegate_postrouting -j postrouting_rule
-A zone_wan_postrouting -j MASQUERADE
-A delegate_postrouting -o eth1 -j zone_wan_postrouting
COMMIT
 * Populating mangle table
*mangle
:mssfix - [0:0]
-A FORWARD -j mssfix
-A mssfix -o eth1 -p tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
 * Populating raw table
*raw
:notrack - [0:0]
-A PREROUTING -j notrack
COMMIT
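
As an added example (not part of this ticket and not fw3's own code), the following Python checker makes the pattern in comment:5 and comment:7 visible mechanically. It reads a 'fw3 -d reload' transcript and reports every '-A' rule that the populate phase appends to a built-in chain without a matching '-D' in the clear phase (in the transcript above, the filter table gets '-D INPUT -j delegate_input' and friends, while the nat, mangle and raw tables get nothing between '*table' and 'COMMIT', which is exactly the set of chains the reporter saw growing). A second function counts identical rules per chain in iptables-save output, the shape the duplication takes once it has happened. The embedded SAMPLE_FW3_DEBUG and SAMPLE_SAVE strings are constructed, abbreviated versions of the output posted in this ticket; everything else (function names, the 'Removing'/'Constructing' banner detection, the assumption that fw3 only ever flushes its own chains) is this example's own.

```python
"""Spot firewall rules that accumulate across 'fw3 reload' runs.

Added example for this ticket, not fw3's own code.  Two checks:
  leaked_jumps()    - in a 'fw3 -d reload' transcript, '-A' rules on a
                      built-in chain with no matching '-D' in the clear phase
  duplicate_rules() - identical rules repeated inside one chain of an
                      iptables-save dump
"""
import re
import sys
from collections import Counter

# Assumption: the clear phase flushes/deletes only fw3's own chains, so a
# jump placed in a kernel built-in chain has to be removed with an explicit -D.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

TABLE_RE = re.compile(r"\*(\w+)")               # '*nat' (iptables-restore syntax)
RULE_RE = re.compile(r"-(A|D)\s+(\S+)\s*(.*)")  # '-A PREROUTING -j notrack'


def parse_fw3_debug(text):
    """Return (phase, table, action, chain, match) for each -A/-D line.
    phase is 'clear' after a 'Removing ... rules' banner and 'populate'
    after 'Constructing ... rules'; progress lines (' * ...') are ignored."""
    phase = table = None
    ops = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Removing"):
            phase = "clear"
        elif line.startswith("Constructing"):
            phase = "populate"
        elif TABLE_RE.fullmatch(line):
            table = TABLE_RE.fullmatch(line).group(1)
        else:
            m = RULE_RE.match(line)
            if m:
                ops.append((phase, table, m.group(1), m.group(2), m.group(3)))
    return ops


def leaked_jumps(ops):
    """[(table, chain, match)] appended to a built-in chain in the populate
    phase but never deleted in the clear phase: these grow on every reload."""
    deleted = {(t, c, r) for p, t, a, c, r in ops if p == "clear" and a == "D"}
    return [(t, c, r) for p, t, a, c, r in ops
            if p == "populate" and a == "A"
            and c in BUILTIN_CHAINS and (t, c, r) not in deleted]


def duplicate_rules(save_text):
    """{(table, chain, match): count} for rules seen more than once in the
    same chain of iptables-save output."""
    table = None
    counts = Counter()
    for raw in save_text.splitlines():
        line = raw.strip()
        if TABLE_RE.fullmatch(line):
            table = TABLE_RE.fullmatch(line).group(1)
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) == "A":
            counts[(table, m.group(2), m.group(3))] += 1
    return {k: n for k, n in counts.items() if n > 1}


# Constructed, abbreviated from the 'fw3 -d reload' transcript in comment:7.
SAMPLE_FW3_DEBUG = """\
Removing IPv4 rules ...
 * Clearing filter table
*filter
-D INPUT -j delegate_input
-D OUTPUT -j delegate_output
-D FORWARD -j delegate_forward
-F delegate_input
-X delegate_input
COMMIT
 * Clearing nat table
*nat
COMMIT
 * Clearing mangle table
*mangle
COMMIT
 * Clearing raw table
*raw
COMMIT
Constructing IPv4 rules ...
 * Populating filter table
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j delegate_input
-A OUTPUT -j delegate_output
-A FORWARD -j delegate_forward
-A delegate_input -i lo -j ACCEPT
COMMIT
 * Populating nat table
*nat
:delegate_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A zone_wan_postrouting -j MASQUERADE
COMMIT
 * Populating mangle table
*mangle
-A FORWARD -j mssfix
COMMIT
 * Populating raw table
*raw
-A PREROUTING -j notrack
COMMIT
"""

# Constructed iptables-save output after several reloads (cf. comment:5).
SAMPLE_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
:notrack - [0:0]
-A PREROUTING -j notrack
-A PREROUTING -j notrack
-A PREROUTING -j notrack
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j delegate_prerouting
-A PREROUTING -j delegate_prerouting
-A zone_wan_postrouting -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    # Pass a saved transcript as argv[1]; otherwise the constructed sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FW3_DEBUG
    for table, chain, match in leaked_jumps(parse_fw3_debug(text)):
        print(f"not deleted on reload: -t {table} -A {chain} {match}")
    for (table, chain, match), n in duplicate_rules(SAMPLE_SAVE).items():
        print(f"{n}x in -t {table} {chain}: {match}")
```

On the constructed sample the first check lists exactly the four jumps named in the ticket description (nat PREROUTING/POSTROUTING, mangle FORWARD, raw PREROUTING) and nothing from the filter table, because only the filter clear phase carries '-D' lines. The second check is the cheap way to confirm on a live router whether a reload has already left repeats behind: repeated jumps to the same chain do not change the packet verdict here, but each extra traversal costs a little per packet and, for a chain like notrack, makes it harder to reason about which rule actually matched.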

comment:8 Changed 5 years ago by jow

Please try r35969

comment:9 Changed 5 years ago by anonymous

It seems to be fixed. Thanks.

comment:10 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed
