Opened 5 years ago
Closed 5 years ago
#13130 closed defect (fixed)
Iptable rules get duplicated during hotplug firewall reload
Reported by: | anonymous | Owned by: | developers |
---|---|---|---|
Priority: | response-needed | Milestone: | Chaos Calmer 15.05 |
Component: | packages | Version: | Trunk |
Keywords: | Cc: |
Description
When the wan (pppoe) interface is brought up and the hotplug firewall reload script is executed, iptables rules get duplicated.
Tables affected are:
- NAT table: PREROUTING and POSTROUTING chains
- Mangle table: FORWARD chain
- Raw table: PREROUTING chain
Furthermore, rules entered via the /etc/firewall.user script aren't preserved during reload.
Attachments (0)
Change History (10)
comment:1 Changed 5 years ago by jow
- Priority changed from normal to response-needed
comment:2 Changed 5 years ago by anonymous
Here they are:
Table: NAT
Chain PREROUTING (policy ACCEPT 1189 packets, 183K bytes)
 pkts bytes target prot opt in out source destination
 1207 185K delegate_prerouting all -- any any anywhere anywhere
 1193 184K delegate_prerouting all -- any any anywhere anywhere
 1189 183K delegate_prerouting all -- any any anywhere anywhere

Chain INPUT (policy ACCEPT 79 packets, 7079 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 186 packets, 15267 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 28 packets, 3963 bytes)
 pkts bytes target prot opt in out source destination
 1025 111K delegate_postrouting all -- any any anywhere anywhere
 29 4067 delegate_postrouting all -- any any anywhere anywhere
 28 3963 delegate_postrouting all -- any any anywhere anywhere

Chain delegate_postrouting (3 references)
 pkts bytes target prot opt in out source destination
 1080 119K postrouting_rule all -- any any anywhere anywhere
 996 107K zone_wan_postrouting all -- any pppoe-wan anywhere anywhere

Chain delegate_prerouting (3 references)
 pkts bytes target prot opt in out source destination
 3567 550K prerouting_rule all -- any any anywhere anywhere

Chain postrouting_rule (1 references)
 pkts bytes target prot opt in out source destination

Chain prerouting_rule (1 references)
 pkts bytes target prot opt in out source destination

Chain zone_wan_postrouting (1 references)
 pkts bytes target prot opt in out source destination
 996 107K MASQUERADE all -- any any anywhere anywhere

Table: Mangle
Chain PREROUTING (policy ACCEPT 4934 packets, 1094K bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 1445 packets, 143K bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 3294 packets, 868K bytes)
 pkts bytes target prot opt in out source destination
 3294 868K mssfix all -- any any anywhere anywhere
 3294 868K mssfix all -- any any anywhere anywhere
 3294 868K mssfix all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 1492 packets, 356K bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 4787 packets, 1224K bytes)
 pkts bytes target prot opt in out source destination

Chain mssfix (3 references)
 pkts bytes target prot opt in out source destination
 204 11304 TCPMSS tcp -- any pppoe-wan anywhere anywhere tcp flags:SYN,RST/SYN /* wan (mtu_fix) */ TCPMSS clamp to PMTU

Table: Raw
Chain PREROUTING (policy ACCEPT 4934 packets, 1094K bytes)
 pkts bytes target prot opt in out source destination
 4961 1097K notrack all -- any any anywhere anywhere
 4947 1096K notrack all -- any any anywhere anywhere
 4934 1094K notrack all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 1493 packets, 356K bytes)
 pkts bytes target prot opt in out source destination

Chain notrack (3 references)
 pkts bytes target prot opt in out source destination
and /etc/firewall.user:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -t nat --insert zone_wan_postrouting 1 --jump ACCEPT --match policy --strict --dir out --pol ipsec --proto esp
After '/etc/init.d/firewall reload' everything is as it should be (including the rule from firewall.user). However, after doing 'ifdown wan; ifup wan' the duplicate rules reappear.
The router is a D-Link DIR-825 rev B1, OpenWrt is rev. r35890 (custom compiled to include strongswan).
And here are my network and firewall configs (nothing special):
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option ifname 'eth0.1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.254'

config interface 'wan'
	option ifname 'eth1'
	option proto 'pppoe'
	option username '******'
	option password '******'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

#config interface 'modem'
#	option ifname 'eth1'
#	option proto 'static'
#	option ipaddr '192.168.1.2'
#	option netmask '255.255.255.0'
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Enforce-ULA-Border-Src'
	option src '*'
	option dest 'wan'
	option proto 'all'
	option src_ip 'fc00::/7'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option name 'Enforce-ULA-Border-Dest'
	option src '*'
	option dest 'wan'
	option proto 'all'
	option dest_ip 'fc00::/7'
	option family 'ipv6'
	option target 'REJECT'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Drop-SSH'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'DROP'
	option family 'ipv4'
	option extra '-m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 3 --rsource'

config rule
	option name 'Allow-SSH'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv4'
	option extra '-m state --state NEW -m recent --name SSH --set --rsource'

config rule
	option name 'IKE'
	option src 'wan'
	option dest_ip '***.***.***.***'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'ESP'
	option src 'wan'
	option dest_ip '***.***.***.***'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'NAT-T'
	option src 'wan'
	option dest_ip '***.***.***.***'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'
	option family 'ipv4'
comment:3 Changed 5 years ago by jow
Well the hotplug handler does exactly that, calling fw3 reload - additionally locking is performed to ensure that multiple instances do not race each other. Do you use any nonstandard hotplug scripts?
comment:4 Changed 5 years ago by anonymous
No, the stock hotplug script is used.
At least for the firewall.user file I believe it isn't processed when 'fw3 reload' is used.
The output of 'fw3 reload':
Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Clearing filter table
 * Clearing nat table
 * Clearing mangle table
 * Clearing raw table
Constructing IPv4 rules ...
 * Populating filter table
 * Zone 'lan'
 * Zone 'wan'
 * Rule 'Allow-DHCP-Renew'
 * Rule 'Allow-Ping'
 * Rule 'Drop-SSH'
 * Rule 'Allow-SSH'
 * Rule 'IKE'
 * Rule 'ESP'
 * Rule 'NAT-T'
 * Forward 'lan' -> 'wan'
 * Populating nat table
 * Zone 'wan'
 * Populating mangle table
 * Populating raw table

and the output of 'fw3 restart' as used in '/etc/init.d/firewall reload':

Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Flushing filter table
 * Flushing nat table
 * Flushing mangle table
 * Flushing raw table
Warning: Unable to execute ip6tables-restore
Flushing conntrack table ...
Warning: Unable to locate ipset utility, disabling ipset support
Setting sysctl values
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
Constructing IPv4 rules ...
 * Populating filter table
 * Zone 'lan'
 * Zone 'wan'
 * Rule 'Allow-DHCP-Renew'
 * Rule 'Allow-Ping'
 * Rule 'Drop-SSH'
 * Rule 'Allow-SSH'
 * Rule 'IKE'
 * Rule 'ESP'
 * Rule 'NAT-T'
 * Forward 'lan' -> 'wan'
 * Populating nat table
 * Zone 'wan'
 * Populating mangle table
 * Populating raw table
 * Running script '/etc/firewall.user'
comment:5 Changed 5 years ago by anonymous
It looks like each consecutive 'fw3 reload' simply adds new rules to tables, leaving old ones intact. So after entering 'fw3 reload' 3 times in a row I get (only raw table shown here, but the same applies to above mentioned tables too):
Chain PREROUTING (policy ACCEPT 225 packets, 16312 bytes)
 pkts bytes target prot opt in out source destination
 429 48486 notrack all -- any any anywhere anywhere
 264 18884 notrack all -- any any anywhere anywhere
 241 17192 notrack all -- any any anywhere anywhere
 225 16312 notrack all -- any any anywhere anywhere
comment:6 Changed 5 years ago by jow
Attach the output of "fw3 -d reload"
comment:7 Changed 5 years ago by anonymous
output of 'fw3 -d reload':
Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Clearing filter table
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
-D INPUT -j delegate_input
-D OUTPUT -j delegate_output
-D FORWARD -j delegate_forward
-F delegate_input
-F delegate_output
-F delegate_forward
-F reject
-F syn_flood
-F zone_lan_input
-F zone_lan_output
-F zone_lan_forward
-F zone_lan_src_ACCEPT
-F zone_lan_dest_ACCEPT
-F zone_lan_dest_REJECT
-F zone_wan_input
-F zone_wan_output
-F zone_wan_forward
-F zone_wan_src_REJECT
-F zone_wan_dest_ACCEPT
-F zone_wan_dest_REJECT
-X delegate_input
-X delegate_output
-X delegate_forward
-X reject
-X syn_flood
-X zone_lan_input
-X zone_lan_output
-X zone_lan_forward
-X zone_lan_src_ACCEPT
-X zone_lan_dest_ACCEPT
-X zone_lan_dest_REJECT
-X zone_wan_input
-X zone_wan_output
-X zone_wan_forward
-X zone_wan_src_REJECT
-X zone_wan_dest_ACCEPT
-X zone_wan_dest_REJECT
COMMIT
 * Clearing nat table
*nat
COMMIT
 * Clearing mangle table
*mangle
COMMIT
 * Clearing raw table
*raw
COMMIT
Constructing IPv4 rules ...
 * Populating filter table
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:delegate_forward - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
 * Zone 'lan'
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
 * Zone 'wan'
-A INPUT -j delegate_input
-A OUTPUT -j delegate_output
-A FORWARD -j delegate_forward
-A delegate_input -i lo -j ACCEPT
-A delegate_output -o lo -j ACCEPT
-A delegate_input -j input_rule
-A delegate_output -j output_rule
-A delegate_forward -j forwarding_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A syn_flood -p tcp --syn -m limit --limit 25/second --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A delegate_input -p tcp --syn -j syn_flood
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with port-unreach
 * Rule 'Allow-DHCP-Renew'
-A zone_wan_input -p 17 --dport 68 -m comment --comment "Allow-DHCP-Renew" -j ACCEPT
 * Rule 'Allow-Ping'
-A zone_wan_input -p 1 --icmp-type 8 -m comment --comment "Allow-Ping" -j ACCEPT
 * Rule 'Drop-SSH'
-A zone_wan_input -p 6 --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 3 --rsource -m comment --comment "Drop-SSH" -j DROP
 * Rule 'Allow-SSH'
-A zone_wan_input -p 6 --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -m comment --comment "Allow-SSH" -j ACCEPT
 * Rule 'IKE'
-A zone_wan_input -p 17 -d ***.***.***.***/32 --dport 500 -m comment --comment "IKE" -j ACCEPT
 * Rule 'ESP'
-A zone_wan_input -p 50 -d ***.***.***.***/32 -m comment --comment "ESP" -j ACCEPT
 * Rule 'NAT-T'
-A zone_wan_input -p 17 -d ***.***.***.***/32 --dport 4500 -m comment --comment "NAT-T" -j ACCEPT
 * Forward 'lan' -> 'wan'
-A zone_lan_forward -m comment --comment "forwarding lan->wan" -j zone_wan_dest_ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_REJECT -o br-lan -j reject
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_output -o br-lan -j zone_lan_output
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_src_REJECT -i eth1 -j reject
-A zone_wan_dest_REJECT -o eth1 -j reject
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_output -o eth1 -j zone_wan_output
-A delegate_forward -j reject
COMMIT
 * Populating nat table
*nat
:delegate_prerouting - [0:0]
:delegate_postrouting - [0:0]
:zone_wan_postrouting - [0:0]
 * Zone 'wan'
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_prerouting -j prerouting_rule
-A delegate_postrouting -j postrouting_rule
-A zone_wan_postrouting -j MASQUERADE
-A delegate_postrouting -o eth1 -j zone_wan_postrouting
COMMIT
 * Populating mangle table
*mangle
:mssfix - [0:0]
-A FORWARD -j mssfix
-A mssfix -o eth1 -p tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
 * Populating raw table
*raw
:notrack - [0:0]
-A PREROUTING -j notrack
COMMIT
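The symptom described in comment:5 (each reload appends the nat, mangle and raw jump rules without removing the previous copies) can be checked for mechanically: in the -d output above, the "Clearing" phase for those three tables emits only the table header and COMMIT, with no -D, -F or -X lines, while the filter table is properly torn down. The following POSIX shell script is an added example for auditing a firewall for exactly this kind of drift; it is not part of this ticket, of fw3 or of the OpenWrt firewall scripts. It counts identical -A lines per table in iptables-save format and reports any that appear more than once. The sample input is constructed to resemble the tripled rules shown earlier in the thread; on a live router the output of iptables-save would be piped in instead.

```shell
#!/bin/sh
# Added example (not from the ticket): detect iptables rules that occur more
# than once within a table, the symptom reported in #13130.
# Input: iptables-save format on stdin ("*table" headers, "-A CHAIN ..." rules,
# "COMMIT" terminators). Output: one line per duplicated rule,
# "<count> <table> <rule>", sorted for deterministic output.

find_duplicate_rules() {
    awk '
        # Remember which table the following rules belong to.
        /^\*/  { table = substr($0, 2); next }
        # Count every append rule, keyed by table and the full rule text.
        /^-A / { count[table " " $0]++; next }
        END {
            for (k in count)
                if (count[k] > 1)
                    print count[k], k
        }
    ' | sort
}

# Exit status 0 when every rule in every table is unique, 1 otherwise.
# Suitable for a cron or hotplug check that alerts on duplicate rules.
rules_are_unique() {
    [ -z "$(find_duplicate_rules)" ]
}

# Constructed sample (not captured from a device) resembling the state in the
# ticket after repeated reloads: the nat and raw jump rules are repeated,
# the filter table is clean.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j delegate_prerouting
-A PREROUTING -j delegate_prerouting
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A POSTROUTING -j delegate_postrouting
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j notrack
-A PREROUTING -j notrack
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j delegate_input
COMMIT'

# Number of distinct duplicated rules found in the constructed sample.
count_duplicate_rules() {
    printf '%s\n' "$SAMPLE" | find_duplicate_rules | wc -l | tr -d ' '
}

# Live usage on a router (requires root and iptables-save):
#   iptables-save | find_duplicate_rules
#   iptables-save | rules_are_unique || logger -t fwcheck "duplicate iptables rules"
```

The key is the table name plus the exact rule text, so a legitimately identical rule in two different tables is not reported, while the same jump appearing twice in one chain is. Because iptables-save prints rules exactly as the kernel holds them, this check also catches duplicates that a firewall.user script or a racing hotplug handler appended, not only those from fw3.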
comment:8 Changed 5 years ago by jow
Please try r35969
comment:9 Changed 5 years ago by anonymous
It seems to be fixed. Thanks.
comment:10 Changed 5 years ago by jow
- Resolution set to fixed
- Status changed from new to closed
Please show a listing of the duplicated rules and a copy of your firewall.user. I can reproduce neither.