Opened 5 years ago

Closed 5 years ago

#13133 closed defect (fixed)

firewall3 / differences in the allowed rules compared to firewall2

Reported by: hnyman <hannu.nyman@…> Owned by: developers
Priority: normal Milestone: Chaos Calmer 15.05
Component: base system Version: Trunk
Keywords: firewall Cc: hannu.nyman@…

Description

I noticed that there are subtle changes in firewall3 regarding allowed redirect rules. I lost my port forwardings, as I had the protocol written as "tcpudp". That seems to choke firewall3, although it is acceptable to firewall2.

For example, the following port-forward gets accepted by firewall2+iptables1.4.10, but gets discarded by firewall3+iptables1.4.18:

config 'redirect'
        option 'name' 'Test'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_dport' '16600-16620'
        option 'dest_ip' '192.168.1.188'
        option 'target' 'DNAT'
        option 'dest' 'lan'

Changing 'tcpudp' to 'tcp udp' makes it acceptable to firewall3 as well.

Tested by appending that rule to the default firewall config. No other changes.

Console log:

root@OpenWrt:/etc/config# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Flushing filter table
 * Flushing nat table
 * Flushing mangle table
 * Flushing raw table
Removing IPv6 rules ...
 * Flushing filter table
 * Flushing mangle table
 * Flushing raw table
Flushing conntrack table ...
Warning: Unable to locate ipset utility, disabling ipset support
Setting sysctl values
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
Constructing IPv4 rules ...
 * Populating filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Redirect 'Test'
   * Forward 'lan' -> 'wan'
 * Populating nat table
   * Zone 'lan'
   * Zone 'wan'
   * Redirect 'Test'
 * Populating mangle table
 * Populating raw table
line 43: unknown option "--dport"
line 78: unknown option "--dport"
Constructing IPv6 rules ...
 * Populating filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Enforce-ULA-Border-Src'
   * Rule 'Enforce-ULA-Border-Dest'
   * Forward 'lan' -> 'wan'
line 42: unknown option "--icmpv6-type"
line 43: unknown option "--icmpv6-type"
line 44: unknown option "--icmpv6-type"
line 45: unknown option "--icmpv6-type"
line 46: unknown option "--icmpv6-type"
line 47: unknown option "--icmpv6-type"
line 48: unknown option "--icmpv6-type"
 * Populating mangle table
 * Populating raw table
line 49: unknown option "--icmpv6-type"
line 50: unknown option "--icmpv6-type"
line 51: unknown option "--icmpv6-type"
line 52: unknown option "--icmpv6-type"
line 53: unknown option "--icmpv6-type"
line 54: unknown option "--icmpv6-type"
line 55: unknown option "--icmpv6-type"
line 56: unknown option "--icmpv6-type"
line 57: unknown option "--icmpv6-type"
line 58: unknown option "--icmpv6-type"
line 59: unknown option "--icmpv6-type"
 * Running script '/etc/firewall.user'
root@OpenWrt:/etc/config#

(Additionally, the default firewall config produces lots of icmpv6 errors.)
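As an added illustration (not code from the ticket or from the firewall3 project): a small Python lint that parses UCI 'redirect' and 'rule' sections and flags proto values firewall3 would reject, based on the 'tcpudp' vs 'tcp udp' difference reported above. The set of accepted protocol tokens and the sample config are assumptions constructed for the example.

```python
import re

# Constructed sample: the reporter's redirect as posted, plus a copy using
# the spelling the ticket says firewall3 accepts.
SAMPLE_CONFIG = """config 'redirect'
        option 'name' 'Test'
        option 'proto' 'tcpudp'
        option 'src_dport' '16600-16620'
        option 'dest_ip' '192.168.1.188'

config redirect
        option name 'Test-fixed'
        option proto 'tcp udp'
"""

# Assumption: tokens accepted in a space-separated fw3 proto list (the ticket
# only confirms that 'tcp udp' works and 'tcpudp' does not).
KNOWN_PROTOS = {"tcp", "udp", "icmp", "all"}
# Legacy firewall2 spelling that firewall3 rejects, with its expanded form.
LEGACY_PROTOS = {"tcpudp": "tcp udp"}

# One UCI token: single-quoted, double-quoted, or bare.
TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")

def parse_uci(text):
    """Parse UCI 'config'/'option'/'list' lines into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = [a or b or c for a, b, c in TOKEN.findall(line)]
        if words[0] == "config":
            sections.append({".type": words[1]})
        elif words[0] in ("option", "list") and sections:
            sections[-1].setdefault(words[1], []).append(words[2] if len(words) > 2 else "")
    return sections

def check_protos(text):
    """Return (rule name, proto as written, suggested proto) for rules fw3 would drop."""
    findings = []
    for sec in parse_uci(text):
        if sec[".type"] not in ("redirect", "rule"):
            continue
        name = sec.get("name", ["<unnamed>"])[0]
        for proto in sec.get("proto", []):
            tokens = proto.split()
            if any(t not in KNOWN_PROTOS for t in tokens):
                fix = " ".join(LEGACY_PROTOS.get(t, t) for t in tokens)
                findings.append((name, proto, fix))
    return findings
```

Running check_protos over /etc/config/firewall before switching to firewall3 lists the port forwards that would otherwise vanish silently, as happened in the report above.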

Change History (2)

comment:1 Changed 5 years ago by cyrus

ICMPv6-errors fixed in r35898

comment:2 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed
