#13138 closed defect (too_vague)
[firewall3] some rules from firewall.user are missing
Reported by: | Damian Kaczkowski <damian.kaczkowski+openwrt@…> | Owned by: | developers |
---|---|---|---|
Priority: | normal | Milestone: | Barrier Breaker 14.07 |
Component: | packages | Version: | Trunk |
Keywords: | | Cc: | |
Description
As the topic says, fw3 omits or flushes some 'firewall.user' rules.
Steps to reproduce:
```
root@OpenWrt:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I zone_wan_input 1 -j test_chain
root@OpenWrt:~# fw3 reload
Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Clearing filter table
 * Clearing nat table
 * Clearing mangle table
 * Clearing raw table
Warning: Unable to execute ip6tables-restore
Constructing IPv4 rules ...
 * Populating filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Forward 'lan' -> 'wan'
 * Populating nat table
   * Zone 'wan'
 * Populating mangle table
 * Populating raw table
Warning: Unable to execute ip6tables-restore
root@OpenWrt:~# iptables -S zone_wan_input
-N zone_wan_input
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
```
As you see, the rule from 'firewall.user' is missing.
Now try to execute the 'firewall.user' rule manually.
```
root@OpenWrt:~# iptables -I zone_wan_input 1 -j test_chain
root@OpenWrt:~# iptables -S zone_wan_input
-N zone_wan_input
-A zone_wan_input -j test_chain
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
```
This time the rule is in place.
Not all rules are omitted/flushed, only some. The above behavior is also true for other includes from '/etc/config/firewall', not only for '/etc/firewall.user'. The old firewall2 had no problem with that.
Change History (11)
comment:1 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>
comment:2 Changed 5 years ago by jow
- Resolution set to wontfix
- Status changed from new to closed
You're hooking into an internal chain, don't do that. Either use the *_rule chains, which are guaranteed to be left alone during a reload, or place your custom rules outside of any uci chains (e.g. directly in INPUT / FORWARD etc.).
comment:3 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>
- Resolution wontfix deleted
- Status changed from closed to reopened
- Hmm, but this is exactly where I want to hook. Why would the firewall app not let me do this if I know what I am doing? There is one good reason to hook in there. I am, for example, working with many different routers. Some of them have WAN on eth1, some on eth0.1, some on eth0.2, some on wlan, etc. Hooking into 'zone_wan_input' gives me the advantage that I don't have to worry about and adjust my scripts every time I change the eth device linked to the WAN iface. I can freely change the switch config, link WAN to any eth device, and I am always sure that my rules are in the proper place (first jump in the 'zone_wan_input' chain, where I desired). This was quite flexible, error proof, and secure(?).
- Also, what about the firewall scripts that someone has written for IPSec, available on the openwrt wiki:
http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall
http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall.racoon
They were quite OK. Will they work with fw3?
- To sum up: if for some reason you cannot allow hooking in where the user desires, then is there any chance that you could implement some '_rule' chain as the first jump in the zone_xxx_input chains? e.g.:
```
iptables -I zone_wan_input 1 -j zone_wan_input_user_rules
iptables -I zone_lan_input 1 -j zone_lan_input_user_rules
iptables -I zone_vpn_input 1 -j zone_vpn_input_user_rules
```
etc.
So we can freely hook into there? Or maybe you have some better advice/suggestion?
comment:4 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>
- And maybe some similar solution for the FORWARD chains?
comment:5 Changed 5 years ago by jow
- Resolution set to fixed
- Status changed from reopened to closed
See r35903. Use the input_wan_rule, output_wan_rule, forwarding_wan_rule etc. chains.
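As an added example of the approach jow recommends (constructed here, not code from the ticket or from the fw3 project): a /etc/firewall.user that puts the report's rule into the input_wan_rule hook chain instead of zone_wan_input, refuses internal zone_* chains, and checks with iptables -C before inserting so that running the file again does not stack duplicate rules. The IPTABLES variable, the helper names, and the 192.0.2.0/24 SSH rule are assumptions; test_chain and the chain names come from the ticket.

```shell
#!/bin/sh
# /etc/firewall.user for fw3 (constructed example, not the ticket's or fw3's
# own code). Rules go into the input_wan_rule hook chain jow names above,
# never into the internal zone_wan_input chain that a reload rebuilds.
# Assumptions: fw3 has created input_wan_rule, and the 'test_chain' target
# from the report exists. IPTABLES may be overridden for a dry run.

IPTABLES="${IPTABLES:-iptables}"

# is_user_chain CHAIN: accept only fw3's *_rule hook chains, refusing the
# internal zone_* chains (and anything else) that fw3 flushes on reload.
is_user_chain() {
    case "$1" in
        zone_*) return 1 ;;
        *_rule) return 0 ;;
        *)      return 1 ;;
    esac
}

# ensure_rule CHAIN RULE...: insert RULE at position 1 of CHAIN unless it is
# already there, so re-running this file does not stack duplicate rules.
ensure_rule() {
    chain="$1"; shift
    is_user_chain "$chain" || {
        echo "firewall.user: refusing to hook internal chain '$chain'" >&2
        return 2
    }
    command -v "$IPTABLES" >/dev/null 2>&1 || {
        echo "firewall.user: $IPTABLES not found" >&2
        return 127
    }
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0                       # rule already present
    fi
    "$IPTABLES" -I "$chain" 1 "$@"
}

# apply_user_rules: the rules this file wants at the top of input_wan_rule.
apply_user_rules() {
    # the report's rule, moved from zone_wan_input to input_wan_rule
    ensure_rule input_wan_rule -j test_chain
    # constructed example: management SSH from a documentation prefix
    ensure_rule input_wan_rule -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
}

apply_user_rules || echo "firewall.user: some rules were not applied" >&2
```

Because the rules live in input_wan_rule, `fw3 reload` leaves them in place while zone_wan_input is rebuilt; `iptables -S input_wan_rule` shows whether they survived.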
comment:6 Changed 5 years ago by Andrej Surkov <surae@…>
Damian, have you resolved the issue? If not yet, try to add a newline to the last line of /etc/firewall.user and then restart the firewall ...
comment:7 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>
Hello Andrej. All works fine since jow's commits. I now use the user chains and have no problem at all. Also, as far as I remember correctly, I had that newline char at the end of the file during the tests. So back then it was surely a firewall app problem, not ash. Anyway, thanks for the tip. Greets.
comment:8 Changed 4 years ago by jow
- Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07
- Milestone Attitude Adjustment 12.09 deleted
comment:9 Changed 3 years ago by fred
- Resolution fixed deleted
- Status changed from closed to reopened
Same problem.
I would like to use these:
zone_wan_prerouting
especially:
zone_wan_postrouting
where I am removing "iptables -t nat -A zone_wan_postrouting -j MASQUERADE"
and using more specific SNATing.
I realize it can interfere with other services based on your firewall logic, but even a commented option such as PURE-IPTABLES-POST-EDIT would be nice.
I think there should be a possibility to use iptables only as a complete post-edit, and to give the option not to learn and understand another firewall syntax.
Finally, I will try to bypass the current problem by directly adding my own iptables script to /etc/init.d/firewall (will let you know if I brick my dev :)).
comment:10 Changed 3 years ago by jow
- Resolution set to too_vague
- Status changed from reopened to closed
Use prerouting_wan_rule and postrouting_wan_rule. Or use SNAT rules. The option to use raw iptables is there, just uninstall firewall3.
Tested on ar71xx r35899