[firewall3] some rules from firewall.user are missing

[Damian Kaczkowski <damian.kaczkowski+openwrt@…>]

As topic says, fw3 omit or flush some 'firewall.user' rules.

Steps to reproduce:

root@OpenWrt:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

iptables -I zone_wan_input 1 -j test_chain

root@OpenWrt:~# fw3 reload
Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Clearing filter table
 * Clearing nat table
 * Clearing mangle table
 * Clearing raw table
Warning: Unable to execute ip6tables-restore
Constructing IPv4 rules ...
 * Populating filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Forward 'lan' -> 'wan'
 * Populating nat table
   * Zone 'wan'
 * Populating mangle table
 * Populating raw table
Warning: Unable to execute ip6tables-restore

root@OpenWrt:~# iptables -S zone_wan_input
-N zone_wan_input
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT

As you see, rule from 'firewall.user' is missing.

Now try to manually execute 'firewall.user' rule.

root@OpenWrt:~# iptables -I zone_wan_input 1 -j test_chain

root@OpenWrt:~# iptables -S zone_wan_input
-N zone_wan_input
-A zone_wan_input -j test_chain
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT

This time the rule is in place.

Not all rules are omited/flushed, only some. The above behavior is also true for other includes from '/etc/config/firewall' not only for '/etc/firewall.user' . Old firewall2 got no problem with that.

[Damian Kaczkowski <damian.kaczkowski+openwrt@…>]

Tested on ar71xx r35899

[jow]

You're hooking into an internal chain, don't do that. Either use the *_rule chains which are guaranteed to be left alone during a reload or place your custom rules outside of any uci chains (e.g. directly in INPUT / FORWARD etc.

[Damian Kaczkowski <damian.kaczkowski+openwrt@…>]

1. Hmm, but this is exactly where I want to hook. Why would the firewall app won't let me do this if I know what I am doing? There is one good reason why one to hook into there. I am for example working with many different routers. Some of them got WAN on eth1, some on eth0.1, some on eth0.2, some on wlan, ect. Hooking up in 'zone_wan_input' give me the advantage that I don't have to worry and adjust my scripts every time I change eth device linked to WAN iface. I can freely change switch config, link WAN to any eth device, and I am always sure that my rules are in the proper place (first jump in 'zone_wan_input' chain (where I desired)). This was quite flexible, error proof, and secure(?) .

2. Also what about firewall scripts that someone have written for IPSec, available on openwrt wiki:

​http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall
​http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall.racoon

They were quite ok. Will they work with fw3?

3. To sum up. If for some reasons you could not allow hooking up where user desire, then is there any change that you could implement some '_rule' chain as the first jump in zone_xxx_input chains? eg:

   iptables -I zone_wan_input 1 -j zone_wan_input_user_rules
   iptables -I zone_lan_input 1 -j zone_lan_input_user_rules
   iptables -I zone_vpn_input 1 -j zone_vpn_input_user_rules
   etc.
   

So we can freely hook into there? Or maybe you have some better advice/suggestion?

[Damian Kaczkowski <damian.kaczkowski+openwrt@…>]

3. And maybe some similar solution for FORWARD chains?

[jow]

See r35903. Use the input_wan_rule, output_wan_rule, forwarding_wan_rule etc. chains.

[Andrej Surkov <surae@…>]

Damian, have you resolved an issue? If not yet - try to add newline to /etc/firewall.user last line and then restart the firewall ...

[Damian Kaczkowski <damian.kaczkowski+openwrt@…>]

Hello Andrej. All works fine since jow commits. I now use user chains and got no problem at all. Also, as far as I remember correctly I had those newline char at the end of the file during tests. So back then it was surely a firewall app problem, not ash. Anyway, thanks for tip. Greets.

[jow]

Milestone Attitude Adjustment 12.09 deleted

[fred]

same problem

I would like to use these:
zone_wan_prerouting

especially:
zone_wan_postrouting

where I am removing "iptables -t nat -A zone_wan_postrouting -j MASQUERADE"
and using more specific SNATing

I realize it can interfere with another services based on your firewall logic but even commented option as PURE-IPTABLES-POST-EDIT would be nice

I think there should be a possibility to use iptables-only as complete post-edit and give option to not learn and understand another firewall syntax

finally I will try to bypass current problem by directly adding own iptables script to /etc/init.d/firewall (Will let you know if I brick my dev :))

[jow]

Use prerouting_wan_rule and postrouting_wan_rule. Or use use SNAT rules. The option to use raw iptables is there, just uninstall firewall3.

[anonymous]

FWIW another option is to use:
uci set 'firewall.@include[0].reload=1'
uci commit

@include[0] should be the include where path=/etc/firewall.user

Or you can add another include entry/script.