Opened 5 years ago

Closed 3 years ago

Last modified 3 years ago

#13138 closed defect (too_vague)

[firewall3] some rules from firewall.user are missing

Reported by: Damian Kaczkowski <damian.kaczkowski+openwrt@…> Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

As the topic says, fw3 omits or flushes some 'firewall.user' rules.

Steps to reproduce:

root@OpenWrt:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

iptables -I zone_wan_input 1 -j test_chain
root@OpenWrt:~# fw3 reload
Warning: Unable to locate ipset utility, disabling ipset support
Removing IPv4 rules ...
 * Clearing filter table
 * Clearing nat table
 * Clearing mangle table
 * Clearing raw table
Warning: Unable to execute ip6tables-restore
Constructing IPv4 rules ...
 * Populating filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Forward 'lan' -> 'wan'
 * Populating nat table
   * Zone 'wan'
 * Populating mangle table
 * Populating raw table
Warning: Unable to execute ip6tables-restore
root@OpenWrt:~# iptables -S zone_wan_input
-N zone_wan_input
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT

As you can see, the rule from 'firewall.user' is missing.

Now try to execute the 'firewall.user' rule manually.

root@OpenWrt:~# iptables -I zone_wan_input 1 -j test_chain
root@OpenWrt:~# iptables -S zone_wan_input
-N zone_wan_input
-A zone_wan_input -j test_chain
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT

This time the rule is in place.

Not all rules are omitted/flushed, only some. The above behaviour is also true for other includes from '/etc/config/firewall', not only for '/etc/firewall.user'. The old firewall2 had no problem with that.

Attachments (0)

Change History (11)

comment:1 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>

Tested on ar71xx r35899

comment:2 Changed 5 years ago by jow

  • Resolution set to wontfix
  • Status changed from new to closed

You're hooking into an internal chain, don't do that. Either use the *_rule chains, which are guaranteed to be left alone during a reload, or place your custom rules outside of any uci chains (e.g. directly in INPUT / FORWARD etc.).

comment:3 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>

  • Resolution wontfix deleted
  • Status changed from closed to reopened
  1. Hmm, but this is exactly where I want to hook. Why wouldn't the firewall app let me do this if I know what I am doing? There is one good reason to hook in there. I am, for example, working with many different routers. Some of them have WAN on eth1, some on eth0.1, some on eth0.2, some on wlan, etc. Hooking into 'zone_wan_input' gives me the advantage that I don't have to worry about and adjust my scripts every time I change the eth device linked to the WAN iface. I can freely change the switch config, link WAN to any eth device, and I am always sure that my rules are in the proper place (first jump in the 'zone_wan_input' chain, where I desired). This was quite flexible, error proof, and secure(?).
  2. Also, what about the firewall scripts that someone has written for IPSec, available on the openwrt wiki:

http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall
http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall.racoon

They were quite ok. Will they work with fw3?

  3. To sum up. If for some reason you cannot allow hooking in where the user desires, then is there any chance that you could implement some '_rule' chain as the first jump in the zone_xxx_input chains? eg:
    iptables -I zone_wan_input 1 -j zone_wan_input_user_rules
    iptables -I zone_lan_input 1 -j zone_lan_input_user_rules
    iptables -I zone_vpn_input 1 -j zone_vpn_input_user_rules
    etc.

So we can freely hook in there? Or maybe you have some better advice/suggestion?

comment:4 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>

  1. And maybe some similar solution for FORWARD chains?

comment:5 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from reopened to closed

See r35903. Use the input_wan_rule, output_wan_rule, forwarding_wan_rule etc. chains.

comment:6 Changed 5 years ago by Andrej Surkov <surae@…>

Damian, have you resolved an issue? If not yet - try to add newline to /etc/firewall.user last line and then restart the firewall ...

comment:7 Changed 5 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>

Hello Andrej. All works fine since jow's commits. I now use the user chains and have no problem at all. Also, as far as I can remember, I had that newline char at the end of the file during the tests. So back then it was surely a firewall app problem, not ash. Anyway, thanks for the tip. Greets.

comment:8 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:9 Changed 3 years ago by fred

  • Resolution fixed deleted
  • Status changed from closed to reopened

same problem

I would like to use these:
zone_wan_prerouting

especially:
zone_wan_postrouting

where I am removing "iptables -t nat -A zone_wan_postrouting -j MASQUERADE"
and using more specific SNATing

I realize it can interfere with other services based on your firewall logic, but even a commented option such as PURE-IPTABLES-POST-EDIT would be nice.

I think there should be a possibility to use iptables-only as complete post-edit and give option to not learn and understand another firewall syntax

finally I will try to bypass current problem by directly adding own iptables script to /etc/init.d/firewall (Will let you know if I brick my dev :))

comment:10 Changed 3 years ago by jow

  • Resolution set to too_vague
  • Status changed from reopened to closed

Use prerouting_wan_rule and postrouting_wan_rule. Or use SNAT rules. The option to use raw iptables is there, just uninstall firewall3.

comment:11 Changed 3 years ago by anonymous

FWIW another option is to use:
uci set 'firewall.@include[0].reload=1'
uci commit

@include[0] should be the include where path=/etc/firewall.user

Or you can add another include entry/script.
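The following /etc/firewall.user is an added example, not the reporter's file and not code shipped by OpenWrt or fw3. It puts into practice the advice from comment:5 and comment:10 (hook the input_wan_rule, forwarding_wan_rule and postrouting_wan_rule chains, which fw3 leaves alone during a reload, instead of zone_wan_input, which it flushes) and the reload=1 include option from comment:11 (the script may be executed on every reload, so it must not pile up duplicate rules each time). The chain "test_chain", the LAN range 192.168.1.0/24, the WAN device eth0.2, the SNAT source 203.0.113.10 and the IPTABLES override are assumptions made for the example; it also assumes that postrouting_wan_rule lives in the nat table, as the rule quoted in comment:9 suggests.

```shell
#!/bin/sh
# /etc/firewall.user -- added example, not part of OpenWrt or of this ticket.
# fw3 rebuilds zone_<zone>_input & co. on every reload; custom rules go in
# the input_<zone>_rule / forwarding_<zone>_rule / postrouting_<zone>_rule
# chains, which are the first jump of the corresponding zone chain and are
# preserved across reloads.
#
# IPTABLES can be overridden (e.g. with a stub) to exercise the script
# outside a router; that override is an assumption of this example.
IPTABLES="${IPTABLES:-iptables}"

# add_once TABLE CHAIN RULE...
# Insert RULE at position 1 of CHAIN unless an identical rule is already
# there (iptables -C). This keeps the script idempotent, which matters when
# the include is configured with reload=1 and therefore re-run on each reload.
add_once() {
    table="$1"; chain="$2"; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                       # rule already present, nothing to do
    fi
    "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
}

# The rules themselves. input_wan_rule is entered before anything else in
# zone_wan_input, so inserting at position 1 here is equivalent to the
# "first jump in zone_wan_input" the reporter wanted, without touching an
# internal chain. test_chain is assumed to exist (as in the report).
user_rules() {
    add_once filter input_wan_rule -j test_chain
    # refuse forwarded SSH towards the WAN (assumed policy, illustration only)
    add_once filter forwarding_wan_rule -p tcp --dport 22 -j REJECT
    # specific SNAT instead of blanket MASQUERADE; addresses/device assumed
    add_once nat postrouting_wan_rule -s 192.168.1.0/24 -o eth0.2 \
        -j SNAT --to-source 203.0.113.10
}

# Apply only where it can work: as root with an iptables binary available.
# On the router this is always the case when fw3 runs the include.
if [ "$(id -u)" = 0 ] && command -v "$IPTABLES" >/dev/null 2>&1; then
    user_rules
fi
```

Caveats: `iptables -C` needs a reasonably recent iptables (it was added in 1.4.11, so it is absent on the very old builds this ticket was filed against; there `-S CHAIN | grep -F` is the usual substitute), and whether the include is run on every reload or only at start is governed by the include's reload option mentioned in comment:11, so the idempotence check is what makes the script safe under either setting.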
