Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#13633 closed defect (fixed)

firewall3 redirect rules with ipset will be missing in NAT table

Reported by: anonymous Owned by: jow
Priority: response-needed Milestone: Attitude Adjustment 12.09.1
Component: packages Version: Attitude Adjustment 12.09
Keywords: Cc:

Description

Using ipset in a firewall3 redirect (port forwarding) rule causes the rule not to appear in the zone_wan_prerouting chain of the NAT table, so that port forwarding fails.

Example:

config redirect
        option name 'ftp'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '21'
        option dest_ip '192.168.1.14'
        option dest_port '21'
        option ipset ftpacl
        option reflection '0'

config ipset
        option external 'ftpacl'
        option storage 'hash'
        option match 'net'

If "option ipset ftpacl" is removed, that port 21 forwarding will appear correctly in the NAT table. Running "/etc/init.d/firewall restart" with "option ipset" will yield the following error:

   * Redirect 'ftp'
fw3_ipt_rule_append(): Can't find match 'set'

Attachments (0)

Change History (4)

comment:1 Changed 5 years ago by jow

  • Owner changed from developers to jow
  • Priority changed from normal to response-needed
  • Status changed from new to accepted

Is iptables-mod-ipset installed?

comment:2 Changed 5 years ago by anonymous

Yes, I've been using ipset manually via firewall.user before trying out firewall3. In fact, the rules are added to the filter table, just not to nat. Here's a comparison output:

Without "option ipset ftpacl" (irrelevant chains filtered):

iptables -t filter -vnL
Chain zone_wan_forward (3 references)
 pkts bytes target     prot opt in     out     source               destination
92301 8360K forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for forwarding */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.14        tcp dpt:21 /* ftp */

iptables -t nat -vnL
Chain zone_wan_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
72113 7191K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 /* ftp */ to:192.168.1.14:21

With "option ipset ftpacl" (irrelevant chains filtered):

iptables -t filter -vnL
Chain zone_wan_forward (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for forwarding */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.14        tcp dpt:21 match-set ftpacl src /* ftp */

iptables -t nat -vnL
Chain zone_wan_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for prerouting */
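
Added example (not from the ticket or the firewall3 project): a small shell check that reads `iptables -t nat -vnL` output and reports whether the DNAT rule for the redirect is present together with its match-set, which is exactly what comment 2 shows missing. The two embedded chain dumps are constructed: the first copies the broken output above, the second is what the chain is assumed to contain once the 'set' match loads.

```shell
#!/bin/sh
# redirect_in_nat SET PORT  (reads `iptables -t nat -vnL` output on stdin)
# Exit 0 if zone_wan_prerouting holds a DNAT rule for "tcp dpt:PORT" that
# also carries "match-set SET src"; exit 1 otherwise.
redirect_in_nat() {
    set_name=$1
    port=$2
    awk -v chain="zone_wan_prerouting" -v setname="$set_name" -v port="$port" '
        # "Chain <name> (...)" starts a chain; a blank line ends it.
        /^Chain / { inchain = ($2 == chain); next }
        /^$/      { inchain = 0; next }
        # In -vnL output $1=pkts, $2=bytes, $3=target.
        inchain && $3 == "DNAT" &&
            $0 ~ ("tcp dpt:" port "( |$)") &&
            $0 ~ ("match-set " setname " src") { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the nat chain as reported in comment 2 with
# "option ipset ftpacl" set (the DNAT rule is missing).
BROKEN_NAT='Chain zone_wan_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for prerouting */
'

# Constructed sample: what the chain is assumed to look like once the
# iptables "set" match is usable and fw3 appends the redirect (hypothetical).
FIXED_NAT='Chain zone_wan_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 match-set ftpacl src /* ftp */ to:192.168.1.14:21
'

# check_sample DUMP SET PORT: run the check against an embedded dump.
check_sample() {
    printf '%s\n' "$1" | redirect_in_nat "$2" "$3"
}

# Live use on a router: `iptables -t nat -vnL | sh this.sh ftpacl 21`
if [ "$#" -eq 2 ]; then
    redirect_in_nat "$1" "$2" && echo "redirect present in nat" || echo "redirect MISSING in nat"
fi
```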

comment:3 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed

Fixed with r36827

comment:4 Changed 5 years ago by anonymous

Thank you, fix is confirmed.
