
Opened 5 years ago

Last modified 4 years ago

#13635 accepted defect

AA: firewall3 creates duplicate "eth1" with odhcp6c WAN6 interface

Reported by: anonymous
Owned by: jow
Priority: high
Milestone: Attitude Adjustment 12.09.1
Component: packages
Version: Attitude Adjustment 12.09
Keywords: firewall3 odhcp6c wan6 ipv6
Cc:

Description

When the firewall3 package is used in AA together with the odhcp6c package to get native IPv6, the iptables rules containing the WAN interface "eth1" are repeated on every chain.

When this is included in /etc/config/network:

config interface wan6
       option ifname '@wan'
       option proto 'dhcpv6'

You'll see these on every chain in the v4 and v6 iptables when the explicit eth1 (WAN) interface is used in the rules. Examples:

# iptables-save | grep eth1
-A delegate_postrouting -o eth1 -j zone_wan_postrouting
-A delegate_postrouting -o eth1 -j zone_wan_postrouting
-A delegate_prerouting -i eth1 -j zone_wan_prerouting
-A delegate_prerouting -i eth1 -j zone_wan_prerouting
-A FORWARD -o eth1 -j qos_Default
-A OUTPUT -o eth1 -j qos_Default
-A mssfix -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A mssfix -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_output -o eth1 -j zone_wan_output
-A delegate_output -o eth1 -j zone_wan_output
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_dest_DROP -o eth1 -j DROP
-A zone_wan_dest_DROP -o eth1 -j DROP
-A zone_wan_src_DROP -i eth1 -j DROP
-A zone_wan_src_DROP -i eth1 -j DROP

This doesn't break traffic, but packets are probably getting processed twice on some chains.
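
A quick way to check a router for the symptom described above, as an added example that is not part of the ticket or of firewall3: the script below reads an iptables-save or ip6tables-save dump and reports every rule that occurs more than once within the same table. Keying on the table as well as the rule text matters, because the same "-A delegate_input -i eth1 ..." line legitimately appears once in filter and once in nat. The sample dump embedded in the script is constructed for the demo, modelled on the reporter's output.

```shell
#!/bin/sh
# Added example (not part of the ticket or of firewall3): find rules that occur
# more than once within the same table of iptables-save / ip6tables-save output.
#
# Usage:  iptables-save  | sh dup_rules.sh -      (read a save dump from stdin)
#         ip6tables-save | sh dup_rules.sh -
#         sh dup_rules.sh --demo                   (run on the constructed sample)

# Print each duplicated rule as "<count> x [<table>] <rule>", one per line.
find_dup_rules() {
    awk '
        /^\*/  { table = substr($0, 2); next }     # "*nat" header -> "nat"
        /^-A / { count[table "\t" $0]++ }           # key on (table, rule)
        END {
            for (k in count)
                if (count[k] > 1) {
                    split(k, parts, "\t")
                    printf "%d x [%s] %s\n", count[k], parts[1], parts[2]
                }
        }
    ' | sort
}

# Number of distinct duplicated rules (0 means the dump is clean).
count_dup_rules() {
    find_dup_rules | wc -l | tr -d ' '
}

# Constructed sample in iptables-save format, modelled on the ticket's output:
# one duplicate in nat, one triplicate in filter, and the same filter rule
# appearing once in nat, which must NOT be counted as a duplicate.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A delegate_postrouting -o eth1 -j zone_wan_postrouting
-A delegate_postrouting -o eth1 -j zone_wan_postrouting
-A delegate_prerouting -i eth1 -j zone_wan_prerouting
-A delegate_input -i eth1 -j zone_wan_input
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_forward -i br-lan -j zone_lan_forward
COMMIT'

demo() {
    printf '%s\n' "$SAMPLE_DUMP" | find_dup_rules
    printf 'duplicated rules: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | count_dup_rules)"
}

case "${1:-}" in
    --demo) demo ;;
    -)      find_dup_rules ;;           # read an iptables-save dump from stdin
    "")     ;;                          # no argument: define functions only (for sourcing)
    *)      echo "usage: $0 --demo | -" >&2; exit 1 ;;
esac
```

Run it on both the v4 and the v6 dump; after the firewall3 fix referenced later in this ticket, or with zones split by family, the count should be 0 for both. Only exact textual duplicates are reported, so two rules that differ only in a comment are still counted as distinct.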

Attachments (0)

Change History (6)

comment:1 Changed 5 years ago by anonymous

Looks like firewall3 considers WAN6 as a separate eth1 connection. This is from system log:

Jun  3 09:50:23 nrouter kern.notice firewall: Reloading firewall due to ifup of wan (eth1)
Jun  3 09:50:23 nrouter daemon.notice odhcp6c[1617]: Sending REQUEST (timeout 4294967295s)
Jun  3 09:50:33 nrouter daemon.notice odhcp6c[1617]: Got a valid reply after 10065ms
Jun  3 09:50:33 nrouter daemon.notice odhcp6c[1617]: entering stateful-mode on eth1
Jun  3 09:50:33 nrouter daemon.notice odhcp6c[1617]: Sending <POLL> (timeout 86400s)
Jun  3 09:50:33 nrouter daemon.notice netifd: Interface 'wan6' is now up
Jun  3 09:50:35 nrouter kern.notice firewall: Reloading firewall due to ifup of wan6 (eth1)

comment:2 Changed 5 years ago by anonymous

The 6in4 interface is also replicated in the v4 iptables. Can firewall3 be coded to add v6 interfaces (6in4, native v6) only in ip6tables to avoid extra unused rules on both sides?

# iptables-save | grep henet
-A delegate_postrouting -o 6in4-henet -j zone_wan_postrouting
-A delegate_prerouting -i 6in4-henet -j zone_wan_prerouting
-A mssfix -o 6in4-henet -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A delegate_forward -i 6in4-henet -j zone_wan_forward
-A delegate_input -i 6in4-henet -j zone_wan_input
-A delegate_output -o 6in4-henet -j zone_wan_output
-A zone_wan_dest_ACCEPT -o 6in4-henet -j ACCEPT
-A zone_wan_dest_DROP -o 6in4-henet -j DROP
-A zone_wan_src_DROP -i 6in4-henet -j DROP

comment:3 Changed 5 years ago by anonymous

Please close this ticket. I realized that the firewall can be configured with explicit v4 and v6 zones. By creating a new IPv6 zone and explicitly marking it with "option family ipv6", it will produce the right iptables.

config zone
        option name 'wan6'
        option network 'wan6 henet'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option family 'ipv6'
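
The complete split of the two families, as an added example and not configuration taken from the ticket: the existing wan zone is pinned to IPv4 so that eth1 appears only in iptables for it, and the wan6 zone from the comment above is pinned to IPv6 so that eth1 and 6in4-henet appear only in ip6tables. The interface and network names are the reporter's; the wan zone's input/forward policies, masquerading and mtu_fix settings are assumed here (they are the usual OpenWrt defaults), and the forwarding from lan to wan6 is added on the assumption that lan needs IPv6 egress, because a forwarding section applies to one destination zone and a lan to wan forwarding does not cover a separate wan6 zone.

```uci
# /etc/config/firewall (excerpt): one zone per address family
# Added example; not the ticket's or firewall3's own configuration.

config zone
        option name 'wan'
        option network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'        # eth1 rules only in iptables

config zone
        option name 'wan6'
        option network 'wan6 henet'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option family 'ipv6'        # eth1 and 6in4-henet rules only in ip6tables

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'            # assumed: lan clients need IPv6 egress too
        option dest 'wan6'
```

After `/etc/init.d/firewall restart`, `iptables-save | grep eth1` should show each eth1 rule once and no 6in4-henet rules at all, while `ip6tables-save | grep -e eth1 -e henet` should show the wan6 zone rules once per interface. Note that the wan6 zone above has no masq or mtu_fix, which is the intended difference from the IPv4 zone: the native prefix is routed, not translated.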

comment:4 Changed 5 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

I could change the firewall logic to skip interfaces in ip(4)tables which have no IPv4 address assigned, that would probably help to avoid unnecessary rules in iptables. Not sure about aliases being treated as separate connections, that is harder to fix and not as severe since the extra rules are never reached, so it does not result in more overhead.

comment:5 Changed 5 years ago by anonymous

I think the current logic is really fine. If the family class is not defined in a zone, it is a correct assumption that the zone contains both v4 and v6 traffic and iptables are created for both families on each interface.

Perhaps the firewall wiki page should indicate that if family is not defined for each zone, there will be duplicate rules. And recommend examples how an additional zone can be created to separate v6 rules and traffic from v4.

comment:6 Changed 4 years ago by jow

The issue is fixed in git now, see:
http://nbd.name/gitweb.cgi?p=firewall3.git;a=commitdiff;h=76976c044de639bb4bf170aa1c7a33fbeca1f1a5

That will ensure that at most one rule of a given kind will exist within the chain.
