Opened 4 years ago

Closed 4 years ago

#14014 closed defect (fixed)

Firewall3 can't find 'NOTRACK' target

Reported by: alphasparc@… Owned by: developers
Priority: normal Milestone: Attitude Adjustment 12.09.1
Component: base system Version: Attitude Adjustment 12.09
Keywords: Cc:

Description

Using LuCI-generated firewall rules I get
Warning: fw3_ipt_rule_append(): Can't find target 'NOTRACK'
when running /etc/init.d/firewall restart.

The ruleset is as shown below:

config rule
	option dest_port '445'
	option name 'SAMBA'
	option src 'lan'
	option proto 'tcp'
	option dest_ip '192.168.1.1'
	option target 'NOTRACK'

Change History (10)

comment:1 Changed 4 years ago by anonymous

Invalid bug report. The UCI firewall config file will add rules only to the filter table, and the notrack target exists only in the raw table. You can only add that custom rule in the firewall.user file.

comment:2 Changed 4 years ago by jow

Nope, not invalid. The uci firewall will use the raw table if the rule target is "NOTRACK".
The underlying problem seems to be that iptables was built without support for the notrack match.

@alphasparc: please attach the output of ./scripts/diffconfig.sh here, for me the rule above works just fine.

Also, is this trunk or the AA branch, and did you modify anything in the kernel config?
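
Because the failure in this ticket is reported only as a warning, a restart can finish while the NOTRACK rule is absent from the raw table. The following check is an added example, not part of the ticket or of the firewall3 code: it lists the NOTRACK rules in a UCI firewall config and reports any whose destination port has no `-j NOTRACK` entry in a saved `iptables -t raw -S` listing. The file names, the second rule and the chain name `zone_lan_notrack` are constructed assumptions, and only single-port rules are handled.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from a real device.
# Print the dest_port of every "config rule" section whose target is NOTRACK
# ("any" when the section sets no dest_port).
uci_notrack_ports() {
    awk -v q="'" '
        function emit() { if (rule && nt) print (port == "" ? "any" : port) }
        { gsub("[" q "\"]", "") }            # strip UCI quoting
        $1 == "config" { emit(); rule = ($2 == "rule"); nt = 0; port = "" }
        $1 == "option" && $2 == "target"    { nt = ($3 == "NOTRACK") }
        $1 == "option" && $2 == "dest_port" { port = $3 }
        END { emit() }
    ' "$1"
}

# $1 = UCI firewall config, $2 = saved output of `iptables -t raw -S`.
# Print each configured port that has no -j NOTRACK rule in the listing.
missing_notrack() {
    uci_notrack_ports "$1" | while read -r port; do
        pat="--dport $port( .*)? -j NOTRACK( |\$)"
        [ "$port" = any ] && pat='-j NOTRACK( |$)'
        grep -Eq -- "$pat" "$2" || echo "$port"
    done
}

tmp=$(mktemp -d)
# Constructed config: the rule from the ticket plus a second NOTRACK rule.
cat > "$tmp/firewall" <<'EOF'
config rule
    option dest_port '445'
    option name 'SAMBA'
    option src 'lan'
    option proto 'tcp'
    option dest_ip '192.168.1.1'
    option target 'NOTRACK'

config rule
    option name 'DNS'
    option proto 'udp'
    option dest_port '53'
    option target 'NOTRACK'
EOF
# Constructed raw-table listing; the chain name is an assumption.
cat > "$tmp/raw.rules" <<'EOF'
-P PREROUTING ACCEPT
-A zone_lan_notrack -d 192.168.1.1/32 -p tcp -m tcp --dport 445 -j NOTRACK
EOF
missing_notrack "$tmp/firewall" "$tmp/raw.rules"   # lists ports with no raw rule
```

On a device, the second argument would be a file produced by `iptables -t raw -S > raw.rules` after the firewall restart.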

comment:3 Changed 4 years ago by alphasparc@…

Nope, no changes; this is the AA branch.
Do you actually need to select any extra-kmods to do notrack?

CONFIG_TARGET_ar71xx=y
CONFIG_TARGET_ar71xx_generic=y
CONFIG_TARGET_ar71xx_generic_TLWR1043=y
CONFIG_ATH_USER_REGD=y
CONFIG_BUSYBOX_CONFIG_ADDGROUP=y
CONFIG_BUSYBOX_CONFIG_ADDUSER=y
CONFIG_BUSYBOX_CONFIG_EXTRA_CFLAGS="-Os -pipe -mips32r2 -mtune=24kc -mgp32 -mno-mips16 -mno-branch-likely -mplt"
CONFIG_BUSYBOX_CONFIG_FDISK=y
CONFIG_BUSYBOX_CONFIG_FEATURE_ADDUSER_TO_GROUP=y
CONFIG_BUSYBOX_CONFIG_FEATURE_CHECK_NAMES=y
CONFIG_BUSYBOX_CONFIG_FEATURE_EDITING_HISTORY=8
CONFIG_BUSYBOX_CONFIG_FEATURE_FDISK_WRITABLE=y
CONFIG_BUSYBOX_CONFIG_FEATURE_GPT_LABEL=y
CONFIG_BUSYBOX_CONFIG_FEATURE_HAVE_RPC=y
CONFIG_BUSYBOX_CONFIG_FEATURE_MIME_CHARSET="n"
CONFIG_BUSYBOX_CONFIG_FEATURE_MOUNT_LABEL=y
CONFIG_BUSYBOX_CONFIG_FEATURE_MOUNT_NFS=y
CONFIG_BUSYBOX_CONFIG_FEATURE_TRACEROUTE_USE_ICMP=y
CONFIG_BUSYBOX_CONFIG_FIRST_SYSTEM_ID=100
CONFIG_BUSYBOX_CONFIG_LAST_SYSTEM_ID=999
CONFIG_BUSYBOX_CONFIG_SENDMAIL=y
CONFIG_BUSYBOX_CONFIG_TRACEROUTE6=y
CONFIG_BUSYBOX_CONFIG_VOLUMEID=y
# CONFIG_BUSYBOX_CONFIG_WGET is not set
CONFIG_EXTROOT_SETTLETIME=10
# CONFIG_KERNEL_DEBUG_FS is not set
# CONFIG_KERNEL_ELF_CORE is not set
# CONFIG_KERNEL_MAGIC_SYSRQ is not set
CONFIG_LIGHTTPD_SSL=y
CONFIG_OPENSSL_THREADS=y
CONFIG_OPENSSL_WITH_EC=y
CONFIG_OPENSSL_WITH_EC2M=y
CONFIG_PACKAGE_6in4=y
CONFIG_PACKAGE_6rd=y
CONFIG_PACKAGE_6relayd=y
CONFIG_PACKAGE_6to4=y
# CONFIG_PACKAGE_MAC80211_DEBUGFS is not set
CONFIG_PACKAGE_SAMBA_MAX_DEBUG_LEVEL=-1
CONFIG_PACKAGE_blkid=y
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_chat=y
CONFIG_PACKAGE_comgt=y
CONFIG_PACKAGE_ddns-scripts=y
CONFIG_PACKAGE_ds-lite=y
CONFIG_PACKAGE_e2fsprogs=y
CONFIG_PACKAGE_etherwake=y
CONFIG_PACKAGE_freifunk-p2pblock=y
CONFIG_PACKAGE_hd-idle=y
CONFIG_PACKAGE_ip=y
CONFIG_PACKAGE_ip6tables=y
CONFIG_PACKAGE_ipset=y
CONFIG_PACKAGE_iptables-mod-conntrack-extra=y
CONFIG_PACKAGE_iptables-mod-filter=y
CONFIG_PACKAGE_iptables-mod-ipopt=y
CONFIG_PACKAGE_iptables-mod-ipp2p=y
CONFIG_PACKAGE_iptables-mod-ipset=y
CONFIG_PACKAGE_iptables-mod-nat-extra=y
CONFIG_PACKAGE_ipv6-support=y
CONFIG_PACKAGE_kmod-8021q=y
CONFIG_PACKAGE_kmod-fs-ext4=y
CONFIG_PACKAGE_kmod-ifb=y
CONFIG_PACKAGE_kmod-ip6-tunnel=y
CONFIG_PACKAGE_kmod-ip6tables=y
CONFIG_PACKAGE_kmod-ipt-compat-xtables=y
CONFIG_PACKAGE_kmod-ipt-conntrack-extra=y
CONFIG_PACKAGE_kmod-ipt-filter=y
CONFIG_PACKAGE_kmod-ipt-ipopt=y
CONFIG_PACKAGE_kmod-ipt-ipp2p=y
CONFIG_PACKAGE_kmod-ipt-ipset=y
CONFIG_PACKAGE_kmod-ipt-nat-extra=y
CONFIG_PACKAGE_kmod-iptunnel4=y
CONFIG_PACKAGE_kmod-iptunnel6=y
CONFIG_PACKAGE_kmod-ipv6=y
CONFIG_PACKAGE_kmod-lib-crc16=y
CONFIG_PACKAGE_kmod-lib-textsearch=y
CONFIG_PACKAGE_kmod-libphy=y
CONFIG_PACKAGE_kmod-llc=y
CONFIG_PACKAGE_kmod-nfnetlink=y
CONFIG_PACKAGE_kmod-nls-utf8=y
CONFIG_PACKAGE_kmod-sched-connmark=y
CONFIG_PACKAGE_kmod-sched-core=y
CONFIG_PACKAGE_kmod-scsi-core=y
CONFIG_PACKAGE_kmod-sit=y
CONFIG_PACKAGE_kmod-stp=y
CONFIG_PACKAGE_kmod-swconfig=y
CONFIG_PACKAGE_kmod-switch-rtl8366-smi=y
CONFIG_PACKAGE_kmod-switch-rtl8366rb=y
CONFIG_PACKAGE_kmod-usb-ohci=y
CONFIG_PACKAGE_kmod-usb-printer=y
CONFIG_PACKAGE_kmod-usb-serial=y
CONFIG_PACKAGE_kmod-usb-serial-option=y
CONFIG_PACKAGE_kmod-usb-serial-wwan=y
CONFIG_PACKAGE_kmod-usb-storage=y
CONFIG_PACKAGE_kmod-usb-storage-extras=y
CONFIG_PACKAGE_l7-protocols=y
CONFIG_PACKAGE_libblkid=y
CONFIG_PACKAGE_libbz2=y
CONFIG_PACKAGE_libcom_err=y
CONFIG_PACKAGE_libexif=y
CONFIG_PACKAGE_libext2fs=y
CONFIG_PACKAGE_libffmpeg-mini=y
CONFIG_PACKAGE_libflac=y
CONFIG_PACKAGE_libid3tag=y
CONFIG_PACKAGE_libiwinfo=y
CONFIG_PACKAGE_libiwinfo-lua=y
CONFIG_PACKAGE_libjpeg=y
CONFIG_PACKAGE_liblua=y
CONFIG_PACKAGE_libmnl=y
CONFIG_PACKAGE_libnfnetlink=y
CONFIG_PACKAGE_libogg=y
CONFIG_PACKAGE_libopenssl=y
CONFIG_PACKAGE_libpcre=y
CONFIG_PACKAGE_libpthread=y
CONFIG_PACKAGE_librpc=y
CONFIG_PACKAGE_librt=y
CONFIG_PACKAGE_libsqlite3=y
CONFIG_PACKAGE_libubus-lua=y
CONFIG_PACKAGE_libuci-lua=y
CONFIG_PACKAGE_libusb=y
CONFIG_PACKAGE_libuuid=y
CONFIG_PACKAGE_libvorbis=y
CONFIG_PACKAGE_lighttpd=y
CONFIG_PACKAGE_lighttpd-mod-cgi=y
CONFIG_PACKAGE_lua=y
CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-firewall=y
CONFIG_PACKAGE_luci-app-hd-idle=y
CONFIG_PACKAGE_luci-app-minidlna=y
CONFIG_PACKAGE_luci-app-multiwan=y
CONFIG_PACKAGE_luci-app-p2pblock=y
CONFIG_PACKAGE_luci-app-p910nd=y
CONFIG_PACKAGE_luci-app-qos=y
CONFIG_PACKAGE_luci-app-samba=y
CONFIG_PACKAGE_luci-app-tinyproxy=y
CONFIG_PACKAGE_luci-app-upnp=y
CONFIG_PACKAGE_luci-app-wol=y
CONFIG_PACKAGE_luci-i18n-english=y
CONFIG_PACKAGE_luci-lib-core=y
CONFIG_PACKAGE_luci-lib-core_compile=y
# CONFIG_PACKAGE_luci-lib-core_source is not set
CONFIG_PACKAGE_luci-lib-ipkg=y
CONFIG_PACKAGE_luci-lib-nixio=y
CONFIG_PACKAGE_luci-lib-sys=y
CONFIG_PACKAGE_luci-lib-web=y
CONFIG_PACKAGE_luci-mod-admin-core=y
CONFIG_PACKAGE_luci-mod-admin-full=y
CONFIG_PACKAGE_luci-proto-3g=y
CONFIG_PACKAGE_luci-proto-core=y
CONFIG_PACKAGE_luci-proto-ipv6=y
CONFIG_PACKAGE_luci-proto-ppp=y
CONFIG_PACKAGE_luci-proto-relay=y
CONFIG_PACKAGE_luci-sgi-cgi=y
CONFIG_PACKAGE_luci-theme-base=y
CONFIG_PACKAGE_luci-theme-bootstrap=y
CONFIG_PACKAGE_minidlna=y
CONFIG_PACKAGE_miniupnpd=y
CONFIG_PACKAGE_multiwan=y
CONFIG_PACKAGE_odhcp6c=y
CONFIG_PACKAGE_p910nd=y
CONFIG_PACKAGE_qos-scripts=y
CONFIG_PACKAGE_relayd=y
CONFIG_PACKAGE_restorefactory=y
CONFIG_PACKAGE_samba36-server=y
CONFIG_PACKAGE_swap-utils=y
CONFIG_PACKAGE_tc=y
CONFIG_PACKAGE_tinyproxy=y
CONFIG_PACKAGE_usb-modeswitch=y
CONFIG_PACKAGE_usb-modeswitch-data=y
CONFIG_PACKAGE_vsftpd-tls=y
CONFIG_PACKAGE_wget=y
CONFIG_PACKAGE_zlib=y
# CONFIG_PACKAGE_luci-theme-openwrt is not set

comment:4 Changed 4 years ago by alphasparc@…

OK, I did a Google search; apparently you need iptables-mod-extra, which I did not select, well, because it was not stated in the help options.
Let me try adding it.

comment:5 Changed 4 years ago by alphasparc@…

After selecting the module, the warning message still exists.

comment:6 Changed 4 years ago by jow

Did you rebuild firewall after selecting iptables-mod-extra?

comment:7 Changed 4 years ago by alphasparc@…

I did make clean; the problem still exists.

comment:8 Changed 4 years ago by alphasparc@…

OK, I tested exactly the same configuration on Barrier Breaker: no warning message, so it should be an Attitude Adjustment problem.

comment:9 Changed 4 years ago by alphasparc@…

After changeset [37777]
Tested on Trunk: Ok
Tested on Attitude Adjustment (manual update package): Ok

comment:10 Changed 4 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed
