Opened 3 years ago

Last modified 3 years ago

#17466 new defect

About firewall custom rules of doubt (/etc/firewall.user)

Reported by: ctusky
Owned by: developers
Priority: high
Milestone: Chaos Calmer 15.05
Component: base system
Version: Trunk
Keywords: iptables, firewall
Cc:


OpenWrt Chaos Calmer r41945
When I use the firewall custom rules file /etc/firewall.user, the following happens:
1. When the system starts, /etc/firewall.user is called; a command such as echo "111" >> /tmp/fw.test does generate the file, but when using
iptables -t nat -N test_pre
iptables -t nat -A zone_wan_prerouting -j test_pre
iptables -t nat -N test_pre will take effect, while iptables -t nat -A zone_wan_prerouting -j test_pre does not.
2.1. When I use the LuCI URL ...../admin/status/iptables?restart=1 to restart the firewall, the echo "111" >> /tmp/fw.test in /etc/firewall.user will not run again, unlike what is said, that every time the firewall is restarted, firewall.user will be loaded.
2.2. When using /etc/init.d/firewall restart, the abnormal situation does not exist, and firewall.user is loaded once again.
Why does firewall.user load when the system starts, yet script lines like "iptables -t nat -A zone_wan_prerouting....." do not take effect, while /etc/init.d/firewall restart works perfectly?

Attachments (0)

Change History (3)

comment:1 Changed 3 years ago by ctusky

Sorry, that is to use "*_wan_rule"; sorry for the trouble, thank you.

comment:2 Changed 3 years ago by anonymous

I can confirm that there is something strange with scripts regarding the firewall. The user part is only applied as a rule if the firewall is restarted by the init script, e.g. OpenWrt - System - Startup - Firewall restart. Restart by OpenWrt - Status - Firewall - Restart Firewall does not apply the user rule.

Recognized this behavior with a simple rule to log dropped/rejected packets: iptables --insert zone_wan_src_REJECT --jump LOG --log-prefix "--REJECT-- " --log-level 4

HW: D-Link DIR600 Rev. B2
SW: Prebuilt Barrier Breaker 14.07 RC3

comment:3 Changed 3 years ago by anonymous

Can confirm that behaviour in Barrier Breaker 14.07. Restarting the firewall from LuCI will NOT call /etc/firewall.user.
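A version of /etc/firewall.user that is safe to run on every firewall restart, covering both the reporter's custom chain hook and the logging rule from comment 2. This is an added example, not the reporter's script or OpenWrt's own code; it assumes the fw3 chain names from the ticket (zone_wan_prerouting, zone_wan_src_REJECT) and the reporter's test_pre chain, and the IPT variable is a hypothetical override that lets a stub iptables be substituted for testing.

```shell
#!/bin/sh
# /etc/firewall.user written so that repeated runs (init script restarts)
# never duplicate rules, and so that a missing zone chain is reported
# instead of silently producing a hook that never takes effect.
# Added example; chain names are the ticket's, IPT is a test override.
IPT="${IPT:-iptables}"

# Return 0 if CHAIN exists in TABLE.
chain_exists() {
    "$IPT" -t "$1" -n -L "$2" >/dev/null 2>&1
}

# Create CHAIN in TABLE unless it already exists (-N fails on a duplicate).
ensure_chain() {
    chain_exists "$1" "$2" || "$IPT" -t "$1" -N "$2"
}

# Append RULE to CHAIN in TABLE unless an identical rule is already there.
# "-C" checks for an existing rule, so a second run changes nothing.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    "$IPT" -t "$table" -A "$chain" "$@"
}

apply_user_rules() {
    # 1. Reporter's custom chain, hooked from the wan zone's PREROUTING chain.
    #    Only hook it once fw3 has built the zone chain; if the zone chain is
    #    missing the jump cannot be added, so say so and fail visibly.
    ensure_chain nat test_pre
    if chain_exists nat zone_wan_prerouting; then
        ensure_rule nat zone_wan_prerouting -j test_pre
    else
        echo "firewall.user: zone_wan_prerouting missing, not hooking test_pre" >&2
        return 1
    fi
    # 2. Comment 2's logging rule for packets rejected from wan.
    ensure_rule filter zone_wan_src_REJECT -j LOG \
        --log-prefix "--REJECT-- " --log-level 4
}

# Apply the rules where iptables is installed (fw3 runs this file with sh).
command -v "$IPT" >/dev/null 2>&1 && apply_user_rules
```

After /etc/init.d/firewall restart, iptables -t nat -C zone_wan_prerouting -j test_pre returns 0 only if the hook survived the reload, which is the check the reporter was missing.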

