
Opened 3 years ago

Last modified 3 years ago

#17772 new defect

firewall zone extra* options suppress rule creation

Reported by: i@…
Owned by: developers
Priority: normal
Milestone:
Component: base system
Version: Trunk
Keywords:
Cc:

Description

I have a firewall zone configured thus:

config zone 'internet'
	option name 'internet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option device '+'
	option extra_src '-s !10.0.0.0/8'
	option extra_dest '-d !10.0.0.0/8'

However, no rules get generated:

root@hg:~# fw3 -4 print|grep internet
iptables -t filter -N zone_internet_input
iptables -t filter -N zone_internet_output
iptables -t filter -N zone_internet_forward
iptables -t filter -N zone_internet_src_ACCEPT
iptables -t filter -N zone_internet_dest_ACCEPT
iptables -t filter -N input_internet_rule
iptables -t filter -N output_internet_rule
iptables -t filter -N forwarding_internet_rule
iptables -t filter -A zone_internet_input -m comment --comment "user chain for input" -j input_internet_rule
iptables -t filter -A zone_internet_output -m comment --comment "user chain for output" -j output_internet_rule
iptables -t filter -A zone_internet_forward -m comment --comment "user chain for forwarding" -j forwarding_internet_rule
iptables -t filter -A zone_internet_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_internet_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_internet_input -j zone_internet_src_ACCEPT
iptables -t filter -A zone_internet_forward -j zone_internet_dest_ACCEPT
iptables -t filter -A zone_internet_output -j zone_internet_dest_ACCEPT
iptables -t nat -N zone_internet_postrouting
iptables -t nat -N zone_internet_prerouting
iptables -t nat -N prerouting_internet_rule
iptables -t nat -N postrouting_internet_rule
iptables -t nat -A zone_internet_prerouting -m comment --comment "user chain for prerouting" -j prerouting_internet_rule
iptables -t nat -A zone_internet_postrouting -m comment --comment "user chain for postrouting" -j postrouting_internet_rule
iptables -t raw -N zone_internet_notrack
iptables -t raw -A zone_internet_notrack -j CT --notrack

Compared to,

config zone 'internet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'internet'
	option device '+'

which yields

iptables -t filter -N zone_internet_input
iptables -t filter -N zone_internet_output
iptables -t filter -N zone_internet_forward
iptables -t filter -N zone_internet_src_ACCEPT
iptables -t filter -N zone_internet_dest_ACCEPT
iptables -t filter -N input_internet_rule
iptables -t filter -N output_internet_rule
iptables -t filter -N forwarding_internet_rule
iptables -t filter -A zone_internet_input -m comment --comment "user chain for input" -j input_internet_rule
iptables -t filter -A zone_internet_output -m comment --comment "user chain for output" -j output_internet_rule
iptables -t filter -A zone_internet_forward -m comment --comment "user chain for forwarding" -j forwarding_internet_rule
iptables -t filter -A zone_internet_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_internet_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_internet_input -j zone_internet_src_ACCEPT
iptables -t filter -A zone_internet_forward -j zone_internet_dest_ACCEPT
iptables -t filter -A zone_internet_output -j zone_internet_dest_ACCEPT
iptables -t filter -A zone_internet_src_ACCEPT -i + -j ACCEPT
iptables -t filter -A zone_internet_dest_ACCEPT -o + -j ACCEPT
iptables -t filter -A delegate_input -i + -j zone_internet_input
iptables -t filter -A delegate_output -o + -j zone_internet_output
iptables -t filter -A delegate_forward -i + -j zone_internet_forward
iptables -t nat -N zone_internet_postrouting
iptables -t nat -N zone_internet_prerouting
iptables -t nat -N prerouting_internet_rule
iptables -t nat -N postrouting_internet_rule
iptables -t nat -A zone_internet_prerouting -m comment --comment "user chain for prerouting" -j prerouting_internet_rule
iptables -t nat -A zone_internet_postrouting -m comment --comment "user chain for postrouting" -j postrouting_internet_rule
iptables -t nat -A delegate_prerouting -i + -j zone_internet_prerouting
iptables -t nat -A delegate_postrouting -o + -j zone_internet_postrouting
iptables -t raw -N zone_internet_notrack
iptables -t raw -A zone_internet_notrack -j CT --notrack
iptables -t raw -A delegate_notrack -i + -j zone_internet_notrack

Change History (1)

comment:1 Changed 3 years ago by anonymous

-s !1.2.3.4 is invalid iptables syntax, you need a space between the exclamation mark and the ipaddr. That however is deprecated syntax, the proper format is:

option extra_src '! -s 1.2.3.4'
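Added example, not code from the ticket or from the fw3 project: a small Python lint pass that applies the syntax point made in the comment above to a UCI firewall config. It flags the `-s !addr` form (rejected by iptables, which on the reporter's system left the zone with none of its device-matching rules, as the description's `fw3 -4 print` output shows), flags the accepted-but-deprecated `-s ! addr` form, and rewrites both to the `! -s addr` form the comment recommends. It checks the `extra`, `extra_src` and `extra_dest` zone options. The sample config, including the second zone `lan` and its address, is constructed for the example; the UCI parser only handles the `config`/`option` subset used here.

```python
import shlex

# Constructed sample: the reporter's zone from the ticket plus an already-correct
# second zone (the 'lan' zone and 192.0.2.0/24 are invented for this example).
SAMPLE_CONFIG = """\
config zone 'internet'
\toption name 'internet'
\toption input 'ACCEPT'
\toption output 'ACCEPT'
\toption forward 'REJECT'
\toption device '+'
\toption extra_src '-s !10.0.0.0/8'
\toption extra_dest '-d !10.0.0.0/8'

config zone 'lan'
\toption name 'lan'
\toption extra_src '! -s 192.0.2.0/24'
"""

# iptables options that take an address argument and may be negated.
ADDRESS_OPTIONS = {"-s", "--source", "-d", "--destination"}
EXTRA_OPTIONS = ("extra", "extra_src", "extra_dest")
SEVERITY = {"ok": 0, "deprecated": 1, "invalid": 2}


def worst(a, b):
    """Return the more severe of two statuses."""
    return a if SEVERITY[a] >= SEVERITY[b] else b


def parse_zones(text):
    """Minimal UCI parser: returns one dict of options per 'config zone' section."""
    zones = []
    for raw in text.splitlines():
        parts = shlex.split(raw)          # honours the single quotes UCI uses
        if not parts:
            continue
        if parts[0] == "config" and len(parts) >= 2 and parts[1] == "zone":
            zones.append({})
        elif parts[0] == "option" and zones and len(parts) == 3:
            zones[-1][parts[1]] = parts[2]
    return zones


def check_extra(value):
    """Classify one extra_* value and return (status, rewritten_value).

    'invalid'    : '-s !addr'   (no space; iptables rejects it, per the ticket comment)
    'deprecated' : '-s ! addr'  (accepted, but old-style negation)
    'ok'         : anything else, e.g. '! -s addr'
    """
    tokens = value.split()
    fixed, status, i = [], "ok", 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ADDRESS_OPTIONS and i + 1 < len(tokens):
            nxt = tokens[i + 1]
            if nxt == "!" and i + 2 < len(tokens):
                fixed += ["!", tok, tokens[i + 2]]     # '-s ! addr' -> '! -s addr'
                status = worst(status, "deprecated")
                i += 3
                continue
            if nxt.startswith("!") and len(nxt) > 1:
                fixed += ["!", tok, nxt[1:]]           # '-s !addr'  -> '! -s addr'
                status = worst(status, "invalid")
                i += 2
                continue
            fixed += [tok, nxt]
            i += 2
            continue
        fixed.append(tok)
        i += 1
    return status, " ".join(fixed)


def lint_config(text):
    """Return one finding per extra option that is deprecated or invalid."""
    findings = []
    for zone in parse_zones(text):
        for opt in EXTRA_OPTIONS:
            if opt not in zone:
                continue
            status, fixed = check_extra(zone[opt])
            if status != "ok":
                findings.append({"zone": zone.get("name", "?"), "option": opt,
                                 "status": status, "original": zone[opt],
                                 "fixed": fixed})
    return findings


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"zone {f['zone']}: {f['option']} is {f['status']}: "
              f"'{f['original']}' -> use '{f['fixed']}'")
```

Run against the constructed sample it reports both of the reporter's options as invalid and leaves the `lan` zone alone; the point of the rewrite is that a broken `extra_*` value does not fail loudly at `fw3` time, so a check like this belongs in whatever validates the config before it is committed.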
