Opened 2 years ago

Last modified 2 years ago

#21608 accepted defect

firewall doesn't start on boot

Reported by: James.Bottomlely@…
Owned by: jow
Priority: low
Milestone:
Component: packages
Version: Trunk
Keywords: boot firewall
Cc:

Description

The firewall fails to start when invoked from S19firewall on first boot. Debugging the init scripts, fw3 fails because it can't connect to ubus. Digging deeper, the fw3 ubus connect routine has this:

    bool
    fw3_ubus_connect(void)
    {
        bool status = false;
        uint32_t id;
        struct ubus_context *ctx = ubus_connect(NULL);
        struct blob_buf b = { };

        if (!ctx)
            goto out;

        if (ubus_lookup_id(ctx, "network.interface", &id))
            goto out;

        if (ubus_invoke(ctx, id, "dump", NULL, dump_cb, NULL, 500))
            goto out;

Meaning the firewall will never come up if the network isn't up. With the start priority of 19 for the firewall and 20 for the network it is impossible to satisfy this condition.

Even moving the network to a start priority of 21 still fails because it takes about 2s to get a network.interface dump after starting the network, so the 500ms timeout is too short. Fixing both of these finally allows the firewall to start on boot.

Change History (3)

comment:1 follow-up: Changed 2 years ago by jow

  • Priority changed from high to response-needed

That's usually not critical because the firewall start is triggered again by hotplug. Did you check why this isn't the case for you?

comment:2 in reply to: ↑ 1 Changed 2 years ago by James.Bottomlely@…

Replying to jow:

That's usually not critical because the firewall start is triggered again by hotplug. Did you check why this isn't the case for you?

I think it's because all the rules are set up by firewall.user and the hotplug script 20-firewall skips doing anything if /etc/config/firewall doesn't mention the interface.

comment:3 Changed 2 years ago by jow

  • Owner changed from developers to jow
  • Priority changed from response-needed to low
  • Status changed from new to accepted

That's not really its intended use case, better simply source your firewall.user from rc.local or a custom init script.
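A custom init script along the lines suggested in comment:3, as an added example that is not part of the ticket or of the OpenWrt sources. It goes one step further than the comment by waiting, with a bound well above the 2 s measured in the description, for network.interface to appear on ubus before sourcing the rules. The script name, the variables FW_USER, WAIT_SECS and NET_PROBE, and the log tag are assumptions, as is the availability of `ubus wait_for` in the installed build.

```shell
# /etc/init.d/firewall-user (hypothetical name); added example, not from the ticket.
# On the router the first line must be:  #!/bin/sh /etc/rc.common
# FW_USER, WAIT_SECS, NET_PROBE and the log tag are names assumed for this example.

START=21	# after S20network, the ordering discussed in the ticket

FW_USER="${FW_USER:-/etc/firewall.user}"
WAIT_SECS="${WAIT_SECS:-10}"	# the ticket measured about 2 s; 500 ms was too short
# Blocks until netifd has registered network.interface on ubus, or times out.
NET_PROBE="${NET_PROBE:-ubus -t $WAIT_SECS wait_for network.interface}"

log() {
	# Fall back to stderr when no syslog client is available.
	logger -t firewall-user "$*" 2>/dev/null || echo "firewall-user: $*" >&2
}

start() {
	if [ ! -f "$FW_USER" ] || [ ! -r "$FW_USER" ]; then
		log "no readable $FW_USER, nothing applied"
		return 1
	fi

	# Bounded wait. On timeout the rules are still applied so the device does
	# not stay unfiltered, and the condition is logged for follow-up.
	if ! $NET_PROBE >/dev/null 2>&1; then
		log "network.interface not on ubus after ${WAIT_SECS}s, applying rules anyway"
	fi

	# Source in a subshell: a syntax error or 'exit' in the rules file cannot
	# abort the init sequence. The status is that of the file's last command.
	if ( . "$FW_USER" ); then
		log "applied $FW_USER"
	else
		log "errors while applying $FW_USER"
		return 2
	fi
}
```

A nonzero return from `start` (1 for a missing rules file, 2 for a failing one) means the device may be running without the expected rules, so it is worth alerting on the corresponding syslog lines.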
