
Opened 7 years ago

Closed 7 years ago

Last modified 4 years ago

#8955 closed defect (fixed)

Firewall ignores arguments when using IPv4/IPv6 only

Reported by: rovo
Owned by: jow
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords: firewall
Cc:

Description

While trying to set up a SixXS tunnel+subnet on my Netgear WNDR3700v2 router (running OpenWrt trunk), I came across a problem with the firewall. I set my WAN interface to IPv4-only. Afterwards, I got the error message "iptables v1.4.10: TCPMSS target: At least one parameter is required" whenever I restarted the firewall. Here is a trace which shows why this error message occurs:

iptables --table filter --append zone_lan_ACCEPT --jump ACCEPT -o br-lan
ip6tables --table filter --append zone_lan_ACCEPT --jump ACCEPT -o br-lan
...
iptables --table filter --append zone_lan_MSSFIX --jump TCPMSS -o br-lan -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu
ip6tables --table filter --append zone_lan_MSSFIX --jump TCPMSS -o br-lan -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu
...
iptables --table filter --append zone_wan_ACCEPT --jump ACCEPT
iptables --table filter --append zone_wan_ACCEPT --jump ACCEPT
...
iptables --table filter --append zone_wan_MSSFIX --jump TCPMSS
iptables v1.4.10: TCPMSS target: At least one parameter is required
Try `iptables -h' or 'iptables --help' for more information.

As you can see, the last part is simply ignored for WAN. I am not sure where the best place for a fix would be. One thing I found was in core_interface.sh:

case "$mode/$subnet" in
    # Zone supports v6 only or dual, need v6
    G6/*:*|i/*:*)
        inet="-s $subnet -d ::/0"
        onet="-s ::/0 -d $subnet"
        mode=6
    ;;

    # Zone supports v4 only or dual, need v4
    G4/*.*.*.*|i/*.*.*.*)
        inet="-s $subnet -d 0.0.0.0/0"
        onet="-s 0.0.0.0/0 -d $subnet"
        mode=4
    ;;

This misses the case where the subnet is empty, which is true for my configuration. For me it worked fine when I added this:

    G6/)
        mode=6
    ;;

    G4/)
        mode=4
    ;;

I hope this helps someone to build a patch. :)

By the way (if someone has the same problem): Only active interfaces are considered, so the TUN device has to be tricked into being active by adding option 'up' '1' in /etc/config/network.
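The dispatch quoted in the report, reduced to a stand-alone model so the symptom can be reproduced without a router. This is an added example, not code from OpenWrt's package/firewall: the function names resolve_family, mssfix_rule and tcpmss_ok, the ZONE/DEV parameters, and the way an unresolved mode drops the match arguments are assumptions made here. The dual-stack zone with an empty subnet (mode "i") is handled elsewhere in the real script and is not modelled.

```shell
#!/bin/sh
# Added example, not code from OpenWrt's package/firewall. It reduces the
# mode/subnet dispatch quoted in the report to a stand-alone model so the
# symptom (a v4-only zone with no subnet leaves mode as "G4" and the rule
# loses its arguments) can be reproduced and the fallback arm tried out.
# resolve_family, mssfix_rule, tcpmss_ok and the way an unresolved mode
# drops the match arguments are assumptions made for this example.

# resolve_family MODE SUBNET [FIX]
#   MODE is G4 (zone is IPv4-only), G6 (IPv6-only) or i (dual-stack, family
#   follows the subnet); SUBNET may be empty, as it is for a bare interface.
#   Prints "<family>|<ingress match>|<egress match>", or "skip" when the
#   subnet's family is not one the zone supports. A non-empty FIX enables
#   the empty-subnet fallback from comment:3.
resolve_family() {
	mode="$1" subnet="$2" fix="$3" inet="" onet=""
	case "$mode/$subnet" in
		# Zone supports v6 only or dual, need v6
		G6/*:*|i/*:*)
			inet="-s $subnet -d ::/0"
			onet="-s ::/0 -d $subnet"
			mode=6 ;;
		# Zone supports v4 only or dual, need v4
		G4/*.*.*.*|i/*.*.*.*)
			inet="-s $subnet -d 0.0.0.0/0"
			onet="-s 0.0.0.0/0 -d $subnet"
			mode=4 ;;
		# Subnet family is not supported by the zone: nothing to add
		G4/*:*|G6/*.*)
			echo skip
			return 0 ;;
		# Empty subnet (the report's case): nothing above matches, so mode
		# is still "G4"/"G6" unless the prefix is stripped here
		*)
			if [ -n "$fix" ]; then mode="${mode#G}"; fi ;;
	esac
	echo "$mode|$inet|$onet"
}

# mssfix_rule FAMILY ZONE DEV
#   Builds the MSSFIX rule. Only a resolved family ("4" or "6") selects the
#   binary and gets the device/protocol/TCPMSS arguments appended; anything
#   else falls through with a bare target, which is what the report's trace
#   shows for zone_wan_MSSFIX (assumed mechanism, not the real script's).
mssfix_rule() {
	family="$1" zone="$2" dev="$3"
	case "$family" in
		4) bin=iptables ;;
		6) bin=ip6tables ;;
		*) echo "iptables --table filter --append zone_${zone}_MSSFIX --jump TCPMSS"
		   return 0 ;;
	esac
	echo "$bin --table filter --append zone_${zone}_MSSFIX --jump TCPMSS -o $dev -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu"
}

# tcpmss_ok WORD...
#   Returns 0 unless the rule jumps to TCPMSS without --set-mss or
#   --clamp-mss-to-pmtu, the condition behind "At least one parameter is
#   required". Lets a generated rule be checked before it is handed to iptables.
tcpmss_ok() {
	case " $* " in
		*" --jump TCPMSS "*) ;;
		*) return 0 ;;
	esac
	case " $* " in
		*" --set-mss "*|*" --clamp-mss-to-pmtu "*) return 0 ;;
		*) return 1 ;;
	esac
}

# Reproduce the report: wan is IPv4-only and has no subnet. Without the
# fallback the rule is rejected; with it the arguments are present.
for fix in "" 1; do
	out=$(resolve_family G4 "" "$fix")
	rule=$(mssfix_rule "${out%%|*}" wan eth1)
	if tcpmss_ok $rule; then
		echo "ok:  $rule"
	else
		echo "BAD: $rule"
	fi
done
```

Running it prints the bare "--jump TCPMSS" rule as BAD for the unpatched dispatch and the full rule as ok once the prefix is stripped; tcpmss_ok is the check a firewall generator can run on its own output so a missing-argument rule is caught before iptables rejects it mid-reload.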

Attachments (0)

Change History (6)

comment:1 Changed 7 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

comment:2 Changed 7 years ago by jow

Please attach your /etc/config/firewall and /etc/config/network.

comment:3 Changed 7 years ago by jow

Disregard the configs, please try the following patch:

--- package/firewall/files/lib/core_interface.sh	(revision 25713)
+++ package/firewall/files/lib/core_interface.sh	(working copy)
@@ -70,6 +70,9 @@
 
 			# Need v4 while zone is v6
 			*/*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
+
+			# Strip prefix
+			*) mode="${mode#G}" ;;
 		esac
 
 		lock /var/run/firewall-interface.lock
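Review bot: the new `*)` arm's comment "Strip prefix" does not say why the arm exists; it is the arm that catches the empty-subnet case from the report (`G4/` and `G6/`), so the comment should say so, and the pattern is worth making explicit, e.g. `G4/|G6/) mode="${mode#G}" ;;`, followed by a `*)` that logs the unexpected `$mode/$subnet` with `fw_log` and returns, as the preceding `*/*.*)` arm does. As written, any combination not matched above, including a mode without a `G` prefix such as the `i/` mode in the reporter's excerpt, keeps its value unchanged and continues to the `lock` below, so it is worth confirming that `i/` with an empty subnet is meant to reach this point.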

comment:4 Changed 7 years ago by rovo

That works fine for me, the iptables commands are generated as expected without any error messages.

comment:5 Changed 7 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed

Fix added in r25813 and r25814 - thank you for reporting and testing.

comment:6 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
