FS#2122 - NAT-Loopback not working with NCM protocol #6970
Comments
ThomasCr: I think the bug must be located somewhere in this file (https://git.openwrt.org/?p=project/firewall3.git;a=blob;f=redirects.c;hb=HEAD). I tried to figure out how it works, but didn't find the right function where the IP address gets resolved. At this point there should be a check whether the proto is ncm, and if yes, the IP should be taken from interface_4 or interface_6 to add it to the reflection rule.
ThomasCr: OK, I think I located the right point for the fix: https://git.openwrt.org/?p=project/firewall3.git;a=blob;f=zones.c in the function fw3_resolve_zone_addresses()
jow-: The firewall package is not the proper place to fix this. Please try the attached patch (you can edit the ncm.sh file live on your router and reboot if you do not want to compile).
ThomasCr: Thanks - I have patched /lib/netifd/proto/ncm.sh and rebooted. Does this only affect the firewall now, or other packages too? If I understand it right, you only add the zone identifier to the virtual interface? I ask because I know that some packages have now been fixed to get the IPs from the _4 and _6 virtual interfaces for ncm (like the mwan3 package). EDIT: hmmm - the router doesn't come online again. Need to call someone tomorrow :-(
jow-: Yes, it ensures that _4 and _6 subinterfaces are put into the same firewall zone as the parent interface. The firewall draws its IP information for loopback setup from all interface members of a given zone (as seen by "ifstatus xxx"). Hardcoding any _4 or _6 subinterface assumptions is not the proper fix since this is a protocol-specific implementation detail.
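The zone membership jow- describes, modelled as an added example (not part of the thread and not firewall3's code): an interface counts as a zone member through the zone's network list or through a zone tag in its status data, and only members contribute loopback addresses. The JSON is a constructed sample shaped like `ubus call network.interface dump` output; the `data.zone` key, the addresses and the function names are assumptions.

```python
import copy
import json

# Constructed sample shaped like `ubus call network.interface dump`:
# the NCM parent "wwan" holds no address, the lease sits on "wwan_4".
DUMP = json.loads("""
{"interface": [
  {"interface": "lan", "up": true,
   "ipv4-address": [{"address": "192.168.1.1", "mask": 24}], "data": {}},
  {"interface": "wwan", "up": true, "proto": "ncm",
   "ipv4-address": [], "data": {}},
  {"interface": "wwan_4", "up": true, "proto": "dhcp",
   "ipv4-address": [{"address": "10.64.0.7", "mask": 30}], "data": {}}
]}
""")


def zone_addresses(dump, zone, configured_networks):
    """IPv4 addresses of every up interface that is a member of `zone`.

    Membership (assumed model): the interface is named in the zone's
    network list, or its status data carries a matching zone tag.
    """
    addrs = []
    for iface in dump["interface"]:
        listed = iface["interface"] in configured_networks
        tagged = iface.get("data", {}).get("zone") == zone
        if iface.get("up") and (listed or tagged):
            addrs += [a["address"] for a in iface.get("ipv4-address", [])]
    return addrs


def tag_subinterfaces(dump, parent, zone):
    """Copy of `dump` with <parent>_4 / <parent>_6 tagged with `zone`."""
    patched = copy.deepcopy(dump)
    for iface in patched["interface"]:
        if iface["interface"] in (parent + "_4", parent + "_6"):
            iface.setdefault("data", {})["zone"] = zone
    return patched


if __name__ == "__main__":
    wan = {"wwan"}  # zone "wan" lists only the parent interface
    print("untagged:", zone_addresses(DUMP, "wan", wan))
    tagged = tag_subinterfaces(DUMP, "wwan", "wan")
    print("tagged:  ", zone_addresses(tagged, "wan", wan))
```

With the untagged sample the wan zone resolves to no address at all, which matches the missing reflection rules; once the sub-interface carries the zone tag, its address is picked up.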
ThomasCr: Whatever happened, it looks like something goes wrong with this fix, because the router won't get online again. EDIT: can't connect from outside via ssh, and even the computer behind the router doesn't come online, because the host doesn't come up in TeamViewer. I made a backup of the original ncm.sh - tomorrow I will report back, when someone is at the site to recover the original. I have patched the file with the patch util and entered the right filename.
can't find file to patch at input line 16 Perhaps you used the wrong -p or --strip option? The text leading up to this was: |
Signed-off-by: Jo-Philipp Wich jo@mein.io |
---|
package/network/utils/comgt/files/ncm.sh |
1 file changed, 12 insertions(+) |
|
|diff --git a/package/network/utils/comgt/files/ncm.sh b/package/network/utils/comgt/files/ncm.sh
|index 60b39655ec..e3c820ab3f 100644
|--- a/package/network/utils/comgt/files/ncm.sh
|+++ b/package/network/utils/comgt/files/ncm.sh
File to patch: /lib/netifd/proto/ncm.sh
patching file /lib/netifd/proto/ncm.sh
ThomasCr: OK, I could solve the problem - it was the LTE USB stick - the stick was in an unexpected state. All tries (reboots/poweroff/on/change USB port and restore the original ncm.sh) did not solve the problem. I saved the logfile - maybe I will make a bug report. OpenWrt should implement a better initialization of the LTE stick. I put the stick into my laptop with Ubuntu 18.04 installed and made a connection. All was working well. So now back to topic: I patched the file again and rebooted again - but the reflection rules are not present, and on the network page of LuCI the virtual interfaces are still not the same color as the parent (wwan) interface.
ThomasCr: Today I had time to debug this a little: I added the following line below the local zone="...
and I got
so it seems that at this point the zone is not known to fw3. But when the interface is connected, I can get the zone without any problems:
ThomasCr: grr.. after reading my comment again I get the problem: $ifname = wwan
ThomasCr: so, ok - the right patch should look like this:
--- /lib/netifd/proto/ncm.sh.orig 2019-02-14 17:09:58.000000000 +0100
+++ /lib/netifd/proto/ncm.sh 2019-02-18 22:36:51.000000000 +0100
@@ -146,12 +146,19 @@
proto_close_data
proto_send_update "$interface"
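Review bot: the file headers name the installed copy (`/lib/netifd/proto/ncm.sh.orig` and `/lib/netifd/proto/ncm.sh`), so this diff will not apply in the source tree, where the file is package/network/utils/comgt/files/ncm.sh; regenerate it against that path with a/ and b/ prefixes before submitting. The hunk header `@@ -146,12 +146,19 @@` announces seven added lines, but only the context lines `proto_close_data` and `proto_send_update "$interface"` are shown, so the zone handling itself cannot be reviewed from what is posted here.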
ThomasCr: But I also cannot get the zone from ubus call...
How can I verify if the zone is set?
ThomasCr: Is a proto_send_update not needed?
ThomasCr: OK, I got it running: I modified the code as seen here: https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/ipv6/odhcp6c/files/dhcpv6.script;h=dcb7a95d98f8342fb7626449a11ecadb2e050e5e;hb=refs/tags/v18.06.1
ThomasCr:
Hi,
Today I updated my LEDE installation to OpenWrt 18.06.2 in the hope that it fixes some problems.
One of them is that the NAT loopback rules are not automatically created on interface up / firewall reload.
I think it is because of the virtually assigned _4 / _6 suffix of the interface name.