OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by RemiNV - 15.08.2020
Last edited by Petr Štetiar - 06.10.2020

FS#3284 - firewall3 parses boolean options as false

fw3 does not parse boolean options properly: { "bool_attr": "true" } is fine, but { "bool_attr": true } (no quotes) is parsed as false.

Repro steps:

Assuming there is a "wanclient" DHCPv6 client logical interface, based on an eth0.2 switch VLAN interface:

ubus  call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": true, "snat_ip": "", "snat_port": "63345-63346" }]}}'
iptables -t nat -S POSTROUTING

Shows the following iptables SNAT rule:

  -A POSTROUTING -o eth0.2 -p icmp -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source

Notice that it does not specify connlimit options, even though '"connlimit_ports": true' was specified in the ubus call.
However if the same is done with '"connlimit_ports": "true"' (note the quotes around "true"):

ubus  call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": "true", "snat_ip": "", "snat_port": "63345-63346" }]}}'

The correct iptables rule is added:

  -A POSTROUTING -o eth0.2 -p icmp -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-daddr -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source

This seems to be a bug in firewall3/options.c: in fw3_parse_blob_options, boolean options are parsed as string options (with blobmsg_get_string), which seems to return an empty string for an actual boolean option (true without quotes).

I have a patch and will try to send it.
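As an added illustration of the mechanism the report describes (this is not firewall3 or libubox code), the program below models a blobmsg-like attribute with a constructed type tag and shows the string-only parse beside a type-dispatched version. The attr struct, the getter names and the set of accepted boolean spellings are assumptions made for the example.

```c
/* Added example for FS#3284: constructed stand-in for a blobmsg attribute.
 * Type tags and getters only mirror libubox naming; they are not libubox. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum attr_type { ATTR_STRING, ATTR_BOOL };

struct attr {
    enum attr_type type;
    const char *str;   /* valid when type == ATTR_STRING */
    bool b;            /* valid when type == ATTR_BOOL */
};

/* Stand-in string getter: a non-string attribute yields "" here, which is
 * the behaviour the report observed for a bare JSON true. */
static const char *attr_get_string(const struct attr *a)
{
    return a->type == ATTR_STRING ? a->str : "";
}

/* Assumed set of textual spellings treated as true. */
static bool parse_bool_string(const char *s)
{
    return !strcmp(s, "1") || !strcmp(s, "on") ||
           !strcmp(s, "true") || !strcmp(s, "yes");
}

/* Buggy path: every option goes through the string getter, so a native
 * boolean arrives as "" and is parsed as false. */
bool parse_bool_buggy(const struct attr *a)
{
    return parse_bool_string(attr_get_string(a));
}

/* Fixed path: dispatch on the attribute type before touching the string. */
bool parse_bool_fixed(const struct attr *a)
{
    if (a->type == ATTR_BOOL)
        return a->b;
    return parse_bool_string(attr_get_string(a));
}

int main(void)
{
    const struct attr quoted = { ATTR_STRING, "true", false }; /* "connlimit_ports": "true" */
    const struct attr bare   = { ATTR_BOOL, NULL, true };      /* "connlimit_ports": true   */
    printf("quoted: buggy=%d fixed=%d\n", parse_bool_buggy(&quoted), parse_bool_fixed(&quoted));
    printf("bare:   buggy=%d fixed=%d\n", parse_bool_buggy(&bare), parse_bool_fixed(&bare));
    return 0;
}
```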

Closed by Petr Štetiar
06.10.2020 07:36
Reason for closing:  Fixed
Additional comments about closing:  


RemiNV commented on 15.08.2020 04:59

Note that because of this bug, the map-e protocol (implemented in package/network/ipv6/map/files/) does not function properly, as the "connlimit_ports" option does not get applied, so the first iptables rule catches all connections and runs out of ports.

People have been resorting to really hacky workarounds to get it to work, such as:
