OpenWrt/LEDE Project

Attached to Project: OpenWrt/LEDE Project
Opened by RemiNV - 15.08.2020
Last edited by Petr Štetiar - 06.10.2020

fw3 does not parse boolean options properly: { “bool_attr”: “true” } is fine, but { “bool_attr”: true } (no quotes) is parsed as false.

Repro steps:

Assuming there is a “wanclient” DHCPv6 client logical interface, based on a eth0.2 switch VLAN interface:

ubus  call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": true, "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'
iptables -t nat -S POSTROUTING

Shows the following iptables SNAT rule:

  -A POSTROUTING -o eth0.2 -p icmp -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346

Notice that it does not specify connlimit options, even though ‘“connlimit_ports”: true’ was specified in the ubus call.
However if the same is done with ‘“connlimit_ports”: “true”’ (note the quotes around “true”):

ubus  call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": "true", "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'

The correct iptables rule is added:

  -A POSTROUTING -o eth0.2 -p icmp -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-daddr -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346

This seems to be a bug in firewall3/options.c: in fw3_parse_blob_options, boolean options as parsed as string options (with blobmsg_get_string), which seems to return an empty string for an actual boolean option (true without quotes).

I have a patch and will try to send it.