- Status: Closed
- Percent Complete:
- Task Type: Bug Report
- Category: Base system
- Assigned To: No-one
- Operating System: All
- Severity: Low
- Priority: Very Low
- Reported Version: Trunk
- Due in Version: Undecided
- Due Date: Undecided
- Private
Opened by RemiNV - 15.08.2020
Last edited by Petr Štetiar - 06.10.2020
FS#3284 - firewall3 parses boolean options as false
fw3 does not parse boolean options properly: { "bool_attr": "true" } is fine, but { "bool_attr": true } (no quotes) is parsed as false.
Repro steps:
Assuming there is a "wanclient" DHCPv6 client logical interface, based on an eth0.2 switch VLAN interface:
ubus call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": true, "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'
iptables -t nat -S POSTROUTING
Shows the following iptables SNAT rule:
-A POSTROUTING -o eth0.2 -p icmp -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346
Notice that it does not specify connlimit options, even though '"connlimit_ports": true' was specified in the ubus call.
However, if the same is done with '"connlimit_ports": "true"' (note the quotes around "true"):
ubus call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": "true", "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'
The correct iptables rule is added:
-A POSTROUTING -o eth0.2 -p icmp -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-daddr -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346
This seems to be a bug in firewall3/options.c: in fw3_parse_blob_options, boolean options are parsed as string options (with blobmsg_get_string), which seems to return an empty string for an actual boolean option (true without quotes).
I have a patch and will try to send it.
06.10.2020 07:36
Reason for closing: Fixed
Additional comments about closing:
Requested
Sent a patch in https://patchwork.ozlabs.org/project/openwrt/patch/20200815045027.919125-1-remi.nguyenvan+openwrt@gmail.com/
Note that because of this bug, the map-e protocol (implemented in package/network/ipv6/map/files/map.sh) does not function properly, as the "connlimit_ports" option does not get applied, so the first iptables rule catches all connections and runs out of ports.
People have been resorting to really hacky workarounds to get it to work, such as: https://gist.github.com/anonymous/0fdec75fa20a7f1ce4806391d6b0429b
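The failure mode described in the report (a native JSON boolean read through a string accessor yields an empty string, which is then taken as false, so the option is silently dropped), as an added example that is not part of this bug report, the submitted patch, or firewall3 itself. It uses a constructed tagged-value struct (opt_value) in place of libubox's blob_attr and blobmsg API, so it compiles stand-alone; parse_bool_buggy and parse_bool_fixed are hypothetical names. The fixed variant also refuses unrecognised strings instead of defaulting to false, so a misspelled value cannot quietly turn off a security-relevant option such as connlimit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a blobmsg attribute (hypothetical; not libubox). */
enum opt_type { OPT_STRING, OPT_BOOL };

struct opt_value {
    enum opt_type type;
    const char *str;  /* payload when type == OPT_STRING */
    bool b;           /* payload when type == OPT_BOOL */
};

/* Reproduces the defect class from the report: the attribute is always read
 * as a string. A native boolean has no string payload, so it reads as "",
 * every "true" spelling check fails, and the option is treated as false. */
static const char *read_as_string(const struct opt_value *v)
{
    return (v->type == OPT_STRING && v->str) ? v->str : "";
}

static bool parse_bool_buggy(const struct opt_value *v)
{
    const char *s = read_as_string(v);
    return !strcmp(s, "1") || !strcmp(s, "true") ||
           !strcmp(s, "yes") || !strcmp(s, "on");
}

/* Type-aware version. Returns 1 for true, 0 for false, -1 for a value that
 * is neither a native boolean nor a recognised string spelling, so the caller
 * can log the bad option rather than silently disabling it. */
static int parse_bool_fixed(const struct opt_value *v)
{
    static const char *const yes[] = { "1", "true", "yes", "on" };
    static const char *const no[]  = { "0", "false", "no", "off" };
    size_t i;

    if (v->type == OPT_BOOL)
        return v->b ? 1 : 0;
    if (v->type != OPT_STRING || !v->str)
        return -1;
    for (i = 0; i < sizeof(yes) / sizeof(yes[0]); i++)
        if (!strcmp(v->str, yes[i]))
            return 1;
    for (i = 0; i < sizeof(no) / sizeof(no[0]); i++)
        if (!strcmp(v->str, no[i]))
            return 0;
    return -1;
}

int main(void)
{
    /* Constructed inputs mirroring the two ubus calls in the report, plus a
     * typo to show the strict path. */
    struct opt_value quoted = { OPT_STRING, "true", false };
    struct opt_value native = { OPT_BOOL, NULL, true };
    struct opt_value typo   = { OPT_STRING, "ture", false };

    printf("\"true\" (quoted): buggy=%d fixed=%d\n",
           parse_bool_buggy(&quoted), parse_bool_fixed(&quoted));
    printf("true (native):   buggy=%d fixed=%d\n",
           parse_bool_buggy(&native), parse_bool_fixed(&native));
    printf("\"ture\" (typo):   buggy=%d fixed=%d\n",
           parse_bool_buggy(&typo), parse_bool_fixed(&typo));
    return 0;
}
```

The point for a reviewer of any option parser is the second line of output: the buggy path reports the native boolean as 0 while the type-aware path reports 1, which is exactly the difference between the two iptables rules shown in the report. A parser that maps every unknown input to "off" is also worth flagging in review, since a typo then degrades the firewall configuration without any error.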