FS#3284 - firewall3 parses boolean options as false #8233

Closed
openwrt-bot opened this issue Aug 15, 2020 · 2 comments

RemiNV:

fw3 does not parse boolean options properly: { "bool_attr": "true" } is fine, but { "bool_attr": true } (no quotes) is parsed as false.

Repro steps:

Assuming there is a "wanclient" DHCPv6 client logical interface, based on an eth0.2 switch VLAN interface:

ubus call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": true, "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'
iptables -t nat -S POSTROUTING

Shows the following iptables SNAT rule:

-A POSTROUTING -o eth0.2 -p icmp -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346

Notice that it does not specify connlimit options, even though '"connlimit_ports": true' was specified in the ubus call.
However if the same is done with '"connlimit_ports": "true"' (note the quotes around "true"):

ubus call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": "true", "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'

The correct iptables rule is added:

-A POSTROUTING -o eth0.2 -p icmp -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-daddr -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346

This seems to be a bug in firewall3/options.c: in fw3_parse_blob_options, boolean options are parsed as string options (with blobmsg_get_string), which seems to return an empty string for an actual boolean option (true without quotes).

I have a patch and will try to send it.
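
The mechanism behind the report, as an added example that is not firewall3's own code or the reporter's patch: when ubus converts the JSON payload to a blob message, a bare `true` becomes a bool-typed attribute whose payload is a single byte, while `"true"` stays a string attribute. A parser that reads every attribute's payload as a C string (the `blobmsg_get_string` path the issue points at) compares that raw byte against the truthy spellings and silently gets `false`. The attribute struct, the `ATTR_*` type names and the set of accepted truthy strings below are simplifications assumed for illustration, not libubox's or fw3's real definitions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Modelled attribute types. libubox has BLOBMSG_TYPE_STRING, BLOBMSG_TYPE_BOOL
 * and others; this model only needs the two involved in the bug. */
enum attr_type { ATTR_STRING = 1, ATTR_BOOL = 2 };

/* Simplified blob attribute: a type tag plus a raw payload (assumed layout,
 * not libubox's real struct blob_attr). A bool payload is one byte, 0 or 1,
 * and is not NUL-terminated text. */
struct attr {
    enum attr_type type;
    unsigned char data[16];
};

static struct attr attr_from_string(const char *s)
{
    struct attr a;
    memset(&a, 0, sizeof a);
    a.type = ATTR_STRING;
    strncpy((char *)a.data, s, sizeof a.data - 1);
    return a;
}

static struct attr attr_from_bool(bool v)
{
    struct attr a;
    memset(&a, 0, sizeof a);
    a.type = ATTR_BOOL;
    a.data[0] = v ? 1 : 0;
    return a;
}

/* Truthy spellings accepted for string-valued options (assumed set). */
static bool bool_from_text(const char *val)
{
    return !strcmp(val, "true") || !strcmp(val, "yes") || !strcmp(val, "1");
}

/* Buggy behaviour the issue describes: the payload is read as a C string no
 * matter what the attribute type is, as with blobmsg_get_string(). For a bool
 * attribute the payload is the byte 0x01 (or 0x00), which matches none of the
 * truthy spellings, so { "opt": true } ends up parsed as false. */
static bool parse_bool_buggy(const struct attr *a)
{
    return bool_from_text((const char *)a->data);
}

/* Type-aware parse: consult the attribute type before touching the payload. */
static bool parse_bool_fixed(const struct attr *a)
{
    switch (a->type) {
    case ATTR_BOOL:
        return a->data[0] != 0;
    case ATTR_STRING:
        return bool_from_text((const char *)a->data);
    }
    return false;
}

/* Convenience wrappers: build the attribute a ubus JSON value would produce
 * and run it through each parser. */
static bool buggy_quoted(const char *s) { struct attr a = attr_from_string(s); return parse_bool_buggy(&a); }
static bool buggy_bare(bool v)          { struct attr a = attr_from_bool(v);   return parse_bool_buggy(&a); }
static bool fixed_quoted(const char *s) { struct attr a = attr_from_string(s); return parse_bool_fixed(&a); }
static bool fixed_bare(bool v)          { struct attr a = attr_from_bool(v);   return parse_bool_fixed(&a); }

int main(void)
{
    printf("\"connlimit_ports\": \"true\"  buggy=%d fixed=%d\n", buggy_quoted("true"), fixed_quoted("true"));
    printf("\"connlimit_ports\": true    buggy=%d fixed=%d\n", buggy_bare(true), fixed_bare(true));
    printf("\"connlimit_ports\": false   buggy=%d fixed=%d\n", buggy_bare(false), fixed_bare(false));
    return 0;
}
```

The practitioner's point is the failure mode: the buggy path does not reject the rule, it installs it without the connlimit match, so a permissive rule lands silently. A type check before interpreting the payload is what closes that gap; checking the installed rule with `iptables -t nat -S POSTROUTING`, as the report does, is the only way to notice it otherwise.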

RemiNV:

Note that because of this bug, the map-e protocol (implemented in package/network/ipv6/map/files/map.sh) does not function properly, as the "connlimit_ports" option does not get applied, so the first iptables rule catches all connections and runs out of ports.

People have been resorting to really hacky workarounds to get it to work, such as: https://gist.github.com/anonymous/0fdec75fa20a7f1ce4806391d6b0429b
