Note that because of this bug, the map-e protocol (implemented in package/network/ipv6/map/files/map.sh) does not function properly, as the "connlimit_ports" option does not get applied, so the first iptables rule catches all connections and runs out of ports.
RemiNV:
fw3 does not parse boolean options properly: { "bool_attr": "true" } is fine, but { "bool_attr": true } (no quotes) is parsed as false.
Repro steps:
Assuming there is a "wanclient" DHCPv6 client logical interface, based on an eth0.2 switch VLAN interface:
ubus call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": true, "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'
iptables -t nat -S POSTROUTING
Shows the following iptables SNAT rule:
-A POSTROUTING -o eth0.2 -p icmp -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346
Notice that it does not specify connlimit options, even though '"connlimit_ports": true' was specified in the ubus call.
However if the same is done with '"connlimit_ports": "true"' (note the quotes around "true"):
ubus call network.interface notify_proto '{ "action": 0, "link-up": true, "interface": "wanclient", "ifname": "eth0.2", "data": { "firewall": [ { "type": "nat", "target": "SNAT", "family": "inet", "proto": "icmp", "connlimit_ports": "true", "snat_ip": "192.168.42.42", "snat_port": "63345-63346" }]}}'
The correct iptables rule is added:
-A POSTROUTING -o eth0.2 -p icmp -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-daddr -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346
This seems to be a bug in firewall3/options.c: in fw3_parse_blob_options, boolean options are parsed as string options (with blobmsg_get_string), which seems to return an empty string for an actual boolean option (true without quotes).
I have a patch and will try to send it.
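An added check, not code from the report above or from firewall3, that flags the symptom described in `iptables -t nat -S POSTROUTING` output: fw3 ubus SNAT rules with a port-range `--to-source` but no connlimit match. The sample rules are constructed from the two quoted above plus a correct second rule.

```shell
#!/bin/sh
# Added example (not part of firewall3): scan `iptables -t nat -S POSTROUTING`
# output for fw3-generated ubus SNAT rules that map to a source port range
# but carry no "-m connlimit" match, i.e. the rule produced when
# "connlimit_ports": true was silently dropped by fw3_parse_blob_options.

# Constructed sample output: rule "nat 0" shows the bug, "nat 1" is correct.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0.2 -p icmp -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 0" -j SNAT --to-source 192.168.42.42:63345-63346
-A POSTROUTING -o eth0.2 -p tcp -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-daddr -m comment --comment "!fw3: ubus:wanclient[dhcpv6] nat 1" -j SNAT --to-source 192.168.42.42:63345-63346
-A POSTROUTING -o eth0.2 -j MASQUERADE'

# Reads rules on stdin. Prints every fw3 ubus SNAT rule that has a
# port-range --to-source but no "-m connlimit"; returns 0 when none
# are found (clean) and 1 when at least one affected rule exists.
find_unlimited_snat_rules() {
    awk '
        /^-A / && /"!fw3: ubus:/ && /-j SNAT/ &&
        /--to-source [0-9.]+:[0-9]+-[0-9]+/ {
            if ($0 !~ /-m connlimit/) { print; bad++ }
        }
        END { if (bad) exit 1 }
    '
}

# On a router: iptables -t nat -S POSTROUTING | find_unlimited_snat_rules
# Stand-alone run against the constructed sample:
if printf '%s\n' "$SAMPLE_RULES" | find_unlimited_snat_rules; then
    echo "OK: every port-range SNAT rule carries a connlimit match"
else
    echo "WARNING: the rule(s) above will exhaust their port range"
fi
```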