FS#3977 - fw3: ipset timeout option ignored when set to zero #8976

openwrt-bot · 2021-08-12T15:30:48Z

jorne-tremani:

When I define a timeout of 0 in a firewall config ipset rule, the ipset is created without timeout support. The fw3 code checks for "timeout > 0" and therefor ignores the timeout option while a timeout value of zero is actually valid for ipsets and stands for "indefinite".

expected:
making an ipset firewall rule with //option timeout 0// creates an ipset with timeout support.

device: all (tested on NanoPi R4S)
openwrt version: 21.02-rc4 (custom build), current trunk is also affected

example snippet from /etc/config/firewall
config ipset option name 'ssh-access' option match 'src_net' option family 'ipv6' option storage 'hash' option timeout '0' option loadfile '/etc/ipset/ssh-access.list'

config rule option src 'wan' option ipset 'ssh-access' option dest_port '22' option proto 'tcp' option target 'ACCEPT' option name 'Allow-External-SSH-ipset' option family 'ipv6'

Current workaround:

set the timeout to any value > 0
append " timeout 0" to all entries in the file loaded by loadfile

The text was updated successfully, but these errors were encountered:

openwrt-bot · 2021-08-14T06:28:56Z

ldir:

Would you like to test a proposed fix from my staging tree?

https://git.openwrt.org/?p=openwrt/staging/ldir.git;a=commit;h=c2035b35efbf20f0f87448d5c896f6bba2d09acf

openwrt-bot closed this as completed Aug 18, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FS#3977 - fw3: ipset timeout option ignored when set to zero #8976

FS#3977 - fw3: ipset timeout option ignored when set to zero #8976

openwrt-bot commented Aug 12, 2021

openwrt-bot commented Aug 14, 2021

FS#3977 - fw3: ipset timeout option ignored when set to zero #8976

FS#3977 - fw3: ipset timeout option ignored when set to zero #8976

Comments

openwrt-bot commented Aug 12, 2021

openwrt-bot commented Aug 14, 2021