OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To
    Kevin 'ldir' Darbyshire-Bryant
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Jorne Anders - 12.08.2021
Last edited by Kevin 'ldir' Darbyshire-Bryant - 18.08.2021

FS#3977 - fw3: ipset timeout option ignored when set to zero

When I define a timeout of 0 in a firewall config ipset rule, the ipset is created without timeout support. The fw3 code checks for “timeout > 0” and therefore ignores the timeout option, while a timeout value of zero is actually valid for ipsets and stands for “indefinite”.

Making an ipset firewall rule with option timeout 0 creates an ipset with timeout support.

device: all (tested on NanoPi R4S)
openwrt version: 21.02-rc4 (custom build), current trunk is also affected

example snippet from /etc/config/firewall

config ipset
        option name 'ssh-access'
        option match 'src_net'
        option family 'ipv6'
        option storage 'hash'
        option timeout '0'
        option loadfile '/etc/ipset/ssh-access.list'

config rule
        option src 'wan'
        option ipset 'ssh-access'
        option dest_port '22'
        option proto 'tcp'
        option target 'ACCEPT'
        option name 'Allow-External-SSH-ipset'
        option family 'ipv6'

Current workaround:

  • set the timeout to any value > 0
  • append “ timeout 0” to all entries in the file loaded by loadfile
Closed by  Kevin 'ldir' Darbyshire-Bryant
18.08.2021 23:23
Reason for closing:  Fixed
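
The second workaround step in the report can be scripted so that no allow-list entry is left to expire with the set's default timeout. This is an added example, not part of the report or of fw3; it assumes the loadfile holds one entry per line and may contain `#` comments and blank lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the OpenWrt tree).
# Assumption: one ipset entry per line; '#' comments and blank lines allowed.

# pin_ipset_entries FILE: print FILE with " timeout 0" appended to every
# entry that carries no explicit timeout. Idempotent: entries that already
# name a timeout are printed unchanged, as are comments and blank lines.
pin_ipset_entries() {
    awk '
    {
        sub(/\r$/, "")        # tolerate CRLF line endings
        sub(/[ \t]+$/, "")    # drop trailing whitespace
    }
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    {
        has_timeout = 0
        for (i = 1; i <= NF; i++)
            if ($i == "timeout") has_timeout = 1
        if (!has_timeout) $0 = $0 " timeout 0"
        print
    }' "$1"
}

# unpinned_entries FILE: print how many entries lack an explicit timeout,
# i.e. how many would inherit the set-wide default and eventually expire.
unpinned_entries() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        for (i = 1; i <= NF; i++)
            if ($i == "timeout") next
        n++
    }
    END { print n + 0 }' "$1"
}

# Constructed sample loadfile (documentation prefixes only).
sample=$(mktemp)
printf '%s\n' '# office ranges' '2001:db8:1::/48' \
    '2001:db8:2::/48 timeout 3600' > "$sample"
pin_ipset_entries "$sample"
rm -f "$sample"
```

Running `unpinned_entries` against the loadfile before a firewall reload gives a quick check that every entry is pinned.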
Project Manager
Kevin 'ldir' Darbyshire-Bryant commented on 14.08.2021 06:28

