- Status Unconfirmed Reopened
- Percent Complete
- Task Type Bug Report
- Category Base system
- Assigned To No-one
- Operating System All
- Severity Low
- Priority Very Low
- Reported Version openwrt-18.06
- Due in Version Undecided
- Due Date Undecided
- Private
Attached to Project: OpenWrt/LEDE Project
Opened by Joseph C. Sible - 12.02.2017
Last edited by Petr Štetiar - 17.12.2020
FS#500 - firewall3: missing targets with IPv6 NAT
When the kmod-ipt-nat6 package is installed, running /etc/init.d/firewall reload or /etc/init.d/firewall restart produces warnings that targets are missing:
* Populating IPv6 nat table
* Zone 'lan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
* Zone 'wan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
I tested this on an Archer C7 v2 running LEDE 17.01.0rc2.
I think that the firewall fw3 only defines & creates those prerouting/postrouting chains for ipv4, and then later some other part of the firewall (zone rules creation?) finds also the ipv6 NAT table (due to nat6 being installed) and tries to attach similar rules to it as for the ipv4 NAT table, but it fails due to the missing chains.
I think that the definition of the pre/postrouting chains for only ipv4 "family" can be seen from:
https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=zones.c;hb=HEAD#l26
https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=defaults.c;hb=HEAD#l25
IPv6 NAT being installed is so rare, that it seems to expose a bug in the firewall code.
Let's solve this problem, NAT is a fundamental feature!
I had a look at the executed IPv4 iptables nat commands (fw3 -4 print | grep " nat ") and re-executed those as ip6tables commands.
For this purpose, I have changed /etc/init.d/firewall so that the targets above are existent before the rules are applied. Unhappily it didn't solve the problem!
I created the targets, but it seems they couldn't be found:
instead of:
Executed after flushing and before re-starting fw3:
I found https://github.com/akatrevorjay/openwrt-masq6, but I'm not sure about ULA prefix (-s "$ula_prefix"). Is this parameter mandatory?
Several places in the firewall3 code for handling redirects explicitly reject IPv6, despite what's hinted in the documentation and the... shall we say somewhat aspirational inclusion of a 'family' parameter.
Looking at
https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=redirects.c;h=e651dddef381375a912d4d3882e49b3ef0cdcf21;hb=HEAD
the initial positions that stand out are lines 119, 243, 256-258, 275, 413, 630-631, and 650. All of these would seemingly need IPv6 analogs in order for redirects to work properly.
I've taken the wimp's way out and just added what I need to /etc/firewall.user:
A userland script maintains the contents of the 'me6' ipset to the union of the addresses assigned to interfaces I want redirected; it's all a big mess, because this machine is both a router and an endpoint with services. In any case, that script is:
The more usual way that this is done, with "iptables -t nat -A PREROUTING -i $IFACE ... -j DNAT ..." doesn't work if we expect to route across $IFACE to other machines and don't wish to intercept traffic: PREROUTING happens entirely before the local routing decision, so we're looking at packets both intended for us and intended to route across us, and have no easy way of distinguishing; thus, the ipset and script. A similar stunt would, I think, be necessary with ipv4 in a similarly complex situation, but it just happens not to arise as often, AFAICT.
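An added example illustrating the ipset approach described in the comment above; it is not the commenter's script (which is not on the page). It keeps an ipset of the router's own global IPv6 addresses on chosen interfaces and emits a PREROUTING DNAT rule that matches only packets addressed to those addresses, so traffic routed across the interface is untouched. The set name 'me6', the interface names, ports and the sample `ip -6 addr show` output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the bug reporter's script. Assumes ip, ipset and
# ip6tables on the router; the addresses below are documentation prefixes.

# Extract global-scope IPv6 addresses (prefix length stripped) from
# "ip -6 addr show" style text read on stdin.
extract_global_v6() {
    awk '$1 == "inet6" && $4 == "global" { sub(/\/.*/, "", $2); print $2 }'
}

# Emit ipset commands that rebuild set $1 atomically: fill a scratch set,
# swap it in, destroy the old one. Addresses arrive on stdin, one per line.
ipset_refresh_cmds() {
    set_name="$1"
    echo "ipset create ${set_name}_new hash:ip family inet6 -exist"
    echo "ipset flush ${set_name}_new"
    while read -r addr; do
        if [ -n "$addr" ]; then echo "ipset add ${set_name}_new $addr -exist"; fi
    done
    echo "ipset create $set_name hash:ip family inet6 -exist"
    echo "ipset swap ${set_name}_new $set_name"
    echo "ipset destroy ${set_name}_new"
}

# The redirect rule: $1 in-interface, $2 set name, $3 dport, $4 [addr]:port.
# "--match-set $2 dst" restricts DNAT to packets destined for this host,
# which plain "-i $1" in PREROUTING cannot do (it precedes the routing decision).
dnat_rule() {
    echo "ip6tables -t nat -A PREROUTING -i $1 -m set --match-set $2 dst -p tcp --dport $3 -j DNAT --to-destination $4"
}

# Constructed sample of "ip -6 addr show dev br-lan" output (no real hosts).
SAMPLE_IP_OUTPUT='2: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:1::1/64 scope global dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fd00:1::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

# Apply mode (run as root on the router): "./me6.sh apply br-lan eth1"
# rebuilds the set from the live interfaces; add the DNAT rule once, e.g.
# $(dnat_rule br-lan me6 80 '[2001:db8:1:1::10]:8080') in /etc/firewall.user.
if [ "${1:-}" = "apply" ]; then
    shift
    for ifc in "$@"; do ip -6 addr show dev "$ifc"; done \
        | extract_global_v6 | ipset_refresh_cmds me6 | sh -e
fi
```

Rerun the apply step whenever addresses change (e.g. from a hotplug script), since the set only reflects addresses present at the time it was built.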
The issue is valid for OpenWrt 18.06.
Use cases:
Why was this closed?
Bug has been opened for master in 2017, well before there was 18.06. I have diagnosed it a bit in 2017. Somebody mentioned a year later that this is valid for 18.06, but that does not remove the fact that this is still also valid for master (and later 19.07.)
From the current master
* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
OpenWrt SNAPSHOT, r15151-13961da6ce