
FS#500 - firewall3: missing targets with IPv6 NAT #8534

Closed
openwrt-bot opened this issue Feb 12, 2017 · 7 comments
Labels
flyspray release/18.06 pull request/issue targeted (also) for OpenWrt 18.06 release

Comments

@openwrt-bot

josephcsible:

When the kmod-ipt-nat6 package is installed, running /etc/init.d/firewall reload or /etc/init.d/firewall restart produces warnings that targets are missing:
* Populating IPv6 nat table

  • Zone 'lan'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
  • Zone 'wan'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'

I tested this on an Archer C7 v2 running LEDE 17.01.0rc2.
@openwrt-bot

hnyman:

I think that the firewall fw3 only defines & creates those prerouting/postrouting chains for ipv4, and then later some other part of the firewall (zone rules creation?) finds also the ipv6 NAT table (due to nat6 being installed) and tries to attach similar rules to it as for the ipv4 NAT table, but it fails due to the missing chains.

I think that the definition of the pre/postrouting chains for only ipv4 "family" can be seen from:

https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=zones.c;hb=HEAD#l26

https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=defaults.c;hb=HEAD#l25

IPv6 NAT being installed is so rare, that it seems to expose a bug in the firewall code.

@openwrt-bot

user1831:

Let's solve this problem, NAT is a fundamental feature!

I had a look at the executed IPv4 iptables nat commands (fw3 -4 print | grep " nat ") and re-executed those as ip6tables commands.

For this purpose, I have changed /etc/init.d/firewall so that the targets above are existent before the rules are applied. Unhappily it didn't solve the problem!

I created the targets, but it seems they couldn't be found:

* Populating IPv6 nat table
  * Zone 'lan'
    Warning: ip6tc_append_entry(): No chain/target/match by that name
    Warning: ip6tc_append_entry(): No chain/target/match by that name
  * Zone 'wan'
    Warning: ip6tc_append_entry(): No chain/target/match by that name
    Warning: ip6tc_append_entry(): No chain/target/match by that name

instead of:

* Populating IPv6 nat table
  * Zone 'lan'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
  * Zone 'wan'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'

Executed after flushing and before re-starting fw3:

ip6tables -t nat -N prerouting_rule
ip6tables -t nat -N postrouting_rule

ip6tables -t nat -N zone_lan_postrouting
ip6tables -t nat -N zone_lan_prerouting
ip6tables -t nat -N prerouting_lan_rule
ip6tables -t nat -N postrouting_lan_rule
ip6tables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
ip6tables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule

ip6tables -t nat -N zone_wan_postrouting
ip6tables -t nat -N zone_wan_prerouting
ip6tables -t nat -N prerouting_wan_rule
ip6tables -t nat -N postrouting_wan_rule
ip6tables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
ip6tables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule

I found https://github.com/akatrevorjay/openwrt-masq6, but I'm not sure about ULA prefix (-s "$ula_prefix"). Is this parameter mandatory?
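Added example, not code from this issue or from firewall3: a small POSIX sh script that pulls the missing target names out of the fw3 warnings quoted in this thread and prints the ip6tables commands that would create them, following the zone_<zone>_<hook> -> <hook>_<zone>_rule layout that the ip6tables commands above use for lan and wan. The fw3 output embedded in the script is constructed from the warnings in this thread; the chain naming pattern is taken from the commands above, and the idea that a plain `-N` per missing chain is enough to reproduce fw3's IPv4 layout is an assumption (user1831's report above shows that in his test creating the chains changed the error rather than removing it).

```shell
#!/bin/sh
# Added example: parse fw3's "Can't find target" warnings for the IPv6 nat table
# and emit the ip6tables commands that would create the missing chains.

# Constructed sample of the warnings fw3 prints on reload (shape copied from the issue).
sample_fw3_output() {
  cat <<'EOF'
* Populating IPv6 nat table
  * Zone 'lan'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
  * Zone 'wan'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
EOF
}

# missing_targets: read fw3 output on stdin and print each missing target name
# once, in the order it was first reported.
missing_targets() {
  sed -n "s/.*Can't find target '\([^']*\)'.*/\1/p" | awk '!seen[$0]++'
}

# nat6_create_cmds: for each target name on stdin print the ip6tables commands that
# create it in the nat table. Global targets (prerouting_rule, postrouting_rule) are
# plain user chains; per-zone targets also get the zone_<zone>_<hook> chain and the
# "!fw3: user chain" jump, mirroring the IPv4 layout listed in this thread.
nat6_create_cmds() {
  while IFS= read -r target; do
    case "$target" in
      prerouting_rule|postrouting_rule)
        echo "ip6tables -t nat -N $target"
        ;;
      prerouting_*_rule|postrouting_*_rule)
        hook=${target%%_*}                 # prerouting or postrouting
        zone=${target#*_}; zone=${zone%_rule}
        echo "ip6tables -t nat -N zone_${zone}_${hook}"
        echo "ip6tables -t nat -N $target"
        echo "ip6tables -t nat -A zone_${zone}_${hook} -m comment --comment \"!fw3: user chain for ${hook}\" -j $target"
        ;;
      *)
        echo "# unrecognised target, not handled: $target" >&2
        ;;
    esac
  done
}

# Demo run on the constructed sample; pipe real output in with
#   /etc/init.d/firewall reload 2>&1 | missing_targets | nat6_create_cmds
sample_fw3_output | missing_targets | nat6_create_cmds
```

The script only prints commands; review them before piping them into sh. `ip6tables -N` fails with "Chain already exists" for a chain that is already present, which is harmless here, and the generated chains are empty, so this at most silences the warnings and gives /etc/firewall.user a place to hang IPv6 NAT rules.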

@openwrt-bot

nwf:

Several places in the firewall3 code for handling redirects explicitly reject IPv6, despite what's hinted in the documentation and the... shall we say somewhat aspirational inclusion of a 'family' parameter.

Looking at

https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=redirects.c;h=e651dddef381375a912d4d3882e49b3ef0cdcf21;hb=HEAD

the initial positions that stand out are lines 119, 243, 256-258, 275, 413, 630-631, and 650. All of these would seemingly need IPv6 analogs in order for redirects to work properly.

I've taken the wimp's way out and just added what I need to /etc/firewall.user:

ip6tables -A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -t nat -A PREROUTING -p tcp -m tcp --dport 25 -m set --match-set me6 dst -j DNAT --to-destination '[fdec:...]:25'

A userland script maintains the contents of the 'me6' ipset to the union of the addresses assigned to interfaces I want redirected; it's all a big mess, because this machine is both a router and an endpoint with services. In any case, that script is:

#!/bin/sh
# Merge the current addresses of usb0 with the stream of address changes and keep the me6 ipset in sync
(ip -o -6 mon addr dev usb0 & ip -o -6 a s dev usb0 ; wait) |
awk 'function ssfx(ip) { return gensub(/^([^\/]*)\/.*$/, "\\1", 1, ip) } /^[[:digit:]]+:.*global/{ print "ipset -! add me6 " ssfx($4) } /^Deleted.*global/{ print "ipset -! del me6 " ssfx($5) }' |
sh

The more usual way that this is done, with "iptables -t nat -A PREROUTING -i $IFACE ... -j DNAT ..." doesn't work if we expect to route across $IFACE to other machines and don't wish to intercept traffic: PREROUTING happens entirely before the local routing decision, so we're looking at packets both intended for us and intended to route across us, and have no easy way of distinguishing; thus, the ipset and script. A similar stunt would, I think, be necessary with ipv4 in a similarly complex situation, but it just happens not to arise as often, AFAICT.
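Added example, not nwf's script and not part of the issue: a busybox-compatible version of the same ipset maintenance logic. gensub() is a gawk extension that busybox awk (the default on OpenWrt) does not provide, so the prefix length is stripped with sub() instead, and the parsing is wrapped in a function that can be fed captured `ip -o -6 addr` lines offline. The interface and set names (usb0, me6) follow nwf's script, the sample lines are constructed in the shape of `ip -o -6 addr show` / `ip -o -6 monitor addr` output with documentation-prefix addresses, and the field positions ($4 for a normal line, $5 for a "Deleted" line) are taken from nwf's awk program.

```shell
#!/bin/sh
# Added example: maintain an IPv6 ipset from `ip -o -6 addr` output without gawk.

# Constructed sample lines (shape of `ip -o -6 addr show dev usb0` and of the
# `ip -o -6 monitor addr` stream); only global-scope addresses belong in the set.
sample_ip_lines() {
  cat <<'EOF'
2: usb0    inet6 2001:db8:1::10/64 scope global dynamic noprefixroute \       valid_lft 86391sec preferred_lft 14391sec
2: usb0    inet6 fe80::1234:5678:9abc:def0/64 scope link \       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
Deleted 2: usb0    inet6 2001:db8:1::10/64 scope global dynamic noprefixroute \       valid_lft 86391sec preferred_lft 14391sec
2: usb0    inet6 2001:db8:1::20/64 scope global dynamic noprefixroute \       valid_lft 86391sec preferred_lft 14391sec
EOF
}

# me6_commands [setname]: turn address lines on stdin into "ipset -! add/del" commands.
# Link-local and host-scope addresses are ignored; "/64" style prefix lengths are removed.
me6_commands() {
  awk -v setname="${1:-me6}" '
    function ssfx(ip) { sub(/\/.*$/, "", ip); return ip }      # strip the prefix length
    /^[0-9]+:.*scope global/ { print "ipset -! add " setname " " ssfx($4) }
    /^Deleted.*scope global/ { print "ipset -! del " setname " " ssfx($5) }
  '
}

# run_me6 [dev]: the live pipeline, equivalent to nwf's one-liner. The monitor runs
# in the background, the current addresses are listed once, and both feed the set.
run_me6() {
  dev=${1:-usb0}
  (ip -o -6 monitor addr dev "$dev" & ip -o -6 addr show dev "$dev"; wait) | me6_commands me6 | sh
}

# Demo on the constructed sample: prints the commands instead of running them.
sample_ip_lines | me6_commands
```

The set has to exist before the first add (`ipset create me6 hash:ip family inet6`); `ipset -!` makes repeated adds and deletes of an already handled address non-fatal, which matters because the initial `addr show` listing and the monitor stream can report the same address.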

@openwrt-bot

vgaetera:

The issue is valid for OpenWrt 18.06.

Use cases:

  • DNS6 traffic interception for DNS hijacking.
  • TCP6 and DNS6 traffic interception for Tor client.
  • IPv6 masquerading for dual-stack setup with no prefix, e.g. VPNs, VPSs, some ISPs, etc.

@openwrt-bot

hnyman:

Why was this closed?

Bug has been opened for master in 2017, well before there was 18.06. I have diagnosed it a bit in 2017. Somebody has a year later mentioned that this is valid for 18.06, but that does not remove the fact that this is still also valid for master (and later 19.07.)

From the current master

  • Populating IPv6 nat table
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'

OpenWrt SNAPSHOT, r15151-13961da6ce


@aparcar aparcar added the release/18.06 pull request/issue targeted (also) for OpenWrt 18.06 release label Feb 22, 2022
@ynezz

ynezz commented May 24, 2022

@hnyman I assume this is too old, right? Anyway, try to reproduce it with the latest release and feel free to ask for issue reopening if the problem is still present, thanks.

@ynezz ynezz closed this as completed May 24, 2022
lynxis added a commit to lynxis/openwrt that referenced this issue Sep 18, 2023
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining packages which have a CPE ID.
Not every package has a CPE id.

Related: openwrt#8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
lynxis added a commit to lynxis/openwrt that referenced this issue Sep 18, 2023
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining tools which have a CPE ID.
Not every tool has a CPE id.

Related: openwrt#8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
lynxis added a commit to lynxis/openwrt that referenced this issue Sep 18, 2023
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining packages which have a CPE ID.
Not every package has a CPE id.

Related: openwrt#8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>