FS#500 - firewall3: missing targets with IPv6 NAT #8534
Comments
hnyman: I think that the firewall fw3 only defines & creates those prerouting/postrouting chains for ipv4, and then later some other part of the firewall (zone rules creation?) also finds the ipv6 NAT table (due to nat6 being installed) and tries to attach similar rules to it as for the ipv4 NAT table, but it fails due to the missing chains. I think that the definition of the pre/postrouting chains for only the ipv4 "family" can be seen from: https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=zones.c;hb=HEAD#l26 https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=defaults.c;hb=HEAD#l25 IPv6 NAT being installed is so rare that it seems to expose a bug in the firewall code.
user1831: Let's solve this problem, NAT is a fundamental feature! I had a look at the executed IPv4 iptables nat commands (fw3 -4 print | grep " nat ") and re-executed those as ip6tables commands. For this purpose, I have changed /etc/init.d/firewall so that the targets above exist before the rules are applied. Unhappily, it didn't solve the problem! I created the targets, but it seems they couldn't be found:
* Populating IPv6 nat table
* Zone 'lan'
Warning: ip6tc_append_entry(): No chain/target/match by that name
Warning: ip6tc_append_entry(): No chain/target/match by that name
* Zone 'wan'
Warning: ip6tc_append_entry(): No chain/target/match by that name
Warning: ip6tc_append_entry(): No chain/target/match by that name
instead of:
* Populating IPv6 nat table
* Zone 'lan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
* Zone 'wan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
Executed after flushing and before re-starting fw3:
ip6tables -t nat -N prerouting_rule
ip6tables -t nat -N postrouting_rule
I found https://github.com/akatrevorjay/openwrt-masq6, but I'm not sure about the ULA prefix (-s "$ula_prefix"). Is this parameter mandatory?
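The workaround user1831 describes above is to pre-create the chains that fw3 only defines in the IPv4 nat table. The script below is an added example, not code from the thread or from firewall3: it derives the expected chain names from a zone list (zone names lan and wan are taken from the warnings quoted above; any other zones are assumptions), compares them against an `ip6tables -t nat -S` listing, and creates only what is missing. The listing embedded in `demo` is constructed for illustration. Note that user1831 reported the warnings only changed to `ip6tc_append_entry()` errors after pre-creating chains, so this addresses the chain-existence part of the problem and is useful mainly as a diagnostic for which chains fw3 left out.

```shell
#!/bin/sh
# Added example: check and create fw3-style prerouting/postrouting chains in the
# ip6tables nat table. Zone names are passed by the caller (assumption: lan, wan).

# expected_chains ZONE...  -> prints the chain names fw3 creates for the IPv4 nat
# table: the global pair plus one pre/post pair per zone.
expected_chains() {
    echo prerouting_rule
    echo postrouting_rule
    for z in "$@"; do
        echo "prerouting_${z}_rule"
        echo "postrouting_${z}_rule"
    done
}

# missing_chains LISTING ZONE...  -> prints the expected chains that do not appear
# in LISTING, where LISTING is the text of `ip6tables -t nat -S` (one "-N name"
# line per user-defined chain).
missing_chains() {
    listing=$1
    shift
    for c in $(expected_chains "$@"); do
        if ! printf '%s\n' "$listing" | grep -qx -- "-N $c"; then
            echo "$c"
        fi
    done
}

# create_missing ZONE...  -> queries the live IPv6 nat table and creates every
# missing chain. Needs root and kmod-ipt-nat6; returns 1 if the nat table is absent.
create_missing() {
    listing=$(ip6tables -t nat -S 2>/dev/null) || return 1
    for c in $(missing_chains "$listing" "$@"); do
        echo "creating ip6tables nat chain $c"
        ip6tables -t nat -N "$c"
    done
}

# demo -> runs missing_chains over a constructed listing (not real router output)
# in which only two of the six expected chains exist.
demo() {
    sample='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N prerouting_rule
-N postrouting_lan_rule'
    missing_chains "$sample" lan wan
}

demo
# Usage on a router (as root), e.g. from a hook before `fw3 reload`:
#   . ./nat6-chains.sh; create_missing lan wan
```

`grep -x` anchors the whole line and `--` stops option parsing so that the `-N` in the pattern is not read as a grep flag; without `-x`, `-N prerouting_rule` would also match `-N prerouting_rule_extra`.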
nwf: Several places in the firewall3 code for handling redirects explicitly reject IPv6, despite what's hinted in the documentation and the... shall we say somewhat aspirational inclusion of a 'family' parameter. Looking at the initial positions that stand out are lines 119, 243, 256-258, 275, 413, 630-631, and 650. All of these would seemingly need IPv6 analogs in order for redirects to work properly. I've taken the wimp's way out and just added what I need to /etc/firewall.user: ip6tables -A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT A userland script maintains the contents of the 'me6' ipset as the union of the addresses assigned to interfaces I want redirected; it's all a big mess, because this machine is both a router and an endpoint with services. In any case, that script is: #!/bin/sh The more usual way that this is done, with "iptables -t nat -A PREROUTING -i $IFACE ... -j DNAT ...", doesn't work if we expect to route across $IFACE to other machines and don't wish to intercept traffic: PREROUTING happens entirely before the local routing decision, so we're looking at packets both intended for us and intended to route across us, and have no easy way of distinguishing; thus, the ipset and script. A similar stunt would, I think, be necessary with ipv4 in a similarly complex situation, but it just happens not to arise as often, AFAICT.
vgaetera: The issue is valid for OpenWrt 18.06. Use cases:
hnyman: Why was this closed? The bug was opened for master in 2017, well before there was 18.06. I diagnosed it a bit in 2017. Somebody a year later mentioned that this is valid for 18.06, but that does not remove the fact that this is still also valid for master (and later 19.07). From the current master:
OpenWrt SNAPSHOT, r15151-13961da6ce
@hnyman I assume this is too old, right? Anyway, try to reproduce it with the latest release and feel free to ask for issue reopening if the problem is still present, thanks.
The PKG_CPE_ID links to NIST CPE version 2.2. Assign PKG_CPE_ID to all remaining package which have a CPE ID. Not every package has CPE id. Related: openwrt#8534 Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
The PKG_CPE_ID links to NIST CPE version 2.2. Assign PKG_CPE_ID to all remaining tools which have a CPE ID. Not every tool has CPE id. Related: openwrt#8534 Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
josephcsible:
When the kmod-ipt-nat6 package is installed, running /etc/init.d/firewall reload or /etc/init.d/firewall restart produces warnings that targets are missing:
* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Zone 'wan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
I tested this on an Archer C7 v2 running LEDE 17.01.0rc2.