FS#710 - Firewall gives warning msgs when kmod-ipt-nat6 is installed #7997

Closed
openwrt-bot opened this issue Apr 13, 2017 · 1 comment

luizluca:

After I installed kmod-ipt-nat6, firewall gives me these messages on every restart:

```
* Populating IPv6 nat table
* Zone 'lan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
* Zone 'wan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
* Zone 'guest'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
```

It looks like fw3 is trying to do something with IPv6 NAT and failing. Maybe it should not do it, as NAT6 is just for special cases. I'm using it in order to be able to connect to openvpn on the router from a lan client.


hnyman:

This was discussed in the forum in February in my R7800 community build thread, and I briefly looked into it then. I copy my investigation results here:

I think that the firewall fw3 only defines & creates those prerouting/postrouting hooks for ipv4, and then later some other part of the firewall finds also the ipv6 NAT table (due to nat6 being installed) and tries to attach similar hook rules to it as for the ipv4 NAT table, but it fails due to the missing hooks.

The definition of the pre/postrouting rules for only ipv4 "V4" family can be seen from:

https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=zones.c;hb=HEAD#l26

https://git.lede-project.org/?p=project/firewall3.git;a=blob;f=defaults.c;hb=HEAD#l25

It is so rare to have IPv6 NAT installed, that it seems to expose a bug in the firewall code.

But I do not think that it generates any security risk, as it does not open anything for the outside world.
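An added example, not part of the original comments and not fw3 code: a shell/awk triage of firewall restart output that attributes each "Can't find target" warning to the table it was printed under and checks that every warning concerns a pre/postrouting hook chain of the IPv6 nat table, the scope described in the comment above. The function names are hypothetical and the sample input is constructed from the messages quoted in this issue.

```shell
#!/bin/sh
# Constructed sample: the messages quoted in this issue, one per line.
sample_fw3_output() {
cat <<'EOF'
 * Populating IPv6 nat table
 * Zone 'lan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
 * Zone 'wan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
 * Zone 'guest'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
EOF
}

# stdin: fw3 output. stdout: "family table hook zone target" per warning.
# The zone is taken from the target name, not from the last "Zone" header:
# the two global chains are reported after the 'guest' header.
missing_targets() {
    awk -v q="'" '
    BEGIN { fam = "-"; tbl = "-" }
    /Populating IPv[46] [a-z]+ table/ {
        for (i = 1; i < NF; i++)
            if ($i == "Populating") { fam = $(i + 1); tbl = $(i + 2) }
        next
    }
    /Can.t find target/ {
        n = split($0, p, q); t = p[n - 1]     # text between the last quotes
        hook = "-"; zone = "-"
        if (t ~ /^(pre|post)routing_(.+_)?rule$/) {
            hook = t; sub(/_.*/, "", hook)
            zone = t; sub(/^[a-z]+_/, "", zone); sub(/_?rule$/, "", zone)
            if (zone == "") zone = "-"        # global chain, no zone
        }
        print fam, tbl, hook, zone, t
    }'
}

# Exit 0 only if every warning is an IPv6 nat pre/postrouting hook chain.
confined_to_ipv6_nat_hooks() {
    missing_targets | awk '
        $1 != "IPv6" || $2 != "nat" || $3 == "-" { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

sample_fw3_output | missing_targets
```

A non-zero exit from `confined_to_ipv6_nat_hooks` means some warning falls outside that scope, for example in a filter table, and should be looked at separately.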
