OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by LLEACHII - 25.05.2017
Last edited by Jo-Philipp Wich - 17.07.2018

FS#806 - Does not equal iptables rule not working

The following was entered in LuCI and confirmed by looking at /etc/config/firewall:

config rule
	option enabled '1'
	option family 'ipv4'
	option proto 'all'
	option src '*'
	option src_ip '!'
	option target 'DROP'
	option name 'Drop_OUT_InvalidSRC'
	option dest '*'
	option extra '-o eth0.2'

I've also made the rule without option extra, and by specifying the dest WAN. The rule never appears on my firewall, but adding it via the Custom Firewall rules works.

Closed by Jo-Philipp Wich
17.07.2018 13:54
Reason for closing: Fixed
Additional comments about closing:

Fixed with https://g;a=commitdiff;h=6e46f6edc4ee8ad127658c55616bb9d32a8f2d1a

Jo-Philipp Wich commented on 26.05.2017 17:01

There are two issues preventing your rule from working with the current firewall implementation.

1) "option extra" has no support for "-i", "-o", "-s" or "-d".

So far, only match-specific options were allowed in "option extra", which causes your
rule to get rejected with "Bad argument" during parsing.

A workaround is to use "option dest wan" instead.

Support for "-i", "-o", "-s" and "-d" has now been added to upstream firewall3.git with

2) "option src_ip" must have no space between the "!" and the IP address.

Since "option src_ip" is parsed as a space-separated list for "config rule" sections,
your "option src_ip '!'" is interpreted as

list src_ip '!'
list src_ip ''

which leads to an error like

Warning: Option @rule[0].src_ip has invalid value '!'

A workaround is to remove the space between the exclamation mark and the address.

A fix for this parsing behavior has been added to upstream firewall3.git with
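
To make the two parsing problems above concrete, here is a small lint over a rule section, added as an illustration and not firewall3's own code. It assumes a rule represented as a dict, splits list-type options on spaces the way the comment describes, and uses the placeholder address 192.0.2.1 since the original value is not on the page.

```python
import ipaddress
import re

# Constructed sample modelled on the rule in this report; the address is a
# placeholder, the reporter's real value is not shown on the page.
SAMPLE_RULE = {
    "src_ip": "! 192.0.2.1",
    "extra": "-o eth0.2",
}

# Options that older firewall3 rejected inside "option extra" with "Bad argument".
UNSUPPORTED_EXTRA = {"-i", "-o", "-s", "-d"}


def split_list_option(value):
    """Mimic the space-separated list handling described in the comment:
    every token separated by a single space becomes its own list entry,
    so '! ' yields '!' followed by an empty entry."""
    return value.split(" ")


def parse_ip_item(item):
    """Return (negated, network) for one list entry, or None if invalid."""
    negated = item.startswith("!")
    addr = item[1:] if negated else item
    try:
        return negated, ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None


def apply_workaround(value):
    """The workaround from the comment: drop the space after '!'."""
    return re.sub(r"!\s+", "!", value)


def lint_rule(rule, section="@rule[0]"):
    """Return warnings for the two issues discussed in this report."""
    warnings = []
    for opt in ("src_ip", "dest_ip"):
        for item in split_list_option(rule.get(opt, "")) if opt in rule else []:
            if parse_ip_item(item) is None:
                warnings.append(f"Option {section}.{opt} has invalid value '{item}'")
    for token in rule.get("extra", "").split():
        if token in UNSUPPORTED_EXTRA:
            warnings.append(f"Option {section}.extra uses {token}; use option "
                            f"src/dest instead on firewall3 without -i/-o/-s/-d support")
    return warnings


if __name__ == "__main__":
    for w in lint_rule(SAMPLE_RULE):
        print("Warning:", w)
```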

LLEACHII commented on 29.05.2017 21:17

The work around (removing the space) places the rule on my iptables!

It seems to hit all packets, but calls that WAN's drop chain. I see zero drops, which is expected (since I have a Custom RAW table rule dropping incoming from the LAN bridge also not equaling the SRC address).

I will test the space parsing in the next release.
