FS#806 - Does not equal iptables rule not working #6595
Comments
|
jow-: There's two issues preventing your rule to work with the current firewall implementation.
So far, only match specific options were allowed in "option extra" which causes your A workaround is to use "option dest wan" instead. Support for "-i", "-o", "-s" and "-d" has now been added to upstream firewall3.git with http://git.lede-project.org/0e5dd73
Since "option src_ip" is parsed as space separated list for "config rule" sections, A workaround is to remove the space between the exclamation mark and the address. A fix for this parsing behavior has been added to upstream firewall3.git with http://git.lede-project.org/3d2c18a |
|
lleachii: Jo-Philipp, The work around (removing the space) places the rule on my iptables! It seems to hit all packets, but calls the thats WAN's drop chain. I see zero drops, which is expected (since I have a Custom RAW table rule dropping incoming from the LAN bridge also not equaling the SRC address). I will test the space parsing in the next release. Thanks! |
lleachii:
The following was entered in LuCI and confirmed by looking at /etc/config/firewall:
config rule option enabled '1' option family 'ipv4' option proto 'all' option src '*' option src_ip '! 192.168.1.0/24' option target 'DROP' option name 'Drop_OUT_InvalidSRC' option dest '*' option extra '-o eth0.2'I've also made the rule without option extra, and by specifying the dest WAN. The rule never appears on my firewall; but adding it via the Custom Firewall rule is works.
The text was updated successfully, but these errors were encountered: