OpenWrt/LEDE Project

  • Status: Closed
  • Percent Complete: 100%
  • Task Type: Bug Report
  • Category: Base system
  • Assigned To: No-one
  • Operating System: All
  • Severity: Medium
  • Priority: Very Low
  • Reported Version: Trunk
  • Due in Version: Undecided
  • Due Date: Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by LLEACHII - 25.05.2017
Last edited by Jo-Philipp Wich - 17.07.2018

FS#806 - Does not equal iptables rule not working

The following was entered in LuCI and confirmed by looking at /etc/config/firewall:

config rule
	option enabled '1'
	option family 'ipv4'
	option proto 'all'
	option src '*'
	option src_ip '! 192.168.1.0/24'
	option target 'DROP'
	option name 'Drop_OUT_InvalidSRC'
	option dest '*'
	option extra '-o eth0.2'

I’ve also made the rule without option extra, and by specifying the dest WAN. The rule never appears on my firewall; but adding it via the Custom Firewall rules works.

Closed by Jo-Philipp Wich
17.07.2018 13:54
Reason for closing: Fixed
Additional comments about closing:

Fixed with https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=6e46f6edc4ee8ad127658c55616bb9d32a8f2d1a

Admin
Jo-Philipp Wich commented on 26.05.2017 17:01

There are two issues preventing your rule from working with the current firewall implementation.

1) "option extra" has no support for "-i", "-o", "-s" or "-d".

So far, only match-specific options were allowed in "option extra", which causes your rule to get rejected with "Bad argument" during parsing.

A workaround is to use "option dest wan" instead.

Support for "-i", "-o", "-s" and "-d" has now been added to upstream firewall3.git with http://git.lede-project.org/0e5dd73

2) "option src_ip" must have no space between the "!" and the IP address.

Since "option src_ip" is parsed as a space-separated list for "config rule" sections, your "option src_ip '! 192.168.1.0/24'" is interpreted as

list src_ip '!'
list src_ip '192.168.1.0/24'

which leads to an error like

Warning: Option @rule[0].src_ip has invalid value '!'

A workaround is to remove the space between the exclamation mark and the address.

A fix for this parsing behavior has been added to upstream firewall3.git with http://git.lede-project.org/3d2c18a
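To illustrate the list-splitting behaviour described in the comment above, here is an added Python model (not firewall3's own code) of how a string-valued src_ip option is turned into list items and why '! 192.168.1.0/24' is rejected while '!192.168.1.0/24' parses; the merge_bare_negation step is an assumption about how a parser could tolerate the space, not a description of the upstream commit.

```python
import ipaddress

# Models how firewall3 reads "option src_ip" on a "config rule" section:
# a plain option string for a list-typed field is split on whitespace into
# list items, and each item is then parsed as "[!]address[/prefix]".


def uci_option_to_list(value):
    """A string-valued option for a list field becomes a whitespace-separated list."""
    return value.split()


def parse_address(item, section="@rule[0]", option="src_ip"):
    """Parse one list item; a leading '!' negates the match (iptables '! -s')."""
    negated = item.startswith("!")
    body = item[1:] if negated else item
    try:
        network = ipaddress.ip_network(body, strict=False)
    except ValueError:
        # The failure in the bug report: the bare '!' item carries no address.
        raise ValueError(f"Option {section}.{option} has invalid value '{item}'")
    return negated, network


def merge_bare_negation(items):
    """Assumed tolerant behaviour: a standalone '!' applies to the item after it."""
    merged, i = [], 0
    while i < len(items):
        if items[i] == "!" and i + 1 < len(items):
            merged.append("!" + items[i + 1])
            i += 2
        else:
            merged.append(items[i])
            i += 1
    return merged


def parse_src_ip(value, tolerate_space=False):
    """Return [(negated, network), ...] for one src_ip option value."""
    items = uci_option_to_list(value)
    if tolerate_space:
        items = merge_bare_negation(items)
    return [parse_address(item) for item in items]


def iptables_source_match(value, tolerate_space=False):
    """Render each parsed item as the iptables source-match fragment it maps to."""
    return [("! " if neg else "") + f"-s {net}"
            for neg, net in parse_src_ip(value, tolerate_space)]
```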

LLEACHII commented on 29.05.2017 21:17

Jo-Philipp,

The work around (removing the space) places the rule on my iptables!

It seems to hit all packets, but calls that WAN's drop chain. I see zero drops, which is expected (since I have a Custom RAW table rule dropping incoming from the LAN bridge also not equaling the SRC address).

I will test the space parsing in the next release.

Thanks!
