[22.02] Firewall fw4 issue

Hi all.
I have the following very basic firewall configuration:

root@OpenWrt:/# uci show firewall 
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].custom_chains='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].synflood_rate='25/s'
firewall.@defaults[0].synflood_burst='50'
firewall.@defaults[0].tcp_ecn='1'
firewall.@defaults[0].tcp_syncookies='1'
firewall.@defaults[0].tcp_window_scaling='1'

After committing and typing the reload command:
fw4 reload

an issue occurs (fw4 script equipped with set -x):

root@OpenWrt:/# fw4 reload
+ set -o pipefail
+ MAIN=/usr/share/firewall4/main.uc
+ LOCK=/var/run/fw4.lock
+ STATE=/var/run/fw4.state
+ VERBOSE=
+ '[' -e /dev/stdin ]
+ STDIN=/dev/stdin
+ '[' -t 2 ]
+ export 'TTY=1'
+ '[' -n reload ]
+ break
+ start reload
+ flock -x 1000
+ '[' '!' -f /var/run/fw4.state ]
+ rm -f /var/run/fw4.state
+ nft -f /dev/stdin
+ ACTION=start utpl -S /usr/share/firewall4/main.uc
Section @defaults[0] option 'custom_chains' is not supported by fw4
/dev/stdin:21:8-12: Error: Could not process rule: Not supported
        chain input {
              ^^^^^
/dev/stdin:31:8-14: Error: Could not process rule: Not supported
        chain forward {
              ^^^^^^^
/dev/stdin:39:8-13: Error: Could not process rule: Not supported
        chain output {
              ^^^^^^
/dev/stdin:48:8-17: Error: Could not process rule: Not supported
        chain prerouting {
              ^^^^^^^^^^
/dev/stdin:67:8-13: Error: Could not process rule: Not supported
        chain dstnat {
              ^^^^^^
/dev/stdin:71:8-13: Error: Could not process rule: Not supported
        chain srcnat {
              ^^^^^^
/dev/stdin:80:8-21: Error: Could not process rule: Not supported
        chain raw_prerouting {
              ^^^^^^^^^^^^^^
/dev/stdin:84:8-17: Error: Could not process rule: Not supported
        chain raw_output {
              ^^^^^^^^^^
/dev/stdin:93:8-24: Error: Could not process rule: Not supported
        chain mangle_prerouting {
              ^^^^^^^^^^^^^^^^^
/dev/stdin:97:8-25: Error: Could not process rule: Not supported
        chain mangle_postrouting {
              ^^^^^^^^^^^^^^^^^^
/dev/stdin:101:8-19: Error: Could not process rule: Not supported
        chain mangle_input {
              ^^^^^^^^^^^^
/dev/stdin:105:8-20: Error: Could not process rule: Not supported
        chain mangle_output {
              ^^^^^^^^^^^^^
/dev/stdin:109:8-21: Error: Could not process rule: Not supported
        chain mangle_forward {
              ^^^^^^^^^^^^^^
/dev/stdin:21:8-12: Error: Could not process rule: No such file or directory
        chain input {
              ^^^^^
/dev/stdin:21:8-12: Error: Could not process rule: No such file or directory
        chain input {
              ^^^^^
/dev/stdin:21:8-12: Error: Could not process rule: No such file or directory
        chain input {
              ^^^^^
/dev/stdin:21:8-12: Error: Could not process rule: No such file or directory
        chain input {
              ^^^^^
/dev/stdin:31:8-14: Error: Could not process rule: No such file or directory
        chain forward {
              ^^^^^^^
/dev/stdin:31:8-14: Error: Could not process rule: No such file or directory
        chain forward {
              ^^^^^^^
/dev/stdin:31:8-14: Error: Could not process rule: No such file or directory
        chain forward {
              ^^^^^^^
/dev/stdin:39:8-13: Error: Could not process rule: No such file or directory
        chain output {
              ^^^^^^
/dev/stdin:39:8-13: Error: Could not process rule: No such file or directory
        chain output {
              ^^^^^^
/dev/stdin:39:8-13: Error: Could not process rule: No such file or directory
        chain output {
              ^^^^^^
/dev/stdin:53:20-25: Error: Could not process rule: No such file or directory
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                                 ^^^^^^
/dev/stdin:54:3-8: Error: Could not process rule: No such file or directory
                reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
                ^^^^^^
+ ACTION=includes utpl -S /usr/share/firewall4/main.uc

Thanks in advance for support.

Fabrizio.

Can you remove the following line

firewall.@defaults[0].custom_chains='1'

Do you need it?


Hi.
I don't need it.
I removed it, but the issue is still there.
The problem seems related to the uc file /usr/share/firewall4/main.uc, which calls ./usr/share/firewall4/templates/ruleset.uc.

Hi.
It seems that the nft add command fails for all added rules.

Moreover:

root@OpenWrt:/# nft -i
nft: interactive CLI not supported in this build

Is there some specific package to add?

regards

  • What happens when you reset the router?
  • Are you using custom firewall files or rules?
  • Are you properly using UCI on command line or /etc/config/firewall to make firewall rules?

See:

Hi all.
I checked config-5.15:
CONFIG_NF_TABLES_INET was not set.
After enabling it, nft commands work and fw4 starts correctly.

Thanks.
Fabrizio
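A small audit script for the root cause found above, added here as an example and not part of the thread or of fw4 itself: it checks a kernel .config for the nf_tables options an fw4 inet ruleset depends on. CONFIG_NF_TABLES_INET is the option from the thread; the other option names and the /proc/config.gz path are assumptions about a typical build.

```shell
#!/bin/sh
# Added example, not from the thread: audit a kernel .config for the
# nf_tables options that fw4's inet ruleset depends on. CONFIG_NF_TABLES_INET
# is the option the thread found missing; the other names are assumptions
# about what a ruleset with nat chains and reject rules needs in a typical build.
REQUIRED_NFT_OPTIONS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NFT_NAT CONFIG_NFT_REJECT CONFIG_NFT_REJECT_INET"

# fw4_missing_kconfig <path-to-.config>
# Prints each required option that is neither =y nor =m in the file.
# Returns 0 when everything fw4 needs is enabled, 1 when something is missing.
fw4_missing_kconfig() {
  cfg="$1"
  rc=0
  for opt in $REQUIRED_NFT_OPTIONS; do
    if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
      echo "$opt"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample resembling the thread's config-5.15 before the fix:
# only NF_TABLES_INET is left "not set", so nft cannot create the inet table
# that fw4's ruleset uses, and every chain fails with "Not supported".
BROKEN_CFG=$(mktemp)
cat > "$BROKEN_CFG" <<'EOF'
CONFIG_NF_TABLES=y
# CONFIG_NF_TABLES_INET is not set
CONFIG_NFT_NAT=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
EOF

# Constructed sample after the fix: the same file with the option enabled.
FIXED_CFG=$(mktemp)
sed 's/^# CONFIG_NF_TABLES_INET is not set$/CONFIG_NF_TABLES_INET=y/' "$BROKEN_CFG" > "$FIXED_CFG"

# On a live router (assumed paths) the running kernel's config is available
# as /proc/config.gz when CONFIG_IKCONFIG_PROC is enabled:
#   zcat /proc/config.gz > /tmp/kconfig && fw4_missing_kconfig /tmp/kconfig
```

Running the check before flashing a self-built image catches this class of "Not supported" failure without having to read through an fw4 trace.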

In the future, you may wish to note that you built the image.

Glad you got it working.

Hi.

In the future, you may wish to note that you built the image.

Yes, sorry. Step 0 was to build the image with CONFIG_NF_TABLES_INET enabled.

Thanks for pointing it out.
