Adding an IP to an ipset in fw4 does not work

Hi all,
I have been trying for weeks to add an IP address to a defined ipset. I defined the ipset in LuCI, then I defined the rule in the firewall (LuCI).

The ipset runs with the loadfile option.

That works.

Now I try to add a new IP to the ipset file and reload it.
It only works if I restart the entire network or reboot the BPI.

It does not work with:
uci commit firewall
service firewall restart
fw4 reload
/etc/init.d/firewall reload
/etc/init.d/firewall restart
/sbin/reload_config
fw4 reload-sets also does not work

It only works with:
service network restart
reboot

But this interrupts all network traffic!

Can someone help?

Greetings Steffen

Instead of adding IPs to the file and reloading them, you can add them directly to the ipset:

nft add element inet fw4 "${RULE}" { "${IP}" }

What version of OpenWrt are you running?

There was a known issue with ipsets on some versions.

(Your command won't add the IP into the config though.)


OpenWrt SNAPSHOT r22699-45f5115253 / LuCI Master git-23.104.28202-588c6a1

Kernel: 5.15.109

nft add element inet fw4 "${RULE}" { "${IP}" }

I tried this => and it is added to the ipset, but it does not work until I reload the entire network or reboot the device.

Is it a bug? Or does someone have a trick to make it work?

Does fw4 reload-sets work?

But, why don't you add them directly into your OpenWrt UCI configs for the rule - and simply let the system make the proper nft stanzas for you automatically?

(Also, perhaps this thread will help: [22.03] Translate extra/raw firewall rules - in this thread I successfully converted my ipsets to fw4)

Additionally, 2 examples:

config ipset
        option name 'bogons'
        option match 'src_net'
        list entry '0.0.0.0/8'
        list entry '10.0.0.0/8'
        list entry '100.64.0.0/10'
        list entry '127.0.0.0/8'
        list entry '169.254.0.0/16'
        list entry '172.16.0.0/12'
        list entry '192.0.0.0/24'
        list entry '192.0.2.0/24'
        list entry '192.168.0.0/16'
        list entry '198.18.0.0/15'
        list entry '198.51.100.0/24'
        list entry '203.0.113.0/24'
        list entry '224.0.0.0/4'
        list entry '240.0.0.0/4'

config ipset
        option name 'test'
        option match 'src_net'
        list entry 'xxx.xxx.xxx.xxx'
        option loadfile '/tmp/test_ipset.txt'

(The second example shows how you can additionally use a file with a list of IP/ranges.)

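Combining the two suggestions above (the direct `nft add element` command and the `loadfile` ipset), here is an added example script that is not from this thread or from OpenWrt: it validates the address, appends it to the loadfile so it survives `fw4 reload`, and then inserts it into the running set. It assumes the fw4 set carries the UCI name `test` and the loadfile `/tmp/test_ipset.txt` from the config example above.

```shell
#!/bin/sh
# Added example (not from the thread): add one IPv4 address or CIDR to a fw4
# named set in the live ruleset AND in its loadfile, so the entry takes effect
# immediately and is still there after "fw4 reload".
# Assumptions: the nft set is named like the UCI ipset ("test") and lives in
# table "inet fw4"; the loadfile is the one from the UCI example.
SET_NAME="${SET_NAME:-test}"
LOADFILE="${LOADFILE:-/tmp/test_ipset.txt}"
NFT="${NFT:-nft}"          # set NFT=: to skip the live update (dry run)

# Accept only a dotted-quad IPv4, optionally with a /prefix of 0-32. An address
# scraped from a log line must be checked like this before it is placed on an
# nft command line, otherwise a crafted log entry becomes shell/nft input.
is_ipv4_entry() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Return 0 if the entry is already a line of the loadfile (exact match).
in_loadfile() {
    [ -f "$LOADFILE" ] && grep -Fxq -- "$1" "$LOADFILE"
}

# add_entry IP[/prefix]
# Returns 0 on success, 1 for an invalid entry, 2 if the nft update failed.
add_entry() {
    entry="$1"
    is_ipv4_entry "$entry" || return 1
    # Persist first, so a reload that rebuilds the set from the file keeps it.
    if ! in_loadfile "$entry"; then
        printf '%s\n' "$entry" >> "$LOADFILE"
    fi
    # Then update the running set; adding an element that already exists is
    # harmless, so the script can be re-run safely.
    "$NFT" add element inet fw4 "$SET_NAME" "{ $entry }" || return 2
    return 0
}

# Print the live set for verification after an add.
show_set() {
    "$NFT" list set inet fw4 "$SET_NAME"
}
```

Source the script and call `add_entry 203.0.113.7`, then `show_set` to confirm the element is present without restarting the network.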

That works for me, loading an IP set from a file, using the latest stable OpenWrt release.
Most likely you are doing something wrong; here's a working example:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#dns_over_https


It works instantly for me...

Thu May 25 22:51:28 2023 daemon.err nginx[31282]: 2023/05/25 22:51:28 [error] 31298#0: *93996 directory index of "/www/default/" is forbidden, client: <some_address>, server: , request: "GET / HTTP/1.1", host: "<my_address>"
Thu May 25 22:51:29 2023 user.notice root: BANSPIDER '<some_address>'
Thu May 25 22:51:31 2023 kern.warn kernel: [5189878.649137] FW_BANNED IN=pppoe-wan OUT= MAC= SRC=<some_address> DST=<my_address> LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=30654 DF PROTO=TCP SPT=15182 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0