Adding multiple networks to firewall zone w/ uci-defaults

I am trying to develop some uci-default scripts to add as custom files to my build. Everything works except for adding a second network to an existing firewall zone.

In my script I have:

# add dockerlan to docker zone
uci add_list firewall.docker.network='dockerlan'
uci add_list firewall.docker.network='docker'

this results in the following at first boot:

# uci show firewall.docker
firewall.docker=zone
firewall.docker.input='ACCEPT'
firewall.docker.output='ACCEPT'
firewall.docker.forward='ACCEPT'
firewall.docker.name='docker'
firewall.docker.network='docker'

...but running uci add_list after first boot seems to add the network to the zone just fine:

root@OpenWrt:~# uci add_list firewall.docker.network='dockerlan'
root@OpenWrt:~# uci show firewall.docker
firewall.docker=zone
firewall.docker.input='ACCEPT'
firewall.docker.output='ACCEPT'
firewall.docker.forward='ACCEPT'
firewall.docker.name='docker'
firewall.docker.network='docker' 'dockerlan'

So I am confused as to why uci add_list firewall.docker.network='dockerlan' in my script doesn't add dockerlan to the docker zone.

How do I add a new interface to an existing firewall zone with uci-defaults contributed at build?

What else is in the uci-defaults script?

That does seem like relevant context, huh?

#!/bin/sh

# Configure network interface for Docker
uci set network.dockerlan=interface
uci set network.dockerlan.proto='none'
uci set network.dockerlan.device='docker1'
uci commit

# add dockerlan to docker zone
uci add_list firewall.docker.network='dockerlan'
uci add_list firewall.docker.network='docker'

# Configure firewall forwards for Docker zone
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='docker'
uci set firewall.@forwarding[-1].dest='lan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='docker'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='docker'

# Add redirect rule for luci-http
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='luci-http'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8180'
uci set firewall.@redirect[-1].dest_port='80'

# Add redirect rule for ssh-wan
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='ssh-wan'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='2200'
uci set firewall.@redirect[-1].dest_port='22'

# Add firewall rule for code-server
uci add firewall rule
uci set firewall.@rule[-1].name='code-server'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='8443'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='0'

# Add firewall rule for mxi-agent
uci add firewall rule
uci set firewall.@rule[-1].name='mxi-agent'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='5000'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='0'

# Add redirect rule for dozzle
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='dozzle'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8880'
uci set firewall.@redirect[-1].dest_port='8080'
uci set firewall.@redirect[-1].enabled='0'

# Add firewall rule for mxi-config
uci add firewall rule
uci set firewall.@rule[-1].name='mxi-config'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='8000'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='0'

# Add firewall rule for ttyd (webtty) on port 7681
uci add firewall rule
uci set firewall.@rule[-1].name='ttyd'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='7681'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='1'

# Set system time zone and hostname
uci set system.@system[0].zonename='America/Los_Angeles'
uci set system.@system[0].hostname='OpenWrt'

# Commit the changes
uci commit

Where is the zone docker being created? In the docker init script? Could it be overwriting your changes?

Good question, I see there is no uci add for the docker zone. It is provided by Docker in the background. I had assumed it was present before this script is run, but maybe not.

uci-defaults run at sequence 95 in the startup process. The dockerd init script runs at 99 (after), so that might explain it. Never used docker on the router myself.


The forwards for the docker zone seem to get applied; are those not reliant on the "docker" named zone?

# Configure firewall forwards for Docker zone
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='docker'
uci set firewall.@forwarding[-1].dest='lan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='docker'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='docker'

I'll test it; but if I create the zone here, will dockerd "find" it?

If you create it the same way it would, you might be fine. If it finds the zone pre-existing, it won’t create it again.


Well, I added construction of the docker zone to make sure it is present prior to adding networks:

#!/bin/sh

# Configure network interface for Docker
uci set network.dockerlan=interface
uci set network.dockerlan.proto='none'
uci set network.dockerlan.device='docker1'
uci commit

# add docker firewall zone
uci add firewall zone
uci set firewall.@zone[-1].name='docker'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci add_list firewall.@zone[-1].network='docker'
uci add_list firewall.@zone[-1].network='dockerlan'

# Configure firewall forwards for Docker zone
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='docker'
uci set firewall.@forwarding[-1].dest='lan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='docker'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='docker'

# Add redirect rule for luci-http
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='luci-http'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8180'
uci set firewall.@redirect[-1].dest_port='80'

# Add redirect rule for ssh-wan
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='ssh-wan'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='2200'
uci set firewall.@redirect[-1].dest_port='22'

# Add firewall rule for code-server
uci add firewall rule
uci set firewall.@rule[-1].name='code-server'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='8443'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='0'

# Add firewall rule for mxi-agent
uci add firewall rule
uci set firewall.@rule[-1].name='mxi-agent'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='5000'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='0'

# Add redirect rule for dozzle
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='dozzle'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8880'
uci set firewall.@redirect[-1].dest_port='8080'
uci set firewall.@redirect[-1].enabled='0'

# Add firewall rule for mxi-config
uci add firewall rule
uci set firewall.@rule[-1].name='mxi-config'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='8000'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='0'

# Add firewall rule for ttyd (webtty) on port 7681
uci add firewall rule
uci set firewall.@rule[-1].name='ttyd'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='7681'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='1'

# Set system time zone and hostname
uci set system.@system[0].zonename='America/Los_Angeles'
uci set system.@system[0].hostname='OpenWrt'

# Commit the changes
uci commit

...but that seemed to 1) add an additional zone, also named 'docker', but 2) add dockerlan to the previous docker zone, not this new zone?

Why does uci allow multiple instances with the same name?

Because the uci section names probably end up different. Check with uci show firewall. Add this to your script:

uci rename firewall.@zone[-1]='docker'

So it will have the same zone section name as the init script.
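Putting the answer above into practice, here is an added example (not the poster's script and not part of the thread) of a uci-defaults snippet that first checks `uci show firewall` for any zone whose name is 'docker', renames it to the section name `docker` if it already exists under an anonymous id, creates it as a named section if dockerd has not run yet, and only then adds the networks. The helper names, the `ensure_docker_zone` flow and the section ids in the sample output are my own constructions; the zone settings, interface names and the `uci rename` idea come from the thread.

```shell
# Added example, not the thread's script: make sure a zone named 'docker' exists under
# the UCI section name 'docker' before networks are added to it, whether or not the
# dockerd init script has created it yet. Section ids in the sample are constructed.

# Print the section ids (e.g. "@zone[1]" or "docker") of every firewall zone whose name
# option equals $1, reading `uci show firewall` output on stdin. Rules and redirects
# also have a name option, so only sections declared as type zone are considered.
zone_sections_named() {
    awk -v want="$1" -v q="'" '
        /^firewall\.[^.=]*=zone$/ {              # section header: firewall.<sid>=zone
            sid = $0; sub(/^firewall\./, "", sid); sub(/=zone$/, "", sid); zone[sid] = 1
        }
        /^firewall\.[^.=]*\.name=/ {             # option line: firewall.<sid>.name=<value>
            sid = $0; sub(/^firewall\./, "", sid); sub(/\.name=.*$/, "", sid)
            val = $0; sub(/^[^=]*=/, "", val)
            if (substr(val, 1, 1) == q) val = substr(val, 2, length(val) - 2)  # unquote
            if ((sid in zone) && val == want) print sid
        }'
}

# Constructed `uci show firewall` excerpt mirroring the thread: the docker zone exists
# only as an anonymous section, so firewall.docker.* does not resolve.
SAMPLE_UCI_SHOW="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='docker'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='ssh-wan'"

# Create or adopt the docker zone, then add both networks (del_list first so re-runs
# do not append duplicates). Returns non-zero if two zones are already named docker.
ensure_docker_zone() {
    sids=$(uci show firewall | zone_sections_named docker)
    count=$(printf '%s\n' "$sids" | grep -c . || true)
    case "$count" in
        0)  uci set firewall.docker=zone         # dockerd (seq 99) has not run yet
            uci set firewall.docker.name='docker'
            uci set firewall.docker.input='ACCEPT'
            uci set firewall.docker.output='ACCEPT'
            uci set firewall.docker.forward='ACCEPT' ;;
        1)  [ "$sids" = docker ] || uci rename "firewall.$sids"='docker' ;;
        *)  echo "ensure_docker_zone: $count zones named docker, remove the extras first" >&2
            return 1 ;;
    esac
    for net in docker dockerlan; do
        uci -q del_list firewall.docker.network="$net"; uci add_list firewall.docker.network="$net"
    done
    uci commit firewall
}

if command -v uci >/dev/null 2>&1; then ensure_docker_zone; fi  # the uci-defaults step on OpenWrt
```

Because uci-defaults files are sourced by /etc/init.d/boot and deleted only when they exit 0, the non-zero return on duplicate zones keeps the script in place for the next boot instead of silently leaving two zones named docker.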