Configuration syntax changes in v21? Max 11 character fw zone breaks my config

I'm using Ansible to configure OpenWrt. On v19 my VLANs can use a route lookup rule without any issues, but in v20.02 this does not seem to work.

My understanding is that the v21 configuration syntax has changed:

  • 'ifname' is now 'device' (I have fixed this in my ansible playbook)

However, I think other changes have been made: on v19 this same setup works as expected, with VLAN traffic routed over specific tables, but on v20.02 it does not.

uci export network

# Output of `uci export network`: loopback, LAN bridge and WAN interfaces.
# Interfaces use the newer 'device' option rather than 'ifname'.
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc3:ef08:ee27::/48'

# Bridge device br-lan; eth0 is its only listed port.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# LAN on the bridge, static 192.168.44.1/24.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.44.1'

# IPv4 uplink on eth1, addressed by DHCP.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

# IPv6 uplink on the same eth1: an address is requested ('force'),
# a delegated prefix is not ('no').
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix 'no'
        option defaultroute '1'

# Three VLAN interfaces on tagged sub-devices of eth0 (VLAN IDs 666, 100, 200),
# each with a static /24 gateway address.
# NOTE(review): 172.66.6.0/24, 172.100.0.0/24 and 172.200.0.0/24 lie outside
# the RFC 1918 range 172.16.0.0/12, so they overlap publicly routable address
# space; hosts on these VLANs cannot reach the real owners of those addresses.
config interface 'vpn_privacy'
        option device 'eth0.666'
        option netmask '255.255.255.0'
        option ipaddr '172.66.6.1'
        option proto 'static'

config interface 'untrusted'
        option device 'eth0.100'
        option netmask '255.255.255.0'
        option ipaddr '172.100.0.1'
        option ip6assign '64'
        option proto 'static'

config interface 'vms'
        option device 'eth0.200'
        option netmask '255.255.255.0'
        option ipaddr '172.200.0.1'
        option ip6assign '64'
        option proto 'static'

# Policy-routing rules: traffic arriving on the named interface ('in') is
# looked up in the given routing table. Table 30 is the one surfsharktun
# writes to and table 20 the one vpsgw writes to (their ip4table/ip6table).
# NOTE(review): if the looked-up table has no matching route (for example
# while the tunnel is down), Linux continues with the next ip rule, so it is
# presumably the firewall forwardings, not these rules, that keep this traffic
# from leaving via wan - confirm after each deployment.
config rule 'vpn_privacy_routing'
        option priority '30000'
        option lookup '30'
        option in 'vpn_privacy'

config rule 'untrusted_routing'
        option priority '30000'
        option lookup '20'
        option in 'untrusted'

# Unmanaged interface (proto 'none') wrapping tun0; its IPv4 and IPv6 routes
# go into table 30 instead of the main table.
config interface 'surfsharktun'
        option device 'tun0'
        option ip4table '30'
        option ip6table '30'
        option proto 'none'

# WireGuard interface whose routes go into table 20.
# private_key 'x' and the 'x::10/64' address look like redactions by the
# poster. `uci export network` prints the real private key, so redact it
# before sharing the output.
config interface 'vpsgw'
        option private_key 'x'
        list addresses '10.100.100.10/24'
        list addresses 'x::10/64'
        option proto 'wireguard'
        option mtu '1350'
        option ip4table '20'
        option ip6table '20'

# Peer section for vpsgw; its options appear to have been replaced with the
# placeholder 'secret' by the poster.
config wireguard_vpsgw 'wgserver'
        secret

uci export firewall

# Output of `uci export firewall`: global defaults, lan and wan zones.
package firewall

# Global policy. NOTE(review): input is ACCEPT by default, so traffic to the
# router that matches no zone or rule is accepted.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# WAN zone covering wan and wan6, with masquerading and MSS clamping.
# NOTE(review): input is ACCEPT here, so services listening on the router are
# reachable from the WAN side and the Allow-* input rules for 'wan' narrow
# nothing. The usual hardening is input 'REJECT' on this zone plus the
# specific allow rules.
# masq6 is presumably consumed by the /etc/firewall.nat6 include - confirm.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option masq6 '1'

# lan may forward to wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# Allow rules for traffic arriving from the wan zone. Rules without 'dest'
# apply to traffic addressed to the router itself.
# NOTE(review): in this export the wan zone has input 'ACCEPT', so the input
# rules below only matter once that zone policy is tightened.

# DHCPv4 replies to the router's client port.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# IPv4 echo requests to the router.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 replies to the client port, limited to fc00::/6 source and
# destination addresses.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the router, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwarded ICMPv6 from wan to any zone. Disabled (enabled '0'); this export
# shows no family, limit or target for it.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option enabled '0'

# Forward rules from wan into lan for IPsec (ESP and UDP/500).
# NOTE(review): these admit the traffic toward any lan host; drop them if no
# IPsec endpoint sits behind the router.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Rejects UDP 33434-33689 from wan; marked disabled (enabled 'false').
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# Script includes loaded with the firewall; their contents are not shown on
# this page. NOTE(review): include files are shell scripts, presumably run as
# root when the firewall loads, so they should be root-owned and not writable
# by other users.
config include
        option path '/etc/firewall.user'

# Named 'nat6' and flagged to be re-run on firewall reload.
config include
        option path '/etc/firewall.nat6'
        option name 'nat6'
        option reload '1'

# Zone for VLAN 666, bound both by device (eth0.666) and by network.
# The name 'vpn_privacy' is exactly 11 characters, the limit the post ran into.
config zone
        option name 'vpn_privacy'
        option device 'eth0.666'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn_privacy'
        option output 'ACCEPT'

config rule
        option name 'Allow-vlan666-Ping'
        option src 'vpn_privacy'
        option target 'ACCEPT'
        option proto 'icmp'

# No 'dest' and no port restriction: accepts traffic from this VLAN to the
# router itself. Redundant while the zone's input policy is ACCEPT.
config rule
        option name 'vlan666-to-router'
        option src 'vpn_privacy'
        option target 'ACCEPT'

# Only forwarding for this zone: out through the surfsharktun zone.
# 'surfsharktun' is 12 characters; the post reports that this over-length
# zone name silently broke routing until the zone was renamed.
config forwarding
        option dest 'surfsharktun'
        option src 'vpn_privacy'

# Zone for VLAN 100, bound both by device (eth0.100) and by network.
# NOTE(review): despite the name, input is ACCEPT and the 'vlan100-to-router'
# rule accepts everything, so hosts here can reach every service on the
# router. A tighter setup is input 'REJECT' plus allow rules for only the
# services the VLAN needs.
config zone
        option name 'untrusted'
        option device 'eth0.100'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'untrusted'
        option output 'ACCEPT'

config rule
        option name 'Allow-vlan100-Ping'
        option src 'untrusted'
        option target 'ACCEPT'
        option proto 'icmp'

# No 'dest' and no port restriction: accepts traffic from this VLAN to the
# router itself.
config rule
        option name 'vlan100-to-router'
        option src 'untrusted'
        option target 'ACCEPT'

# untrusted may forward to both tunnel zones; there is no forwarding to wan
# or lan.
config forwarding
        option dest 'vpsgw'
        option src 'untrusted'

# 'surfsharktun' is 12 characters, over the 11-character zone-name limit
# described in the post.
config forwarding
        option dest 'surfsharktun'
        option src 'untrusted'

# Zone for VLAN 200, bound both by device (eth0.200) and by network.
config zone
        option name 'vms'
        option device 'eth0.200'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vms'
        option output 'ACCEPT'

config rule
        option name 'Allow-vlan200-Ping'
        option src 'vms'
        option target 'ACCEPT'
        option proto 'icmp'

# No 'dest' and no port restriction: accepts traffic from this VLAN to the
# router itself. Redundant while the zone's input policy is ACCEPT.
config rule
        option name 'vlan200-to-router'
        option src 'vms'
        option target 'ACCEPT'

# vms may forward to lan and to wan.
config forwarding
        option dest 'lan'
        option src 'vms'

config forwarding
        option dest 'wan'
        option src 'vms'

# Tunnel zone on tun0: masquerades outbound traffic, clamps MSS, and rejects
# input and forwarding originating from the tunnel side.
# NOTE(review): the name 'surfsharktun' is 12 characters. The post reports
# that the firewall did not apply this zone, with the error visible only in
# LuCI, until it was renamed to 'surfshark0'. After a deployment, check that
# every zone and forwarding was actually loaded rather than trusting a clean
# exit status.
config zone
        option name 'surfsharktun'
        option network 'surfsharktun'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option device 'tun0'
        option input 'REJECT'
        option mtu_fix '1'

# WireGuard zone with IPv4 masquerading and masq6; input and forward are
# rejected. The device is given as 'vpsgw' - presumably the WireGuard device
# carries the interface's name; confirm.
config zone
        option device 'vpsgw'
        option masq6 '1'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option network 'vpsgw'
        option name 'vpsgw'

The routing table seems to be set up as expected.

root@meow:~# ip route show table 30
default dev tun0 scope link
root@meow:~# ping -I tun0 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=118 time=247.840 ms
64 bytes from 8.8.8.8: seq=1 ttl=118 time=247.042 ms

After some tinkering, I found an error under LuCI > firewall settings > surfsharktun that is not shown anywhere else. Apparently version 20.02 has a character limit that in v19 is either not enforced or not an issue.

After renaming the 'surfsharktun' firewall zone to 'surfshark0', my routing is fixed. I was surprised by this new limitation and was not expecting it - is it documented somewhere? Shouldn't OpenWrt have given an error or failed when trying to set up a firewall zone with a name longer than 11 characters?

There is a length limit for interface names. In addition, prefixes are added automatically for bridges and similar devices, which reduces the maximum length further - so keep names short.