Firewall gives warning msgs when kmod-ipt-nat6 is installed

* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'

It looks like fw3 is trying to do something with IPv6 NAT and failing. Maybe it should not do it, as NAT6 is just for special cases.
It is so rare to have IPv6 NAT installed, that it seems to expose a bug in the firewall code. But I do not think that it generates any security risk, as it does not open anything for the outside world.

1 Like

I think the script is trying to convert all the NAT rules existing on IPv4 to IPv6. But not all NAT rules can be converted, e.g. if a rule contains explicit values which are IPv4 only, like an IP (192.xxx.xxx.xxx) or protocol (ipv4).
It will not hurt if those rules are not converted. You just have to be aware of that and do things manually, e.g. if you want a redirect to your server on IPv6 also.

EDIT: As this comment is wrong, please ignore it and go for @vgaetera's comment. 🙂

1 Like

https://bugs.openwrt.org/index.php?do=details&task_id=500

You can utilize NAT6 with one of the following methods:
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

It does not involve IPv4 rules; it fails because of the missing zone-named chains.
These chains should be created in the IPv6 NAT table beforehand, but it is not implemented in the firewall service for some reason.
It works fine if you clone zone-named chains from the IPv4 NAT table as mentioned above.

2 Likes

Hi, @xiaobo,

It has been discussed and there is a bug report opened already. Meanwhile you can fix it with this code in /etc/firewall.user, or in your /etc/firewall.nat6 if you follow the wiki instructions:

# Recreate special user chains from IPv4 NAT tables
iptables-save -t nat | sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" | ip6tables-restore -T nat
iptables-save -t raw | ip6tables-restore -T raw

Kind regards.

1 Like

Thank you, testing found the following errors:

root@OpenWrt:~# iptables-save -t nat | sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d" | ip6tables-restore -T nat
ip6tables-restore v1.8.4 (legacy): The protocol family of set china is IPv4, which is not applicable.

Error occurred at line: 27
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
root@OpenWrt:~# iptables-save -t raw | ip6tables-restore -T raw
ip6tables-restore v1.8.4 (legacy): ip6tables-restore: unable to initialize table 'raw'

Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Two things:

  1. Make sure you do not have your ipset china created before executing these commands.
  2. opkg install kmod-ipt-raw6

Let me know how it goes; these commands have been installed in my OpenWrt for a long time.

1 Like

The code posted by @amteza is an outdated version that doesn't support IPv6 sets.
Use the code from the wiki which supports IPv6 sets:
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6#nat6_simplified
And make sure to create the set china6 along with the china.

3 Likes
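
The thread attributes the warnings to zone-named chains missing from the IPv6 NAT table, and the restore attempt above fails when a copied rule references the IPv4-only set china. The following is an added example, not code from any poster or from the OpenWrt wiki: it copies only the user-defined chain declarations from an IPv4 nat dump and no rules. The function name nat_chains_only and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: declare the IPv4 nat table's user-defined chains for IPv6
# without copying any rule, so IPv4-only matches (addresses, DNAT/SNAT,
# IPv4 ipsets such as "china") never reach ip6tables-restore.

# nat_chains_only (hypothetical helper): reads iptables-save output on stdin
# and writes an ip6tables-restore input that contains chain declarations only.
nat_chains_only() {
    awk '
        # Track which table section we are in; only *nat is of interest.
        /^\*/ { in_nat = ($0 == "*nat"); next }
        # User-defined chains have "-" as policy; built-ins have ACCEPT/DROP.
        in_nat && /^:/ && $2 == "-" { chains[++n] = $1 " - [0:0]" }
        END {
            if (n == 0) exit 1          # nothing to declare: signal failure
            print "*nat"
            for (i = 1; i <= n; i++) print chains[i]
            print "COMMIT"
        }
    '
}

# Constructed sample dump (not captured from a real router).
SAMPLE_DUMP='# constructed iptables-save -t nat output
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:prerouting_lan_rule - [0:0]
:postrouting_wan_rule - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -m set --match-set china dst -j prerouting_lan_rule
-A zone_wan_postrouting -j MASQUERADE
COMMIT'

# Show what would be handed to ip6tables-restore.
printf '%s\n' "$SAMPLE_DUMP" | nat_chains_only

# On the router (assumption: root shell, kmod-ipt-nat6 installed):
#   iptables-save -t nat | nat_chains_only | ip6tables-restore --noflush -T nat
```

Because no rules are carried over, IPv6 redirects or masquerading still have to be added separately, for example by following the wiki section linked above.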
