Firewall reload doesn't work for IP Set

I have the following rule and IP Set in my /etc/config/firewall

config ipset
	option name 'f2bset-v6'
	option family 'ipv6'
	option match 'src_ip'
	option enabled '1'
	list entry '2a01:xxx:xxx:623e::1'

config rule
	option name 'fail2ban-v6'
	option src 'wan'
	option target 'REJECT'
	option proto 'all'
	option family 'ipv6'
	option ipset 'f2bset-v6'

All works well, but when I remove 2a01:xxx:xxx:623e::1 from the list and save /etc/config/firewall the changes are not applied, I still cannot access owrt from 2a01::

I know the firewall is supposed to auto-reload on changes to /etc/config/firewall, but I tried running /etc/init.d/firewall reload as well as fw4 reload, neither of which seems to make it work. The only thing that does work is /etc/init.d/firewall restart. I intend to run a script every 10 minutes appending/removing firewall rules, so restarting shouldn't be a good way to go about things?

Any pointers in the right direction would be appreciated.


Did you try fw4 reload-sets?

Yes, just tried it out now, same result. The moment I run fw4 restart the ipset rule works as expected again.


The problem only seems to occur when elements need to be removed from the set.

Using an external file to populate the set in combination with fw4 reload-sets (not fw4 reload) worked for me.

config ipset
	option name 'f2bset-v6'
	option family 'ipv6'
	option match 'src_ip'
	option enabled '1'
	option loadfile '/etc/fail2banv6.txt'
	
# /etc/fail2banv6.txt
2a01:xxx:xxx:623e::1
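As an added example (not from the thread above, and not part of fw4 or fail2ban), here is a small POSIX shell helper for the loadfile approach: it adds or removes addresses in the loadfile idempotently and runs fw4 reload-sets only when the file actually changed since the last apply, which is what a 10-minute cron job would want. The file path, the stamp path and the reload command are overridable through the environment variables F2B_FILE, F2B_STAMP and FW4_RELOAD_CMD (assumed names); the defaults use the /etc/fail2banv6.txt path from the reply.

```shell
#!/bin/sh
# Maintain the fw4 ipset loadfile (one address per line, '#' comments) and
# reload the sets only when the file changed. Added example, not fw4 code.

f2b_file() { printf '%s\n' "${F2B_FILE:-/etc/fail2banv6.txt}"; }

# Exit 0 if the exact address is already listed, 1 otherwise.
f2b_has() {
    [ -f "$(f2b_file)" ] && grep -qxF -- "$1" "$(f2b_file)"
}

# Append an address; exit 1 (no change) if it is already present.
f2b_add() {
    f2b_has "$1" && return 1
    printf '%s\n' "$1" >> "$(f2b_file)"
}

# Remove an address; exit 1 (no change) if it was not present.
f2b_remove() {
    f2b_has "$1" || return 1
    f="$(f2b_file)"
    grep -vxF -- "$1" "$f" > "$f.tmp" || true   # grep exits 1 when nothing is left
    mv "$f.tmp" "$f"
}

# Number of real entries (blank and comment lines ignored).
f2b_count() {
    [ -f "$(f2b_file)" ] || { echo 0; return 0; }
    grep -cvE '^[[:space:]]*(#|$)' "$(f2b_file)" || true
}

# Run the reload only if the loadfile differs from the last applied copy.
# The copy is kept in a stamp file so repeated cron runs are cheap.
f2b_apply() {
    f="$(f2b_file)"
    stamp="${F2B_STAMP:-/var/run/fail2banv6.applied}"
    [ -f "$f" ] || : > "$f"
    if [ -f "$stamp" ] && cmp -s "$f" "$stamp"; then
        return 0   # nothing changed, skip fw4 reload-sets
    fi
    ${FW4_RELOAD_CMD:-fw4 reload-sets} && cp "$f" "$stamp"
}

# CLI: f2b-ipset.sh add <addr> | remove <addr> | apply
case "${1:-}" in
    add)    f2b_add "$2" && f2b_apply ;;
    remove) f2b_remove "$2" && f2b_apply ;;
    apply)  f2b_apply ;;
esac
```

After a run you can confirm what fw4 actually loaded with nft list set inet fw4 f2bset-v6, since the loadfile is only the intended state; the nft output is the applied one.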
