Firewall rules not applied during boot

Hi everyone,

I am using a GL.iNet Mango MT300N-v2 with OpenWrt 23.05.5, r24106-10cc5fcd00.

I need to block all UDP traffic to port 10000 from passing between switch ports on my GL.iNet. I have successfully configured firewall rules, and everything works perfectly once the system is fully up and running.

Current Configuration

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option bridge_vlan_filtering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	list ports 'eth0.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Block-UDP-10000-LAN'
	option proto 'udp'
	option src 'lan'
	option dest '*'
	option dest_port '10000'
	option target 'DROP'
	option log '1'

/etc/nftables.conf

table inet filter {
    chain forward {
        type filter hook forward priority 0;
        meta l4proto udp th dport 10000 drop
    }
}

/etc/sysctl.conf

net.bridge.bridge-nf-call-iptables=1

The Problem

Even though the firewall rules correctly block UDP traffic between switch ports after boot, I've noticed that for about 1.5 seconds during boot, UDP packets on port 10000 are allowed to pass between switch ports. Checking logread, I see:

  • 4.5 seconds after power on → the switch is activated:
    Sat Feb  1 09:22:47 2025 kern.info kernel: [    4.575060] rt3050-esw 10110000.esw: port 1 link up

  • 6.2 seconds after power on → the switch is deactivated:
    Sat Feb  1 09:22:47 2025 kern.info kernel: [    6.247007] rt3050-esw 10110000.esw: port 1 link down

  • 10.4 seconds after power on → the switch is activated:
    Sat Feb  1 09:22:47 2025 kern.info kernel: [   10.436324] rt3050-esw 10110000.esw: port 1 link up

  • 18 seconds after the previous messages → the firewall is loaded:
    Sat Feb  1 09:23:05 2025 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
It seems that somewhere within this interval, before the firewall is fully loaded, packets are able to pass between ports.

Question

Since the firewall already blocks this traffic perfectly after boot, is there a way to prevent the switch from being activated until the firewall is fully ready?

Has anyone encountered this issue before or found a way to delay switch activation?

Thanks!
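As an added example (not part of the original post), the script below parses the logread excerpt quoted above and reports, per switch port, the link-up windows that begin before the firewall reload. Kernel lines carry a boot-relative timestamp while the firewall line carries only wall-clock time, so it assumes logd flushed the buffered kernel lines no earlier than the last kernel timestamp; the firewall's boot-relative time is therefore an upper-bound estimate.

```python
import re
from datetime import datetime

# Constructed sample: the logread lines quoted in the post above.
LOGREAD_SAMPLE = """\
Sat Feb  1 09:22:47 2025 kern.info kernel: [    4.575060] rt3050-esw 10110000.esw: port 1 link up
Sat Feb  1 09:22:47 2025 kern.info kernel: [    6.247007] rt3050-esw 10110000.esw: port 1 link down
Sat Feb  1 09:22:47 2025 kern.info kernel: [   10.436324] rt3050-esw 10110000.esw: port 1 link up
Sat Feb  1 09:23:05 2025 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
"""

LINE_RE = re.compile(r"^(?P<wall>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (?P<fac>\S+) (?P<msg>.*)$")
KERN_RE = re.compile(r"^kernel: \[\s*(?P<uptime>\d+\.\d+)\] .*port (?P<port>\d+) link (?P<state>up|down)$")
FW_RE = re.compile(r"^firewall: Reloading firewall")

def parse_wall(text):
    # logread prints "Sat Feb  1 09:22:47 2025"; strptime tolerates the double space.
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def unprotected_windows(log_text):
    """Return (windows, fw_uptime): per-port link-up intervals in seconds since boot
    that started before the firewall reload, plus the estimated reload uptime."""
    open_since = {}          # port -> uptime at which the link came up
    windows = []             # (port, up_at, end_at)
    last_kern = None         # (uptime, wall clock) of the most recent kernel line
    fw_uptime = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        wall, msg = parse_wall(m["wall"]), m["msg"]
        k = KERN_RE.match(msg)
        if k:
            uptime, port = float(k["uptime"]), int(k["port"])
            last_kern = (uptime, wall)
            if k["state"] == "up":
                open_since[port] = uptime
            elif port in open_since:
                windows.append((port, open_since.pop(port), uptime))
        elif FW_RE.match(msg) and last_kern and fw_uptime is None:
            # Assumption: the buffered kernel lines reached logd no earlier than the
            # last kernel timestamp, so this is an upper bound on the reload time.
            fw_uptime = last_kern[0] + (wall - last_kern[1]).total_seconds()
            for port, up_at in open_since.items():
                windows.append((port, up_at, fw_uptime))
            break
    return windows, fw_uptime

def total_exposure(windows):
    # Sum of link-up seconds during which no firewall rules were loaded.
    return round(sum(end - start for _, start, end in windows), 6)
```

Running `unprotected_windows(LOGREAD_SAMPLE)` on the quoted excerpt yields the 4.575 to 6.247 s window and a second window from 10.436 s until the estimated reload at about 28.4 s, which is the interval the reply below asks about.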

I'd bet on item E?

Can you identify exactly which interval? I ask because sometimes this is a bootloader issue, not the main firmware/OS that runs later. While this applies to only certain devices, this might be one of those situations. In that case, in the very early boot stages, before the OS even begins to boot, the switch will come up as a basic unmanaged switch with all ports in a single bridge. There are some units that have a 5-port switch that come up this way, where the wan port is actually part of the switch and that is briefly bridged with the other lan ports (the practical consequence here is that the lan is directly exposed to the wan, and in some cases a lan device might actually grab the IP address issued by the ISP before OpenWrt even loads).
