Firewall4 issues with multi-protocol port forwards

Continuing the discussion from Firewall4 / NFtables Tips and Tricks:

Now I know what I'm looking for I can reliably reproduce the issue simply by adding a port forward with both TCP and UDP selected.

LuCI seems to default to not specifying a protocol if TCP and UDP are selected, but the UDP rule is always added incorrectly. If I add TCP and then later add UDP, tcp and udp get added via list proto 'xxx' statements, whereas previously they were on a single line using option proto.

It looks like it's always the 2nd protocol that's added wrong though; if I reverse the order, the UDP entry is added first and correctly and the TCP entry is wrong. If no dest_ip is specified then both seem to be added correctly.

I'm using ipq806x on an R7800, although it's a custom build with the patches to enable the NSS cores. I'm pretty sure the patches are unrelated to the issue and had thought this was working previously, but now I think about it, it's entirely possible that TCP was by the slave name server when I fixed a sync issue with a build based on last week's code...
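The symptom above (one of two protocols silently missing from the generated ruleset) is easy to overlook because the redirect looks fine in /etc/config/firewall. As an added example, not code from the thread or from fw4, the script below parses a UCI redirect section in both spellings the post mentions (option proto 'tcp udp' and repeated list proto lines) and checks constructed nft output for one dnat rule per protocol. The UCI stanzas and the nft lines are constructed samples (their shape is modelled on fw4's dstnat chain output, not captured from a device), and the rule matching is a deliberately narrow regex, so it is an assumption that it covers only this rule style.

```python
"""Check that an fw4 port forward produced one dnat rule per configured protocol."""
import re
import shlex

# Constructed sample: the same redirect in the two UCI spellings discussed above.
UCI_OPTION_FORM = """
config redirect
    option name 'web'
    option src 'wan'
    option src_dport '8080'
    option dest 'lan'
    option dest_ip '192.168.1.10'
    option dest_port '80'
    option proto 'tcp udp'
    option target 'DNAT'
"""

UCI_LIST_FORM = """
config redirect
    option name 'web'
    option src 'wan'
    option src_dport '8080'
    option dest 'lan'
    option dest_ip '192.168.1.10'
    option dest_port '80'
    list proto 'tcp'
    list proto 'udp'
    option target 'DNAT'
"""

# Constructed nft output, shaped like `nft list chain inet fw4 dstnat_wan` (not a real capture).
NFT_GOOD = """
meta nfproto ipv4 tcp dport 8080 counter packets 0 bytes 0 dnat ip to 192.168.1.10:80 comment "!fw4: web"
meta nfproto ipv4 udp dport 8080 counter packets 0 bytes 0 dnat ip to 192.168.1.10:80 comment "!fw4: web"
"""

# Same, but reproducing the reported symptom: the second protocol never made it into the ruleset.
NFT_BROKEN = """
meta nfproto ipv4 tcp dport 8080 counter packets 0 bytes 0 dnat ip to 192.168.1.10:80 comment "!fw4: web"
"""

RULE_RE = re.compile(
    r"\b(?P<proto>tcp|udp) dport (?P<sport>\d+) .*dnat ip to (?P<dip>[\d.]+):(?P<dport>\d+)"
)


def parse_redirect(text):
    """Parse one UCI redirect section into a dict; proto is always a list of names."""
    section = {"proto": []}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles the quoted values
        if len(parts) < 3 or parts[0] not in ("option", "list"):
            continue  # skips the 'config redirect' header and blank lines
        kind, key, value = parts[0], parts[1], parts[2]
        if key == "proto":
            # 'option proto' may carry several space-separated protocols;
            # 'list proto' carries one per line. Both end up in the same list.
            section["proto"].extend(value.split())
        elif kind == "option":
            section[key] = value
    return section


def missing_protocols(redirect, nft_text):
    """Return the configured protocols that have no matching dnat rule in nft_text."""
    want_sport = redirect["src_dport"]
    want_dip = redirect.get("dest_ip")
    # Assumption: when dest_port is omitted the forwarded port equals src_dport.
    want_dport = redirect.get("dest_port", want_sport)
    found = set()
    for line in nft_text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        if m["sport"] == want_sport and m["dip"] == want_dip and m["dport"] == want_dport:
            found.add(m["proto"])
    return [p for p in redirect["proto"] if p not in found]


if __name__ == "__main__":
    for label, cfg in (("option form", UCI_OPTION_FORM), ("list form", UCI_LIST_FORM)):
        rd = parse_redirect(cfg)
        print(label, "good ruleset missing:", missing_protocols(rd, NFT_GOOD))
        print(label, "broken ruleset missing:", missing_protocols(rd, NFT_BROKEN))
```

On a router the nft text would come from `nft list chain inet fw4 dstnat_wan` (or the chain for whichever zone the redirect uses), and a non-empty result for a protocol is exactly the condition the first post describes.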

Can reproduce it on an ER-X but not on the local development system using a test case. Will investigate.


It turned out to be a subtle bug in the ucode interpreter. Should be fixed with

Upstream fix:


I've just updated and it's creating rules as expected now, many thanks

Works here too, thanks!

@jow, it seems like firewall4 doesn't reload properly from LuCI; the rules stay intact.

Can you please elaborate on your test process? So far I quickly tested creating and deleting as well as enabling and disabling rules from LuCI which worked.

Seems to work now for me; it might be because of the ucode commit. I just saw another user mentioning it, and I had (apparently) the same issue before.
So all good, I guess...
