Firewall4 zone limit

Is there a hard limit on the number of zones for vlans that openwrt x86 22.03.0 can handle? I have the zones for lan, wan and 63 vlans but if I try to add any more vlan firewall zones I get an error on firewall restart. Error below

/etc/init.d/firewall restart
Runtime error: Unable to open source file /usr/share/firewall4/templates/zone-masq.uc: No file descriptors available
In main(), file /usr/share/firewall4/templates/ruleset.uc, line 326, byte 71:
called from function include ([C])
called from function render_ruleset (/usr/share/firewall4/main.uc:56:72)
called from anonymous function (/usr/share/firewall4/main.uc:141:29)

{%+ include("zone-masq.uc", { fw4, zone, family: 4, saddrs, daddrs }) %}
Near here ------------------------------------------------------------------^

/dev/stdin:2408:3-3: Error: syntax error, unexpected end of file

            ^

The rendered ruleset contains errors, not doing firewall restart.

I can then delete any zone in the list and the error goes away. Seems to be a hard limit of 65 zones. Zones are configured like this

config zone
    option name 'vlan500'
    option input 'DROP'
    option output 'ACCEPT'
    option network 'vlan500'

config forwarding
    option src 'vlan500'
    option dest 'wan'

All the interfaces come up and appear in ifconfig so it appears to just be the firewall stopping it.

FWIW, you're missing the forward zone rule.

I forward them in a different rule and have tried adding them in to see if it helps. It doesn't.

No, I mean the intra-zone rule called forward.

Does this have anything to do with the number of zone I can create?

I don't know, in truth. But the reason I bring it up is that I don't know if the zones are expected to have the forward rule... it is standard to have input, output, and forward. I don't know if it will fail if the forward rule is missing.

My point is that you should probably have it defined in every zone.

config zone
    option name 'vlan500'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'vlan500'

Notice the added forward rule... you can change that to drop or reject if you want, but it won't actually matter if there is only one network in the zone.

The other thing you can do is group networks into a set of common zones. For example, if you have, let's say, 10 different networks that should all be isolated from each other and should not have access to the router itself, but should be able to reach the internet, you might construct a zone that looks like this:

config zone
    option name 'isolated-internet-only'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'vlan500'
    list network 'vlan501'
    list network 'vlan502'
    ...
    list network 'vlan509'

By using zones for multiple networks that all have the same general firewall requirements, you can drastically reduce the number of zones you need to set up. You can put in special rules of whatever granularity is required for your needs if certain networks need to be treated slightly differently.

EDIT: fixed a typo in the code block -- changed option network to list network

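As an added illustration of the grouping approach above (this is not code from the thread or from the firewall4 project), the POSIX shell script below generates one consolidated zone for an arbitrary run of VLAN interfaces using `list network`, emits the matching forwarding to `wan` that the original per-VLAN config used, and lints a zone fragment for the `option network` mistake from the thread: UCI treats `option` as single-valued, so repeating `option network` leaves only the last interface in the zone. The function names (`gen_zone`, `vlan_range`, `lint_zone`) and the `vlan500`..`vlan509` range are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: consolidate many VLANs into one
# firewall4 zone and check a zone fragment for repeated 'option network'.

# gen_zone NAME INPUT OUTPUT FORWARD NET... -> prints a UCI zone section
# plus a forwarding section from that zone to 'wan' (as in the thread).
gen_zone() {
    name=$1; input=$2; output=$3; forward=$4
    shift 4
    printf "config zone\n"
    printf "\toption name '%s'\n" "$name"
    printf "\toption input '%s'\n" "$input"
    printf "\toption output '%s'\n" "$output"
    printf "\toption forward '%s'\n" "$forward"
    # Every member must be a 'list network' entry; 'option network'
    # would keep only the last one.
    for net in "$@"; do
        printf "\tlist network '%s'\n" "$net"
    done
    printf "\nconfig forwarding\n"
    printf "\toption src '%s'\n" "$name"
    printf "\toption dest 'wan'\n"
}

# vlan_range PREFIX FIRST LAST -> "vlan500 vlan501 ... vlan509"
vlan_range() {
    i=$2
    while [ "$i" -le "$3" ]; do
        printf "%s%d " "$1" "$i"
        i=$((i + 1))
    done
}

# lint_zone TEXT -> 0 if the zone has at most one 'option network' line,
# 1 if it repeats 'option network' (which should have been 'list network').
lint_zone() {
    n=$(printf '%s\n' "$1" | grep -c "^[[:space:]]*option network " || true)
    if [ "$n" -gt 1 ]; then
        echo "zone repeats 'option network' $n times; use 'list network'" >&2
        return 1
    fi
    return 0
}

# Demo (constructed): ten isolated, internet-only VLANs collapsed into one zone.
zone=$(gen_zone isolated-internet-only REJECT ACCEPT REJECT $(vlan_range vlan 500 509))
printf '%s\n' "$zone"
lint_zone "$zone" && echo "zone OK: $(printf '%s\n' "$zone" | grep -c 'list network') networks"
```

Pipe the generated text into `/etc/config/firewall` (or translate it into `uci add_list firewall.<section>.network=...` calls), then run `fw4 print` before restarting to confirm the ruleset renders.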

I thought by placing all the vlans in one zone it would allow communications between the vlans. I'll give it a go, thank you.

That is the purpose of the forward rule. ACCEPT will allow the different networks to connect to each other, REJECT or DROP will prevent it.

There's definitely some kind of bug here. "No file descriptors available" hints at resource exhaustion; maybe there's a leak somewhere, either in firewall4 itself (unlikely, unless you do have a lot of includes?) or the system as a whole runs out of descriptors because there are so many open files.

Note that you must use the list keyword here:

config zone
    option name 'isolated-internet-only'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'vlan500'
    list network 'vlan501'
    list network 'vlan502'
    ...
    list network 'vlan509'

Ah... thanks. I just copied/pasted the option network bits... but yes, you're absolutely right!

Yes, I discovered that and probably should have replied about it, but I was busy testing.
