Fw3 ipset config to procd objects

Hello (@jow),

I'm trying to replicate this inside the PROCD definitions:

    procd_open_data
    json_add_array firewall
    json_add_object ""
    json_add_string type ipset
    json_add_string name simple_adblock_ipset
    json_add_string match dest_net
    json_add_string family ipv4
    json_add_string storage hash
    json_add_string enabled 1
    json_close_object
    json_add_object ""
    json_add_string type rule
    json_add_string name simple_adblock_drop_ipset
    json_add_string ipset simple_adblock_ipset
    json_add_string src lan
    json_add_string dest wan
    json_add_string target DROP
    json_add_string enabled 1
    json_close_object
    json_close_array
    procd_close_data

On service restart I can see these entries in data/firewall when I call ubus call service list for my service, however:

  1. ipset doesn't get created (checked with ipset save and when trying to add an entry to the ipset)
  2. I don't see the fw3 rule in iptables (iptables-save | grep test_drop_ipset). This is probably caused by the ipset not existing, however even if I create an ipset manually, this rule doesn't cause any actual iptables entries to be created.

On /etc/init.d/firewall restart I get:

Warning: Warning: ubus rule (ubus:simple-adblock[main] rule 2) refers to unknown ipset 'simple_adblock_ipset'
Warning: Warning: ubus rule (ubus:simple-adblock[main] rule 2) refers to unknown ipset 'simple_adblock_ipset'
 * Deleting ipset ubus:simple-adblock[main] ipset 1
 * Deleting ipset ubus:simple-adblock[main] ipset 1
 * Flushing conntrack table ...
 * Creating ipset ubus:simple-adblock[main] ipset 1
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Syntax error: typename 'ipset' is unknown

AFAIK ipset is pretty strict on names (not even dashes are allowed), so if fw3 tries to create an ipset with the name of ubus:simple-adblock[main] ipset 1 that would certainly be a problem. Is there a way to override it?
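As an added check (my own code, not from the post, procd or fw3), this runs offline against a constructed `ubus call service list` JSON and flags the two failures described above: an ipset object whose name ipset(8) would refuse, and a rule whose `ipset` option refers to a set not declared in the same data. It assumes the `data.firewall` array shape that `procd_open_data` emits and that fw3 accepts `!name src dest`-style ipset references in rules.

```python
import json
import re

# Constructed `ubus call service list` output (not captured from a router): the
# two data/firewall objects from the post, in the JSON shape procd_open_data emits.
GOOD = json.dumps({"simple-adblock": {"instances": {"main": {"data": {"firewall": [
    {"type": "ipset", "name": "simple_adblock_ipset", "match": "dest_net",
     "family": "ipv4", "storage": "hash", "enabled": "1"},
    {"type": "rule", "name": "simple_adblock_drop_ipset", "ipset": "simple_adblock_ipset",
     "src": "lan", "dest": "wan", "target": "DROP", "enabled": "1"}]}}}}})

# Same service, but with the problems seen in the post: an ipset whose effective
# name is the fw3-generated label, and a rule pointing at a set nobody declared.
BAD = json.dumps({"simple-adblock": {"instances": {"main": {"data": {"firewall": [
    {"type": "ipset", "name": "ubus:simple-adblock[main] ipset 1", "storage": "hash"},
    {"type": "rule", "name": "drop", "ipset": "!missing_set dest", "target": "DROP"}]}}}}})

# ipset set names are at most 31 characters (IPSET_MAXNAMELEN is 32 including the
# NUL); the post notes even dashes are rejected, so only [A-Za-z0-9_] is accepted.
IPSET_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,31}$")


def check_firewall_data(service_list_json):
    """Return a list of problems found in every instance's data/firewall array.

    Two checks, matching the two failures from the post: an ipset object whose
    name ipset(8) would refuse, and a rule whose 'ipset' option refers to a set
    not declared in the same data (fw3's "refers to unknown ipset" warning).
    """
    problems = []
    for svc, sdesc in json.loads(service_list_json).items():
        for inst, idesc in sdesc.get("instances", {}).items():
            objs = idesc.get("data", {}).get("firewall", [])
            declared = {o.get("name", "") for o in objs if o.get("type") == "ipset"}
            for idx, obj in enumerate(objs, 1):
                # Label objects the way fw3 does in its warnings: ubus:<svc>[<inst>] <type> <n>
                label = "ubus:%s[%s] %s %d" % (svc, inst, obj.get("type", "?"), idx)
                if obj.get("type") == "ipset" and not IPSET_NAME_RE.match(obj.get("name", "")):
                    problems.append("%s: name %r is not a legal ipset name" % (label, obj.get("name")))
                elif obj.get("type") == "rule" and obj.get("ipset"):
                    # Assumed fw3 reference syntax '!name src dest': keep only the set name.
                    ref = obj["ipset"].split()[0].lstrip("!")
                    if ref not in declared:
                        problems.append("%s: refers to unknown ipset %r" % (label, ref))
    return problems


if __name__ == "__main__":
    for problem in check_firewall_data(BAD):
        print(problem)
```

Feeding it the real output of `ubus call service list` on the router lets you confirm the names and references are sound before restarting the firewall.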

Anyone? @hnyman who else may I tag who would know?

I'm not sure if I have the skills to go through the fw3 source.

It does, of course, work if I just create the regular firewall entries:

    uci -q add firewall ipset
    uci -q set firewall.@ipset[-1].name=simple_adblock_ipset
    uci -q set firewall.@ipset[-1].match=dest_net
    uci -q set firewall.@ipset[-1].storage=hash
    uci -q set firewall.@ipset[-1].enabled=1
    uci -q add firewall rule
    uci -q set firewall.@rule[-1].name=simple_adblock_ipset_reject
    uci -q set firewall.@rule[-1].ipset=simple_adblock_ipset
    uci -q set firewall.@rule[-1].src='*'
    uci -q set firewall.@rule[-1].dest='*'
    uci -q set firewall.@rule[-1].proto=tcp
    uci -q set firewall.@rule[-1].target=REJECT
    uci -q set firewall.@rule[-1].enabled=1

But I'd really like to move it into PROCD objects so I wouldn't have to deal with uci.