Fw3 ipset config to procd objects

Hello (@jow),

I'm trying to replicate this inside the PROCD definitions:

				procd_open_data
				json_add_array firewall
				# ipset object: the set that fw3 should create for this service
				json_add_object ""
				json_add_string type ipset
				json_add_string name simple_adblock_ipset
				json_add_string match dest_net
				json_add_string family ipv4
				json_add_string storage hash
				json_add_string enabled 1
				json_close_object
				# rule object: drop lan->wan traffic whose destination is in the set
				json_add_object ""
				json_add_string type rule
				json_add_string name simple_adblock_drop_ipset
				json_add_string ipset simple_adblock_ipset
				json_add_string src lan
				json_add_string dest wan
				json_add_string target DROP
				json_add_string enabled 1
				json_close_object
				json_close_array
				procd_close_data

On service restart I can see these entries in data/firewall when I call ubus call service list for my service, however:

  1. ipset doesn't get created (checked with ipset save and when trying to add an entry to the ipset)
  2. I don't see the fw3 rule in iptables (iptables-save | grep test_drop_ipset). This is probably caused by the ipset not existing, however even if I create an ipset manually, this rule doesn't cause any actual iptables entries to be created.

On /etc/init.d/firewall restart I get:

Warning: Warning: ubus rule (ubus:simple-adblock[main] rule 2) refers to unknown ipset 'simple_adblock_ipset'
Warning: Warning: ubus rule (ubus:simple-adblock[main] rule 2) refers to unknown ipset 'simple_adblock_ipset'
 * Deleting ipset ubus:simple-adblock[main] ipset 1
 * Deleting ipset ubus:simple-adblock[main] ipset 1
 * Flushing conntrack table ...
 * Creating ipset ubus:simple-adblock[main] ipset 1
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Unknown argument ipset
Try `ipset help' for more information.
ipset v6.38: Syntax error: typename 'ipset' is unknown

AFAIK ipset is pretty strict on names (not even dashes are allowed), so if fw3 tries to create an ipset with the name of ubus:simple-adblock[main] ipset 1 that would certainly be a problem. Is there a way to override it?

Anyone? @hnyman, who else may I tag who would know?

I'm not sure I have the skills to go through the fw3 source.

It does, of course, work if I just create the regular firewall entries:

			uci -q add firewall ipset 
			uci -q set firewall.@ipset[-1].name=simple_adblock_ipset
			uci -q set firewall.@ipset[-1].match=dest_net
			uci -q set firewall.@ipset[-1].storage=hash
			uci -q set firewall.@ipset[-1].enabled=1
			uci -q add firewall rule 
			uci -q set firewall.@rule[-1].name=simple_adblock_ipset_reject
			uci -q set firewall.@rule[-1].ipset=simple_adblock_ipset
			uci -q set firewall.@rule[-1].src='*'
			uci -q set firewall.@rule[-1].dest='*'
			uci -q set firewall.@rule[-1].proto=tcp
			uci -q set firewall.@rule[-1].target=REJECT
			uci -q set firewall.@rule[-1].enabled=1

But I'd really like to move it into PROCD objects so I wouldn't have to deal with uci.

Anyone? Pretty please?

This seems to be a bug in fw3, will look at it later.

Edit: Fixed with https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=5ef9e4f107a94c502908403fdf56cf6bcdc08dd2


Thank you! How can I verify that installed fw3 has this fix so I can fall back to the uci if it doesn't?

Hmm, try this:

if opkg compare-versions "$(sed -ne 's/^Version: //p' /usr/lib/opkg/info/firewall.control)" "<" "2019-09-18"; then
    echo "Firewall is too old"
fi

@jow Fixed this, but got a new bug

iptables -t nat -A set_output -m set --match-set $vt_np_ipset dst -j RETURN
[Another app is currently holding the xtables lock. Perhaps you want to use the -w option?]

https://git.openwrt.org/?p=project/firewall3.git;a=blobdiff;f=ubus.c;h=cf5c8b103d72a9b9f59d764d29e8c09ad64e35a5;hp=bea91665c828f408eb655315140471e15cfdf4e9;hb=383eb58f1750b3b96a82558b5dcb806a8a2528bc;hpb=c26f8907d1d2921018240774b75cf9cfda352fa7

Duplicate: FW3[BUG]: overwrite ipset name error Openwrt r11105-e39d1cf

That led to some issues when the package was being run by opkg during upgrade, so I've used this:

compare_versions() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; }
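Putting the two halves of the thread together, here is an added example (my own code, not from any post above and not part of fw3, procd or simple-adblock) of an init-script helper that gates the procd firewall data on the installed fw3 version and falls back to the uci entries otherwise. It assumes that the fix is present in firewall package versions dated 2019-09-18 or later (the cut-off quoted above), that the version is read from /usr/lib/opkg/info/firewall.control as in the opkg snippet, and that sort -V is available, so the comparison works while opkg itself is being upgraded. The function names are mine.

```shell
#!/bin/sh
# Added example: choose between procd firewall data and uci entries based on
# the installed fw3 version. Assumed cut-off and control-file path below.

FW3_MIN_VERSION='2019-09-18'                      # assumed: first fixed version
FW3_CONTROL='/usr/lib/opkg/info/firewall.control' # opkg control file of fw3

# version_lt A B: succeeds when A sorts strictly before B in sort -V order.
# "2019-09-18-1" is treated as newer than "2019-09-18", matching opkg's view
# that a suffixed release follows the bare date.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# firewall_version [CONTROL_FILE]: print the Version: field of the control
# file (default: the real fw3 one). Fails if the file is unreadable.
firewall_version() {
    [ -r "${1:-$FW3_CONTROL}" ] || return 1
    sed -ne 's/^Version: //p' "${1:-$FW3_CONTROL}"
}

# fw3_ubus_ipset_supported [CONTROL_FILE]: succeeds when fw3 is new enough to
# accept ipset objects from procd data. An unreadable or versionless control
# file is treated as "not supported", which keeps the fallback path safe.
fw3_ubus_ipset_supported() {
    ver="$(firewall_version "$1")" || return 1
    [ -n "$ver" ] || return 1
    if version_lt "$ver" "$FW3_MIN_VERSION"; then return 1; fi
    return 0
}

# select_backend [CONTROL_FILE]: prints "procd" or "uci".
select_backend() {
    if fw3_ubus_ipset_supported "$1"; then echo procd; else echo uci; fi
}

# add_firewall_objects: call from start_service after procd_open_instance.
# On a fixed fw3 the objects live in the service's procd data (and vanish
# with the service); on an older fw3 they are written to /etc/config/firewall.
add_firewall_objects() {
    case "$(select_backend)" in
    procd)
        procd_open_data
        json_add_array firewall
        json_add_object ""
        json_add_string type ipset
        json_add_string name simple_adblock_ipset
        json_add_string match dest_net
        json_add_string family ipv4
        json_add_string storage hash
        json_add_string enabled 1
        json_close_object
        json_add_object ""
        json_add_string type rule
        json_add_string name simple_adblock_drop_ipset
        json_add_string ipset simple_adblock_ipset
        json_add_string src lan
        json_add_string dest wan
        json_add_string target DROP
        json_add_string enabled 1
        json_close_object
        json_close_array
        procd_close_data
        ;;
    uci)
        uci -q add firewall ipset
        uci -q set firewall.@ipset[-1].name=simple_adblock_ipset
        uci -q set firewall.@ipset[-1].match=dest_net
        uci -q set firewall.@ipset[-1].family=ipv4
        uci -q set firewall.@ipset[-1].storage=hash
        uci -q set firewall.@ipset[-1].enabled=1
        uci -q add firewall rule
        uci -q set firewall.@rule[-1].name=simple_adblock_drop_ipset
        uci -q set firewall.@rule[-1].ipset=simple_adblock_ipset
        uci -q set firewall.@rule[-1].src=lan
        uci -q set firewall.@rule[-1].dest=wan
        uci -q set firewall.@rule[-1].target=DROP
        uci -q set firewall.@rule[-1].enabled=1
        uci -q commit firewall
        ;;
    esac
}

# Stand-alone run: report which path this box would take, if fw3 is installed.
if [ -r "$FW3_CONTROL" ]; then
    echo "firewall backend: $(select_backend)"
fi
```

The uci branch mirrors the procd objects (lan to wan, DROP) so that both paths install the same policy; the uci entries persist across restarts, so a matching cleanup in stop_service is needed on that path, whereas procd data is dropped by fw3 when the service goes away.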