Fw4: reject forward doesn't work

I have defined the following zone:

config zone
	option name 'wg_confined'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'wg_confined'

and expect that OpenWrt would not forward anything coming from it, unless enabled by a firewall rule. Surprisingly, this does not work - forwarding is allowed. As a workaround I have defined

config rule
	option name 'wg_confined - reject all'
	option src 'wg_confined'
	option target 'REJECT'
	list proto 'all'
	option dest '*'

however I would like to get to the bottom of this. In nft list ruleset I see:

	chain forward_wg_confined {
[...]
		jump reject_to_wg_confined
	}

	chain reject_to_wg_confined {
		oifname "wg_confined" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wg_confined IPv4/IPv6 traffic"
	}

This does not seem right, since I don't think it should check oifname here. This is coming from here: https://github.com/openwrt/firewall4/blob/18fc0ead19faf06b8ce7ec5be84957278e942dfa/root/usr/share/firewall4/templates/ruleset.uc#L243

So I wonder if it's a bug in the firewall4 package, or if I'm configuring it wrong, or there is no way to do what I want (zone with default reject all)?

Since accept and reject are terminal immediates (unlike goto and jump), the first matching rule exits the ruleset.

What's the full firewall config?


The zone forward rule controls traffic between interfaces inside a single zone, not forwarding between zones.

Forwarding between zones is controlled in general with firewall forwards, or more precisely with individual rules.
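To make that distinction concrete, here is an added example (not code from the thread or from the firewall4 project): a small parser over a constructed UCI firewall config that reports, per zone, the intra-zone `forward` policy separately from the inter-zone paths opened by `config forwarding` sections. The sample config is constructed for this example and assumes the quoted `option`/`list` syntax used in the original post.

```python
"""Summarise fw4/UCI forwarding policy: intra-zone vs. inter-zone."""
import re

# Constructed sample, modelled on the zone from the thread. The zone's
# forward=REJECT only governs traffic between interfaces *inside*
# wg_confined; the explicit 'config forwarding' is what opens wg_confined -> lan.
SAMPLE_CONFIG = """
config zone
	option name 'wg_confined'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'wg_confined'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'wg_confined'
	option dest 'lan'
"""


def parse_uci(text):
    """Return a list of (section_type, {key: value}) for single-quoted UCI values."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
        elif sections:
            m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'", line)
            if m:
                sections[-1][1][m.group(2)] = m.group(3)
    return sections


def forwarding_summary(text):
    """Map zone name -> {'intra': forward policy, 'inter': [dest zones]}."""
    sections = parse_uci(text)
    zones = {opts["name"]: {"intra": opts.get("forward", "unset"), "inter": []}
             for kind, opts in sections if kind == "zone"}
    for kind, opts in sections:
        if kind == "forwarding" and opts.get("src") in zones:
            zones[opts["src"]]["inter"].append(opts["dest"])
    return zones
```

Running `forwarding_summary(SAMPLE_CONFIG)` shows wg_confined with intra-zone policy REJECT yet an inter-zone path to lan, which is the situation the answer above describes.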
