All,
I noticed an odd effect (I won't call it a bug) in fw3 firewall parsing...
As I can best word it:
Creating 2 OpenWrt-enumerated interfaces and addressing the second as:
- the same PHY as the first; or
- an alias of the first
...then placing them in different firewall zones - may cause undesired effects.
It seems that the real (or the first, I donno ) interface is placed first in the iptables chains - then the second. This could cause for example:
- a 1st interface that allows INPUT traffic to a specific port on the interface - but has a DROP/REJECT rule on the 2nd (e.g. used for SNAT only)
- A default ALLOW rule on the 1st that is DROP or REJECT on the 2nd interface
- Also, I'm almost sure the final default rule for the traffic is handled anyways, so the loop to the 2nd chain is never hit.
- This would not affect [Port] Forwards for traffic received on those interfaces
Can anyone confirm this behavior is consistent - for example if your /etc/config/network lists the alias first?
I assume most people wouldn't make such a config anyway...
EDIT: this seems to have nothing to do with UCI, fw3 or OpenWrt to be honest - since it seems it's valid iptables syntax. It could be a basic n00b error averted by a warning somewhere?
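The ordering effect described in the post can be reproduced without a router by modelling how iptables walks a chain: rules are evaluated top to bottom, the first terminal target (ACCEPT/DROP/REJECT) wins, and a jump only "returns" to the calling chain if the sub-chain falls off its end. The script below is an added illustration and not code from the poster or from fw3; the chain names `zone_a_input`/`zone_b_input`, the single device `eth0` shared by both zones, the per-zone rules and the zone default policies are all constructed assumptions (real fw3 output has additional `*_src_*`/`*_dest_*` chains, but the first-match behaviour is the same). It shows that for a device bound to two zones, the verdict for a packet is decided entirely by whichever zone chain INPUT jumps to first, and that the second zone chain is only ever reached if the first one has no terminal default rule.

```python
"""Simplified model of iptables first-match evaluation across fw3-style zone chains.

Constructed illustration: chain names, rules and policies below are assumptions,
not generated from any real /etc/config/firewall.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                      # ACCEPT / DROP / REJECT / RETURN, or a user-chain name
    in_iface: Optional[str] = None   # -i match (None = any interface)
    proto: Optional[str] = None      # -p match
    dport: Optional[int] = None      # --dport match

    def matches(self, pkt: dict) -> bool:
        return ((self.in_iface is None or pkt.get("in_iface") == self.in_iface)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


def walk(chains: Dict[str, List[Rule]], name: str, pkt: dict, trace: List[str]) -> Optional[str]:
    """Evaluate chain `name` top to bottom. Returns a terminal verdict, or None if the
    chain fell off its end (or hit RETURN), in which case the caller keeps going."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            trace.append(f"{name}: {rule.target}")
            return rule.target
        if rule.target == "RETURN":
            trace.append(f"{name}: RETURN")
            return None
        trace.append(f"{name} -> {rule.target}")      # jump into a user chain
        verdict = walk(chains, rule.target, pkt, trace)
        if verdict is not None:
            return verdict                            # sub-chain decided; stop here
    return None


def build_chains(zone_order: List[str], zone_policy: Dict[str, Optional[str]],
                 dev: str = "eth0") -> Dict[str, List[Rule]]:
    """Two zones bound to the same device. INPUT jumps to each zone chain in zone_order,
    mimicking the order in which fw3 emits them. zone_policy gives each zone's default
    input target (None = no default rule, so the chain falls through)."""
    chains: Dict[str, List[Rule]] = {
        "INPUT": [Rule("ACCEPT", in_iface="lo")],
        "zone_a_input": [Rule("ACCEPT", proto="tcp", dport=22)],   # assumed: zone a allows ssh
        "zone_b_input": [],                                        # assumed: zone b has no rules
    }
    for zone, policy in zone_policy.items():
        if policy is not None:
            chains[zone].append(Rule(policy))                      # zone default input policy
    for zone in zone_order:
        chains["INPUT"].append(Rule(zone, in_iface=dev))           # -i eth0 -j zone_X_input
    return chains


def verdict_for(zone_order: List[str], zone_policy: Dict[str, Optional[str]],
                pkt: dict) -> Tuple[str, List[str]]:
    """Return (verdict, trace) for a packet under the given zone ordering."""
    trace: List[str] = []
    verdict = walk(build_chains(zone_order, zone_policy), "INPUT", pkt, trace)
    return (verdict if verdict is not None else "DROP (chain policy)"), trace


DEFAULT_POLICY = {"zone_a_input": "REJECT", "zone_b_input": "ACCEPT"}
PKT_HTTP = {"in_iface": "eth0", "proto": "tcp", "dport": 80}   # constructed sample packet
PKT_SSH = {"in_iface": "eth0", "proto": "tcp", "dport": 22}    # constructed sample packet

if __name__ == "__main__":
    for order in (["zone_a_input", "zone_b_input"], ["zone_b_input", "zone_a_input"]):
        for pkt in (PKT_HTTP, PKT_SSH):
            v, t = verdict_for(order, DEFAULT_POLICY, pkt)
            print(f"order={order} dport={pkt['dport']}: {v}  via {' | '.join(t)}")
    # zone a without a default rule: only now does the second zone chain get a say
    v, t = verdict_for(["zone_a_input", "zone_b_input"],
                       {"zone_a_input": None, "zone_b_input": "ACCEPT"}, PKT_HTTP)
    print(f"no default in zone a, dport=80: {v}  via {' | '.join(t)}")
```

Running it shows the same tcp/80 packet on `eth0` is rejected when `zone_a_input` is emitted first and accepted when `zone_b_input` is emitted first, with the trace never mentioning the second chain in either case; removing zone a's default rule is the only way the walk continues into zone b. For a real box, `iptables -L INPUT -v -n --line-numbers` shows the jump order fw3 actually produced, and the packet counters on the zone chains tell you which one is doing the deciding.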