Help testing - Different firewall zone but same interface or alias


I noticed an odd effect (I won't call it a bug) in fw3 firewall parsing...

As I can best word it:

Creating 2 OpenWrt-enumerated interfaces and addressing the second as:

  • the same PHY as the first; or
  • an alias of the first

...then placing them in different firewall zones - may cause undesired effects.

It seems that the real (or the first, I dunno :confused: ) interface is placed first in the iptables chains - then the second. This could cause, for example:

  • a 1st interface that allows INPUT traffic to a specific port on the interface - but has a DROP/REJECT rule on the 2nd (e.g. used for SNAT only)
  • A default ALLOW rule on the 1st that is DROP or REJECT on the 2nd interface

  • Also, I'm almost sure the final default rule for the traffic is handled anyways, so the loop to the 2nd chain is never hit.
  • This would not affect [Port] Forwards for traffic received on those interfaces

Can anyone confirm this behavior is consistent - for example if your /etc/config/network lists the alias first?

I assume most people wouldn't make such a config anyway...

EDIT: this seems to have nothing to do with UCI, fw3 or OpenWrt to be honest - since it seems it's valid iptables syntax. It could be a basic n00b error averted by a warning somewhere?

You should not be assigning an IP alias interface to a different zone. It is expected that only the first hit in iptables will have effect.
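A check for the situation described in the post and the reply above, as an added example that is not part of either poster's text or of fw3 itself. It assumes the fw3 convention that the INPUT chain jumps per device into a `zone_<name>_input` chain, and it scans an `iptables -S INPUT` listing for any device that appears in more than one such jump. Because the zone chains end in a terminating verdict, only the first jump for a device ever takes effect; the script names that winning zone and the zones shadowed behind it. The sample listing is constructed for the demonstration (devices, zone names and rule order are made up).

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` on an fw3 router where two logical
# interfaces share the device eth0.2 but sit in different zones ("wan" and
# "guest"); the jump for "wan" was emitted first.
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br-lan -j zone_lan_input
-A INPUT -i eth0.2 -j zone_wan_input
-A INPUT -i eth0.2 -j zone_guest_input'

# Print one line per device that has more than one zone_*_input jump:
#   <device> <winning zone> <shadowed zone> [<shadowed zone> ...]
# The first jump wins because the zone chain it enters ends in a terminating
# ACCEPT/REJECT/DROP, so later jumps for the same device are never reached.
find_shadowed_zone_jumps() {
    printf '%s\n' "$1" |
    awk '
        # Match: -A INPUT -i <dev> -j zone_<name>_input
        $1 == "-A" && $2 == "INPUT" && $3 == "-i" && $6 ~ /^zone_.*_input$/ {
            zone = $6
            sub(/^zone_/, "", zone)
            sub(/_input$/, "", zone)
            dev = $4
            if (dev in first) {
                shadowed[dev] = shadowed[dev] " " zone
            } else {
                first[dev] = zone
                order[++n] = dev
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (d in shadowed) print d, first[d] shadowed[d]
            }
        }'
}

# Stand-alone run over the constructed sample. On a router, pass the live
# listing instead: find_shadowed_zone_jumps "$(iptables -S INPUT)"
find_shadowed_zone_jumps "$SAMPLE_INPUT"
```

On the sample this prints `eth0.2 wan guest`: traffic arriving on eth0.2 is judged by the wan zone's input policy, and whatever the guest zone was meant to allow or reject on that device never applies. An empty result means every device is tied to a single zone in INPUT. The same pattern applies to the FORWARD chain's `zone_<name>_forward` jumps if you want to extend the check.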