How to make a firewall include script fault-tolerant?

antonk · February 27, 2024, 3:08pm

Hi folks

For those who don't know yet, I'm developing a project which does geoip blocking via firewall rules.

The way it integrates with OpenWrt is this. At installation time, the following actions are taken:

My scripts are copied into the system and config is set.
The mk-fw-include script is added and run, which makes sure that the firewall include exists and if not then adds it.
The firewall include calls my -run script. The -run script then checks whether required nftables or iptables rules and sets exist and if not then loads them from backup (if backup doesn't exist then the the -run script initiates download of ip lists and creation of new firewall rules and sets).
An init script is added which triggers on system reboot and on firewall reload and calls the mk-fw-include script.
A cron job is added which periodically calls the -run script to check for ip list updates.

All this works fine, as long as nothing went wrong. The problem I'm currently facing is that if something goes wrong in the -run script and it errors out then the system gets stuck at boot for a long time.

Presumably it tries to load the firewall include for a long time before it gives up. Yesterday, while testing on my router, I accidentally removed some essential variables assignment, and after rebooting the router, I thought it got bricked because it wouldn't complete the bootup (the router still uses a fw3+iptables OpenWrt if that matters). Eventually it recovered.

Anyway, the question is: how should I go about preventing a simple error in the script called by the firewall include from almost-bricking the system? Should I make it always exit with status 0, regardless of the actual state, or is there a more elegant solution?

Sorry about the recent questions spam. I'm new to developing for OpenWrt, and while I do RTFM, the documentation is not always clear.

fkl7834456 · February 27, 2024, 3:23pm

That is, as I understand it, your project will block users based on geolocation? It would be better if it were the other way around, unblocking users, it would be much more useful

antonk · February 27, 2024, 3:28pm

It works either in blacklist mode (blocking specific countries) or in whitelist mode (allowing specific countries). And it supports blocking (or allowing) certain ports on each TCP and UDP. So there is a lot of flexibility, and the user decides how to use it (via a user-friendly interface).

fkl7834456 · February 27, 2024, 4:06pm

All this is cool, of course, but your creativity, as always, falls into the wrong hands and ordinary users will be left without normal Internet.
Three people will thank you for this project, but if you do the opposite so that you can bypass the ban, then millions of thanks to you

egc · February 27, 2024, 5:06pm

Maybe run your script in the background so that it does not block further execution?
A script can be run in the background by adding a "&" to the end of the script.

You might want to look at adblock scripts like adblock lean they also download long lists and manipulate those

antonk · February 27, 2024, 5:14pm

dear @fkl7834456

You think my little project will make a big difference to the Internet? Haha
Commercial firewall products have geoip blocking capabilities, these run on an actually large scale.
OpenWrt deserves a proper geoip blocker not less for people who need it.
OpenWrt already has some tools which essentially perform similar tasks, just not in the same way (I won't go into comparison here).
Your replies are off-topic. I understand your concern but it's unfounded, and you are not helping me here.

Lynx · February 27, 2024, 5:14pm

In addition to @egc's suggestion above, please also consider how I handle exactly this situation in cake-qos-simple:

github.com

lynxthecat/cake-qos-simple/blob/3e22ba6f8c7fd2da94f66bef37af3438f0b37116/cake-qos-simple#L137


      
          	then
          		printf "WARNING: config file ${PREFIX}/config already exists.\n"
          		printf "Saving new config file as: '${PREFIX}/config.new'.\n"
          		mv "${PREFIX}/config.tmp" "${PREFIX}/config.new"
          	else
          		printf "Saving new config file as: '${PREFIX}/config'.\n"
          		mv "${PREFIX}/config.tmp" "${PREFIX}/config"
          	fi
          }
          
          gen_nft_rules()
          {
          	load_config
          
          	printf "Generating new default nft.rules file for cake-qos-simple.\n"
          
          	mkdir -p "${PREFIX}"
          
          	cat > "${PREFIX}/nft.rules.tmp" <<-EOT
          	# cake-qos-simple nftables rules

github.com

lynxthecat/cake-qos-simple/blob/3e22ba6f8c7fd2da94f66bef37af3438f0b37116/cake-qos-simple#L61


      
          	if [[ -f "${PREFIX}/config" ]]
          	then
          		. "${PREFIX}/config"
          	else
          		printf "ERROR: no config file identified at: ${PREFIX}/config.\n"
          		printf "Generate default config using 'service cake-qos-simple gen_config'.\n"
          		exit
          	fi
          }
          
          check_nft_rules_file()
          {
          	if ! [[ -f "${PREFIX}/nft.rules" ]]
          	then
          		printf "ERROR: No nft.rules file setup at: ${PREFIX}/nft.rules.\n"
          		printf "Generate default nft.rules file using 'service cake-qos-simple gen_nft_rules'.\n"
          		exit
          	fi
          	printf "Checking validity of nft.rules file.\n"
          
          	if nft -c -f "${PREFIX}/nft.rules"

github.com

lynxthecat/cake-qos-simple/blob/3e22ba6f8c7fd2da94f66bef37af3438f0b37116/cake-qos-simple#L241


      
          }
          
          start()
          {
          	check_nft_rules_file
          
          	# call silenced stop() to remove any conflicting elements
          	stop 1
          
          	printf "\nSetting up nftables rules for cake-qos-simple using: ${PREFIX}/nft.rules.\n"
          	nft -f "${PREFIX}/nft.rules"
          	
          	printf "\nSetting up ingress handle for interface: '${ul_if}'.\n"
          	tc qdisc add dev "${ul_if}" handle ffff: ingress
          
          	# if no dl_if specified, then create appropriate IFB and redirect ingress on $ul_if thereto
          	if [[ -z "${dl_if}" ]]
          	then
          
          		printf "\nNo dl_if specified, so setting up appropriate IFB.\n"
          		dl_if="ifb-${ul_if}"

That is:

generate nft.rules file (using a here document);
check its validity before doing anything using nft -c; and
if all is well, load in the file using nft -f, else error out.

antonk · February 27, 2024, 5:14pm

Thanks, I'll take a look.

antonk · February 27, 2024, 5:26pm

Thanks, I'll take a look into your solution.

antonk · February 28, 2024, 4:21am

Eventually I went with @egc 's suggestion to run the script in background. I don't really want to convert my code into generating nft rules which then would be loaded via an include, for several reasons, including that this adds complexity, and that currently loading a large ruleset with multiple ip lists into nftables at once requires more memory than loading sets one by one, and so is less suitable for memory-constrained devices. Otherwise I think that my script's internal ip lists validation is adequate, and the generated nftables rules are very unlikely to have any issues in them.

system · March 9, 2024, 4:21am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.