Initialization of firewall and rule chain

The following information appeared in the system log:

Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done:  * Populating IPv6 nat table
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done:    * Zone 'lan'
Tue Sep  1 11:25:50 2020 daemon.notice procd: /etc/rc.d/S95done:    * Zone 'wan'

I think it should be caused by the newly installed IPv6 NAT module. Excuse me, is the initialization of the firewall and rule chain solidified when the module is compiled, or is it realized through other scripts?

The firewall3 package has no support for IPv6 NAT at all.

3 Likes

It's just not supported by default; it is supported after installing the kmod-ipt-nat6 package. Whether or not to support IPv6 NAT is not the key to where the initialization of the firewall and rule chain is completed. It is solidified in fw3 or a module or is implemented by other scripts.

fw3 does not support managing nat6 rules, nor does it offer any kind of configuration in /etc/config/firewall for it. There are no officially packaged scripts either.

If you want IPv6 MASQUERADE, DNAT or SNAT you need to rely on custom scripting. It will not solve the error you reported though, that one is a bug in fw3 when the IPv6 NAT kmod is installed.

2 Likes

The point of the question is not whether it supports NAT6. By default, iptables only has rule chains such as INPUT, FORWARD, OUTPUT, and there are many custom rule chains in the system, such as input_rule, zone_tincV_input, zone_lan_input, zone_lan_output. I want to know where these custom rule chains are defined and initialized.

https://git.openwrt.org/?p=project/firewall3.git;a=blob;f=zones.c;h=51a8fdf6af58bb51a7ab39d7f04c50145cb9a725;hb=refs/heads/master#l27

1 Like

The chains should be initialized by the fw3 binary itself.
There's no easy way to avoid those warnings, unless you plan to recompile it.
As a simple workaround, you can filter or suppress the output.
Or just safely ignore the warnings until the fw4 release.
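
The "filter or suppress the output" workaround mentioned above, as an added example that is not part of the original post or the fw3 project: a shell filter that hides only the warnings quoted in this thread, and only while fw3 is populating the IPv6 nat table, so any other warning stays visible. The function names and the sample lines are constructed, and `logread` as the input source on the router is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the fw3 project).
# Hide only the fw3 warnings quoted above, and only in the IPv6 nat section.
filter_fw3_nat6_warnings() {
    awk '
    # fw3 announces each table, e.g. "* Populating IPv6 nat table".
    /\* Populating / { in_nat6 = ($0 ~ /\* Populating IPv6 nat table/) }
    # Known-benign case: missing prerouting/postrouting "_rule" hook chains.
    in_nat6 && /fw3_ipt_rule_append\(\): Can.t find target .(pre|post)routing_([A-Za-z0-9_]+_)?rule.$/ {
        dropped++
        next
    }
    { print }
    END {
        if (dropped)
            printf "suppressed %d fw3 nat6 warning(s)\n", dropped > "/dev/stderr"
    }'
}

# Constructed sample in the log format quoted in the thread. The IPv4 lines
# are made up: the same warning outside the IPv6 nat table must stay visible.
sample_log() {
    cat <<'EOF'
procd: /etc/rc.d/S95done:  * Populating IPv4 nat table
procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
procd: /etc/rc.d/S95done:  * Populating IPv6 nat table
procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
procd: /etc/rc.d/S95done: Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
procd: /etc/rc.d/S95done:    * Zone 'lan'
EOF
}

# Demo on the constructed sample. On a router the input would come from the
# system log instead (assumption): logread | filter_fw3_nat6_warnings
sample_log | filter_fw3_nat6_warnings
```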

Understood!

1 Like
