This morning I did a clean install of a fresh build of trunk for the bthh5a, a Lantiq xrx200 SoC. I changed only the network WAN zone definition to an NCM wireless internet setup for a Huawei USB LTE modem. Then I enabled wireless and rebooted, SSHed in, and I had internet. LAN clients too.
When I query iptables I see this:

```
1 83 zone_wan_input all -- wwan0 any anywhere anywhere /* !fw3 */
Chain zone_wan_input (1 references)
root@OpenWrt:~#
```
Nothing unusual. As devices connect to the device, the number of chains and the count increase. All fine.
Most of the time when I boot, zone_wan_input shows zeros. When it does not, as described above, it soon reverts to zero. Any ifup of wan or network restart zeros zone_wan_input and it stays that way. The highest number of chains I have seen is 3 and the count 160.
If I use eth.02 as WAN device, zone_wan_input is much more heavily populated even directly after boot, dozens of chains and the count in the thousands.
This behaviour prohibits applying a blocklist to the WAN NCM device using iptables, the excellent banIP app for OpenWrt, and thus represents a serious security threat to those of us in rural communities that get their internet wirelessly.
Is this behaviour a feature of an NCM network or is it a bug? I'm hoping it is the latter.
In any case it is easy to reproduce. All thoughts or insights are most welcome.
I have flushed iptables before reboot with

```
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

but I do not see consistent behaviour when it comes back up; sometimes it's zero, sometimes not.
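As an added example (not part of the original post and not OpenWrt's or banIP's own code), the following POSIX shell snippet parses `iptables -nvL zone_wan_input` style output and reports how many rules in the zone chain are bound to a given interface and how many packets they have matched. This is the check a reader would run after an ifup or a network restart to see whether the chain is actually populated for the NCM device, rather than eyeballing the listing. The sample listing is constructed to match the column layout of `iptables -nvL` and is not captured from the poster's router; the function reads from stdin so it runs offline, and on a live router you would pipe the real listing into it. Note that fw3 rebuilds its zone chains on a firewall reload, so a manual `iptables -F`/`-X` before a reboot does not survive the restart anyway.

```shell
#!/bin/sh
# Added example: summarise the rules of an fw3 zone chain for one interface.
# Input : output of `iptables -nvL <chain>` on stdin (packet/byte counters).
# Output: "<rule_count> <packet_total>" for rules whose in-interface is $1.
zone_rule_summary() {
    dev="$1"
    awk -v dev="$dev" '
        # Skip the "Chain ..." header and the column header line.
        /^Chain / || /^ *pkts / { next }
        # Columns: pkts bytes target prot opt in out source destination ...
        NF >= 9 && $6 == dev { rules++; pkts += $1 }
        END { printf "%d %d\n", rules + 0, pkts + 0 }
    '
}

# Constructed sample, modelled on the layout of `iptables -nvL zone_wan_input`
# (interface names and counters are made up for the example).
SAMPLE='Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   83  6804 ACCEPT     all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    4   240 ACCEPT     udp  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  wwan0  *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 zone_wan_src_REJECT  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */'

# Runs the summary over the constructed sample for the interface given as $1.
sample_summary() {
    printf '%s\n' "$SAMPLE" | zone_rule_summary "$1"
}

# On a live router:  iptables -nvL zone_wan_input | zone_rule_summary wwan0
# On the sample this prints "3 87": three rules bound to wwan0, 87 packets matched.
sample_summary wwan0
```

A result of `0 0` for the NCM interface right after an ifup means fw3 has not (or not yet) attached any rules for that device to the zone chain, which is the condition that would leave a banIP set without a place to hook in.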