LuCI firewall port forwards missing family

efahl · December 13, 2022, 9:09pm

I'm redirecting a port to the router (NTP) and want to grab both IPv4 and IPv6. If I create a rule using "Port Forward", it defaults to IPv4 only (confirmed by both fw4 print and nft list ruleset | grep NTP). If I set the family on the command line and reload, it works as expected

$ uci set firewall.@redirect[0].family=any

$ uci show firewall.@redirect[0]
firewall.cfg0f3837=redirect
firewall.cfg0f3837.target='DNAT'
firewall.cfg0f3837.proto='udp'
firewall.cfg0f3837.src='lan'
firewall.cfg0f3837.src_dport='123'
firewall.cfg0f3837.reflection='0'
firewall.cfg0f3837.name='NTP-on-router'
firewall.cfg0f3837.family='any'

$ fw4 reload
$ nft list ruleset | grep NTP -B1 -A1
        chain dstnat_lan {
                udp dport 123 counter packets 0 bytes 0 redirect to :123 comment "!fw4: NTP-on-router"
        }

But even then, the LuCI page erroneously describes it as an IPv4 rule, which looks like it's hard-coded somewhere:

(The System -> Firewall description is correct, as it's a separate piece of code altogether.)

Am I missing some package that would add address family to port forwards (and I think it's also missing from NAT, too)? If not, where is the source code of record for LuCI? Github or somewhere in https://git.openwrt.org/?a=project_list;pf=project or somewhere else? What's the workflow for creating patches, tests, PRs and submitting them?

dave14305 · December 14, 2022, 12:25am

It is.

github.com

openwrt/luci/blob/master/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/forwards.js#L38


      
          		inv:  m[1],
          		name: (ctHelpers.filter(function(ctH) { return ctH.name.toLowerCase() == m[2].toLowerCase() })[0] || {}).description
          	} : null;
          
          	m = String(uci.get('firewall', s, 'mark')).match(/^(!\s*)?(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
          	var f = m ? {
          		val:  m[0].toUpperCase().replace(/X/g, 'x'),
          		inv:  m[1],
          		num:  '0x%02X'.format(+m[2]),
          		mask: m[3] ? '0x%02X'.format(+m[3]) : null
          	} : null;
          
          	return fwtool.fmt(_('Incoming %{ipv6?%{ipv4?<var>IPv4</var> and <var>IPv6</var>:<var>IPv6</var>}:<var>IPv4</var>}%{proto?, protocol %{proto#%{next?, }%{item.types?<var class="cbi-tooltip-container">%{item.name}<span class="cbi-tooltip">ICMP with types %{item.types#%{next?, }<var>%{item}</var>}</span></var>:<var>%{item.name}</var>}}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}%{helper?, helper %{helper.inv?<var data-tooltip="Match any helper except &quot;%{helper.name}&quot;">%{helper.val}</var>:<var data-tooltip="%{helper.name}">%{helper.val}</var>}}'), {
          		ipv4: ((!family && dip.indexOf(':') == -1) || family == 'any' || (!family && !dip) || family == 'ipv4'),
          		ipv6: ((!family && dip.indexOf(':') != -1) || family == 'any' || family == 'ipv6'),
          		proto: proto,
          		helper: h,
          		mark:   f
          	});
          }

No, but port forwarding is generally an IPv4 thing where NAT was a must-have. The GUI hasn’t caught up with the expanded capabilities of nftables and Kernel 5.10 to easily support IPv6 NAT features.

dave14305 · December 14, 2022, 1:01am

There is a pull request already to add more IPv6 awareness to the GUI.

efahl · December 14, 2022, 1:41am

Aha, that's exactly what I was looking for, I'll grab the changes and try them out.

efahl · December 14, 2022, 3:07am

Well, maybe not... Looks like that PR only has the updates done on the NAT rules construction and validation, the forwards are still lacking support for the "any" address family.