LuCI's Status>Firewall is blank on latest build from master

Running the latest commit from master plus reverted 08d9f6e on RPi4B. The image boots and seems to work without regressions but my firewall status page shows no data relating to my chains/rules.

If I restore my build from a commit from 02-Feb (again having reverted 08d9f6e), the status page is full of data. Is this to be expected?

see PR5652 FW4 WIP

1 Like

Did you check the LuCI commits for pointers?

@anomeome - I was aware of that, but since I reverted the fw4 commit, my image in fact did build with iptables.

@Borromini - I did not browse the commits against luci components.

There is more than a single commit to have come in the pipe.

Maybe I am being crazy trying to retain fw3. If I pull in PR5652 and do not revert the fw4, this is what my .config looks like. It contains both iptables and nftables. I thought that was asking for trouble?

% grep table .config | grep -v '#'
CONFIG_DEFAULT_nftables=y
CONFIG_PACKAGE_libxtables=y
CONFIG_PACKAGE_libxtables-nft=y
CONFIG_PACKAGE_iptables=y
CONFIG_PACKAGE_iptables-mod-ipopt=y
CONFIG_PACKAGE_iptables-nft=y
CONFIG_PACKAGE_nftables-json=y
CONFIG_PACKAGE_tc-mod-iptables=y

@hnyman - Any perspective? Good to use the image from the above config wherein both are selected?

Two things:

with firewall4:
Even with the new firewall4, there will still be an iptables binary in the background in case you (your packages) are using any iptables-mod-xxxx packages (like e.g. SQM does now). However, running "iptables" should actually lead you to "iptables-nft" showing version as "iptables (nftables)".

See the discussion at the end of

trying to revert fw4 and just use fw3
If you revert fw4, you will likely also need to revert all the fw4 oriented changes in packages... or at least investigate them.
E.g. SQM has been modified to pull in iptables-nft since

3 Likes

Thanks @hnyman for the info. I tried using the image I flashed and set up a simple firewall rule to deny a specific IP address access to the WAN. Although it shows active, I can still ping and connect from that device to the WAN, so the firewall is not working properly on the latest build from master for me.

Reverting to the image I built from 02-Feb, wherein fw4 was reverted, does work.

I created this thread to discuss the issue rather than hijacking the original topic which was about the status page. Thanks all!

1 Like

@darksky @hnyman I can confirm this behavior with a build from roughly 2 hours ago (from time of this post)

I have a firewall rule within traffic rules which blocks a range specific to IoT devices from the Internet. After updating to a post-FW4 build, devices in that range are able to access the Internet. Flipping back to the build just prior to FW4 becoming default (i.e. an FW3 build), and Internet is again blocked for those IPs.

Setup:
Protocol: TCP/UDP
Source Zone: lan
Source Addresses: 192.168.1.208/28 and 192.168.1.224/28
Destination Zone: wan
Action: reject

All other fields are default.

1 Like
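Two checks that follow from hnyman's and Edrikk's posts above, as an added example that is not part of the thread or of OpenWrt's own tooling: the /etc/config/firewall stanza equivalent to the LuCI traffic rule (the rule name is an assumption), a classifier for what `iptables -V` prints (iptables-nft reports "(nf_tables)", the legacy binary "(legacy)"), and a grep that tells you whether the rule actually landed in an `nft list ruleset` dump. The sample ruleset, chain name and rule comment are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example for this thread; not code from the OpenWrt project or from
# any poster. Two checks to run on a firewall4 build:
#   1. which backend the "iptables" command on the box really is, and
#   2. whether the LuCI traffic rule from the thread made it into the
#      nft ruleset.
# The sample strings below are constructed; chain name and comment are
# hypothetical.

# Equivalent /etc/config/firewall stanza for the LuCI rule in the thread
# (rule name assumed). Usage: uci_rule_stanza >> /etc/config/firewall
uci_rule_stanza() {
	cat <<'EOF'
config rule
	option name 'Block-IoT-WAN'
	option src 'lan'
	list src_ip '192.168.1.208/28'
	list src_ip '192.168.1.224/28'
	option dest 'wan'
	option proto 'tcp udp'
	option target 'REJECT'
EOF
}

# Classify the output of `iptables -V`: iptables-nft reports "(nf_tables)",
# the legacy binary reports "(legacy)". Usage: iptables_backend "$(iptables -V)"
iptables_backend() {
	case "$1" in
		*"(nf_tables)"*) echo nft ;;
		*"(legacy)"*)    echo legacy ;;
		*)               echo unknown ;;
	esac
}

# Succeed if the ruleset text on stdin has a rule matching source CIDR $1
# with a reject verdict. Handles both "ip saddr 10.0.0.0/8" and the set
# form "ip saddr { a, b }" used for multiple addresses.
# Usage on the router: nft list ruleset | has_reject_rule 192.168.1.208/28
has_reject_rule() {
	esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
	grep -E "ip saddr[[:space:]]+([{][^}]*[[:space:],])?${esc}([[:space:],}]|$)" \
		| grep -q 'reject'
}

# Constructed sample resembling `nft list ruleset` output on a fw4 box.
SAMPLE_RULESET='table inet fw4 {
	chain forward_lan {
		ip saddr { 192.168.1.208/28, 192.168.1.224/28 } meta l4proto { tcp, udp } counter reject comment "!fw4: Block-IoT-WAN"
		jump accept_to_wan
	}
}'

# Run the rule check against the sample; prints "present" or "missing".
check_sample() {
	if printf '%s\n' "$SAMPLE_RULESET" | has_reject_rule "$1"; then
		echo present
	else
		echo missing
	fi
}

# Stand-alone demo
iptables_backend "iptables v1.8.7 (nf_tables)"   # nft
check_sample 192.168.1.224/28                    # present
check_sample 192.168.1.0/24                      # missing
```

On the router, feed the real data instead of the sample: `iptables_backend "$(iptables -V)"` and `nft list ruleset | has_reject_rule 192.168.1.208/28`. `fw4 print` shows the ruleset fw4 would generate from /etc/config/firewall, which separates "the rule was never generated" from "the rule was generated but not loaded"; either way, a rule that LuCI shows as active but that is absent from `nft list ruleset` is a firewall problem, not a status-page display problem.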

@Edrikk - Thanks for confirming. You might want to edit and move your reply to this thread which is specific to the fw4 issue. I edited my post just above yours.

@jow It seems that the latest LuCI head is not yet merged with the main branch, therefore, the snapshot builds still don't have the update you have merged recently.

1 Like
