NAT leakage on 22.03 [fw4]

UCI Firewall option masq_allow_invalid seems to be ignored by fw4.
The nft ruleset doesn't change when the option is enabled and packets are leaked, regardless of the setting.

OpenWrt 22.03.0 r19685-512e76967f / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd
firewall4 - 2022-10-14-4fbf6d75-1

I used tcpdump on wan to see packets leaving to the internet (tcpdump -nnpi eth1 src net

To stop the leakage I added a rule:

nft insert rule inet fw4 accept_to_wan ct state invalid drop

I can move this thread to a github issue and provide more details.

If possible, please try the following patch:

AFAIK, nft accepts "ct state" (with a space), not "ctstate".

root@OpenWrt:~# service firewall restart
/dev/stdin:120:36-42: Error: No symbol type information
		meta nfproto ipv4 oifname "eth1" ctstate invalid counter drop comment "!fw4: Prevent NAT leakage"
The rendered ruleset contains errors, not doing firewall restart.

Fixing accordingly zone-drop-invalid.uc the leakage disappears.
Thank you.


Thank you for the test feedback. I fixed the spelling and pushed the change to firewall4.git, the next package bump will include this fix then.

1 Like