I've noticed that the NAT6 script here: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6 doesn't seem to be working entirely as it should. It works, but I was recently looking at the masq6_privacy option and realised it wasn't working fully. Part of the script is failing.
It would seem:
config_list_foreach "${config}" network masq6_network line
Returns nothing and hence the masq6_network function never gets called, as the temporary IPv6 address and RA settings don't ever get set.
I enabled xtrace and this is what is happening with the config_list_foreach call:
+ local 'DONE_NETWORK_DEVICES='
+ config_list_foreach cfg03dc81 network masq6_network
+ '[' 3 -ge 3 ]
+ local 'section=cfg03dc81'
+ shift
+ local 'option=network'
+ shift
+ local 'function=masq6_network'
+ shift
+ local val
+ local len
+ local 'c=1'
+ config_get len cfg03dc81 network_LENGTH
+ eval export -n -- 'len=${CONFIG_cfg03dc81_network_LENGTH:-${4}}'
+ export -n -- 'len='
+ '[' -z ]
+ return 0
The log output shows this:
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg02dc81" zone="lan" zone_masq6="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg03dc81" zone="wan" zone_masq6="1".
Sun Nov 22 12:33:15 2020 user.notice nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="1".
Sun Nov 22 12:33:15 2020 user.notice nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy="1"
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wan_input" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wan_forward" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Done setting up nat6 for zone="wan" on devices:
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg05dc81" zone="guest" zone_masq6="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg07dc81" zone="vpn" zone_masq6="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg09dc81" zone="wireguard" zone_masq6="1".
Sun Nov 22 12:33:15 2020 user.notice nat6: Found firewall zone_name="wireguard" with zone_masq6="1" zone_masq6_privacy="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Setting up masquerading nat6 for zone_name="wireguard" with zone_masq6_privacy="0"
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wireguard_postrouting" contains our MASQUERADE.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wireguard_input" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wireguard_forward" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Done setting up nat6 for zone="wireguard" on devices:
Notice the "Done setting up" part is blank, with no reference to the network interfaces.
Each item within network needs to be quoted and separated as an individual item for the loop function to work then. That seems to be the change performed.
LuCI seems to have created the single line format at some point.
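The behaviour discussed in this thread, as an added example that is not part of the original posts or the wiki script: it simulates the CONFIG_* variables the UCI loader exposes for `option network 'wan wan6'` versus `list network` entries, and shows that a list iterator sees nothing for the option form while splitting the flat value works for both. The helper bodies are simplified stand-ins for /lib/functions.sh, and `config_words_foreach`, `collect`, `run` and the section names `zoneopt`/`zonelist` are hypothetical.

```shell
#!/bin/sh
# Added example. The CONFIG_<section>_<option>_LENGTH name follows the xtrace
# above; the _ITEMn names and the helper bodies below are simplified stand-ins
# (assumptions), not the real OpenWrt /lib/functions.sh.

config_get() {  # config_get VAR SECTION OPTION
    eval "$1=\${CONFIG_$2_$3:-}"
}

config_list_foreach() {  # config_list_foreach SECTION OPTION CALLBACK
    _clf_len=; _clf_i=1
    config_get _clf_len "$1" "$2_LENGTH"
    [ -z "$_clf_len" ] && return 0      # no list metadata: silently does nothing
    while [ "$_clf_i" -le "$_clf_len" ]; do
        config_get _clf_val "$1" "$2_ITEM$_clf_i"
        "$3" "$_clf_val"
        _clf_i=$((_clf_i + 1))
    done
}

# Hypothetical helper that handles both forms: read the flat value, split on whitespace.
config_words_foreach() {  # config_words_foreach SECTION OPTION CALLBACK
    config_get _cwf_words "$1" "$2"
    for _cwf_w in $_cwf_words; do "$3" "$_cwf_w"; done
}

SEEN=
collect() { SEEN="${SEEN:+$SEEN }$1"; }   # stand-in for masq6_network

# Constructed zone written as: option network 'wan wan6'
CONFIG_zoneopt_network='wan wan6'
# Constructed zone written as: list network 'wan' / list network 'wan6'
CONFIG_zonelist_network='wan wan6'
CONFIG_zonelist_network_LENGTH=2
CONFIG_zonelist_network_ITEM1='wan'
CONFIG_zonelist_network_ITEM2='wan6'

run() {  # run ITERATOR SECTION -> prints the networks the callback saw
    SEEN=
    "$1" "$2" network collect
    printf '%s\n' "$SEEN"
}

echo "list_foreach  on option: [$(run config_list_foreach zoneopt)]"
echo "list_foreach  on list:   [$(run config_list_foreach zonelist)]"
echo "words_foreach on option: [$(run config_words_foreach zoneopt)]"
echo "words_foreach on list:   [$(run config_words_foreach zonelist)]"
```

The empty first result corresponds to the blank "on devices:" line in the log: the rules are installed but the per-interface privacy settings are skipped without any error.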