NAT6 firewall.nat6 script broken

I've noticed that the NAT6 script here: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6 doesn't seem to be working entirely as it should. It works, but I was recently looking at the masq6_privacy option and realised it wasn't working fully. Part of the script is failing.

It would seem:

config_list_foreach "${config}" network masq6_network line

returns nothing and hence the masq6_network function never gets called, so the temporary IPv6 address and RA settings never get set.

I enabled xtrace and this is what is happening with the config_list_foreach call:

+ local 'DONE_NETWORK_DEVICES='
+ config_list_foreach cfg03dc81 network masq6_network
+ '[' 3 -ge 3 ]
+ local 'section=cfg03dc81'
+ shift
+ local 'option=network'
+ shift
+ local 'function=masq6_network'
+ shift
+ local val
+ local len
+ local 'c=1'
+ config_get len cfg03dc81 network_LENGTH
+ eval export -n -- 'len=${CONFIG_cfg03dc81_network_LENGTH:-${4}}'
+ export -n -- 'len='
+ '[' -z  ]
+ return 0

The log output shows this:

Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg02dc81" zone="lan" zone_masq6="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg03dc81" zone="wan" zone_masq6="1".
Sun Nov 22 12:33:15 2020 user.notice nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="1".
Sun Nov 22 12:33:15 2020 user.notice nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy="1"
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wan_input" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wan_forward" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Done setting up nat6 for zone="wan" on devices:
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg05dc81" zone="guest" zone_masq6="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg07dc81" zone="vpn" zone_masq6="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Firewall config="cfg09dc81" zone="wireguard" zone_masq6="1".
Sun Nov 22 12:33:15 2020 user.notice nat6: Found firewall zone_name="wireguard" with zone_masq6="1" zone_masq6_privacy="0".
Sun Nov 22 12:33:15 2020 user.notice nat6: Setting up masquerading nat6 for zone_name="wireguard" with zone_masq6_privacy="0"
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wireguard_postrouting" contains our MASQUERADE.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wireguard_input" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Ensuring ip6tables chain="zone_wireguard_forward" contains our permissive DNAT rule.
Sun Nov 22 12:33:15 2020 user.notice nat6: Done setting up nat6 for zone="wireguard" on devices:

Notice that the "Done setting up" part is blank: no reference to the network interfaces.

Why is the config_list_foreach failing for me?

Post the output:

uci show firewall

This is the output.

firewall.@defaults[0]=defaults
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq6='1'
firewall.@zone[1].masq6_privacy='1'
firewall.@zone[1].forward='DROP'
firewall.@zone[1].input='DROP'
firewall.@zone[1].network='wan wan6 wanb wanb6 wanc wanc6 aaisp aaisp6 henet docsismodem vigormodem'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@zone[2].input='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@zone[3]=zone
firewall.@zone[3].name='vpn'
firewall.@zone[3].network='vpn'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].masq='1'
firewall.@zone[3].input='REJECT'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='vpn'
firewall.@forwarding[2].src='lan'
firewall.@zone[4]=zone
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].input='REJECT'
firewall.@zone[4].masq='1'
firewall.@zone[4].name='wireguard'
firewall.@zone[4].mtu_fix='1'
firewall.@zone[4].masq6='1'
firewall.@zone[4].network='wg wgb wg6 wgb6'
firewall.@zone[4].masq6_privacy='0'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='wireguard'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[2]=rule
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[3]=rule
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[4]=rule
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[8]=rule
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[9]=rule
firewall.@rule[9].src='guest'
firewall.@rule[9].dest='wan'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].proto='all'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].name='Reject-Modem-Access-Guest'
firewall.@rule[9].dest_ip='192.168.100.1' '192.168.2.1' '192.168.3.1'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='tcp udp'
firewall.@rule[10].dest_port='53'
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Allow-Guest-WiFi-DNS'
firewall.@rule[11]=rule
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].proto='icmp'
firewall.@rule[11].src='guest'
firewall.@rule[11].name='Allow-Guest-WiFi-ping'
firewall.@rule[11].icmp_type='echo-request'
firewall.@rule[12]=rule
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].proto='udp'
firewall.@rule[12].dest_port='67-68'
firewall.@rule[12].src='guest'
firewall.@rule[12].name='Allow-Guest-WiFi-DHCP'
firewall.@rule[13]=rule
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].proto='udp'
firewall.@rule[13].name='Allow-Guest-WiFi-DHCPv6'
firewall.@rule[13].family='ipv6'
firewall.@rule[13].src='guest'
firewall.@rule[13].src_port='546'
firewall.@rule[13].dest_port='547'
firewall.@rule[14]=rule
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].name='Allow-Guest-WiFi-SLAAC'
firewall.@rule[14].family='ipv6'
firewall.@rule[14].src='guest'
firewall.@rule[14].proto='icmp'
firewall.@rule[14].icmp_type='router-solicitation' 'router-advertisement' 'neighbour-solicitation' 'neighbour-advertisement' '141' '142' '148' '149'
firewall.@rule[15]=rule
firewall.@rule[15].name='Allow-Guest-WiFi-MLD'
firewall.@rule[15].src='guest'
firewall.@rule[15].proto='icmp'
firewall.@rule[15].src_ip='fe80::/10'
firewall.@rule[15].icmp_type='130/0' '131/0' '132/0' '143/0' '151/0' '152/0' '153/0'
firewall.@rule[15].family='ipv6'
firewall.@rule[15].target='ACCEPT'
firewall.@ipset[0]=ipset
firewall.@ipset[0].external='cloudflare_v4'
firewall.@ipset[0].match='src_net'
firewall.@ipset[0].family='ipv4'
firewall.@ipset[0].storage='hash'
firewall.@ipset[1]=ipset
firewall.@ipset[1].external='cloudflare_v6'
firewall.@ipset[1].match='src_net'
firewall.@ipset[1].family='ipv6'
firewall.@ipset[1].storage='hash'
firewall.@rule[16]=rule
firewall.@rule[16].proto='tcp'
firewall.@rule[16].dest='lan'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[16].dest_port='80 443'
firewall.@rule[16].family='ipv6'
firewall.@rule[16].ipset='cloudflare_v6'
firewall.@rule[16].src='wan'
firewall.@rule[16].name='Allow-Apache-IPv6'
firewall.@rule[16].dest_ip='xxxx:xxx:xxxx::x'
firewall.@rule[17]=rule
firewall.@rule[17].src='lan'
firewall.@rule[17].dest='wan'
firewall.@rule[17].proto='all'
firewall.@rule[17].family='ipv4'
firewall.@rule[17].target='REJECT'
firewall.@rule[17].name='Reject-VPN-Clients-WAN-Access'
firewall.@rule[17].src_ip='192.168.1.7'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_port='80'
firewall.@redirect[0].ipset='cloudflare_v4'
firewall.@redirect[0].dest_ip='192.168.1.4'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='Allow-Apache-HTTP'
firewall.@redirect[0].src_dip='xx.xx.xx.xx'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].dest_ip='192.168.1.4'
firewall.@redirect[1].ipset='cloudflare_v4'
firewall.@redirect[1].dest_port='443'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].name='Allow-Apache-HTTPS'
firewall.@redirect[1].src_dip='xx.xx.xx.xx'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
# Re-write the wan zone's space-separated 'option network' as one 'list network' entry per interface
FW_NETS="$(uci get firewall.@zone[1].network)"
uci -q delete firewall.@zone[1].network
for FW_NET in ${FW_NETS}
do uci add_list firewall.@zone[1].network="${FW_NET}"
done
# @zone[4] (wireguard, network='wg wgb wg6 wgb6') has the same form and needs the same treatment
uci commit firewall
/etc/init.d/firewall restart

Thank you. That has resolved it!

So each item within network needs to be quoted and separated as an individual item for the loop function to work. That seems to be the change performed.

LuCI seems to have created the single line format at some point.


Apparently it should use list instead of option for multiple network entries, see:

uci export firewall

Thank you for spotting it; it makes sense why config_list_foreach was failing when it had no values to loop over to begin with.
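To make the mechanism behind this thread concrete, here is an added example (not code from the wiki script, from OpenWrt's /lib/functions.sh, or from anyone in this thread). It re-implements, standalone and on any POSIX shell, the few library routines the xtrace above exercised (the config/option/list loaders, config_get and config_list_foreach), using the same variable layout the real library uses: CONFIG_<section>_<opt> for an option, plus CONFIG_<section>_<opt>_LENGTH and _ITEMn for a list. The section name cfg03dc81 and the interface names come from the thread; the two loader functions are constructed input standing in for what `uci export` would emit before and after the add_list fix. The assumption being demonstrated is that `option network 'a b c'` never sets _LENGTH, so config_list_foreach takes the early `return 0` seen in the xtrace, while a word-split of config_get's joined string works for both forms (which is why the firewall itself kept working and only the include script broke).

```shell
#!/bin/sh
# Added example: a standalone re-implementation of the handful of
# /lib/functions.sh routines involved in this thread. Not the real library.

config_set() { eval "CONFIG_${1}_${2}=\"\$3\""; }

config_get() {
    # config_get VAR SECTION OPTION [DEFAULT]  (same calling convention as the real one)
    eval "${1}=\"\${CONFIG_${2}_${3}:-\${4}}\""
}

config() { CONFIG_SECTION="$2"; config_set "$CONFIG_SECTION" TYPE "$1"; }

option() {
    # 'option network a b c' stores one string; no _LENGTH and no _ITEMn variables.
    config_set "$CONFIG_SECTION" "$1" "$2"
}

list() {
    # 'list network a' appends _ITEMn, bumps _LENGTH, and also appends to the
    # plain variable so that config_get still returns a space-joined string.
    local len cur
    config_get len "$CONFIG_SECTION" "${1}_LENGTH" 0
    len=$((len + 1))
    config_set "$CONFIG_SECTION" "${1}_ITEM${len}" "$2"
    config_set "$CONFIG_SECTION" "${1}_LENGTH" "$len"
    config_get cur "$CONFIG_SECTION" "$1"
    config_set "$CONFIG_SECTION" "$1" "${cur:+$cur }$2"
}

config_list_foreach() {
    local section="$1" opt="$2" func="$3" len val c=1
    shift 3
    config_get len "$section" "${opt}_LENGTH"
    [ -z "$len" ] && return 0            # the early 'return 0' seen in the xtrace
    while [ "$c" -le "$len" ]; do
        config_get val "$section" "${opt}_ITEM${c}"
        "$func" "$val" "$@"
        c=$((c + 1))
    done
}

# Constructed input 1: the zone as LuCI wrote it (what 'uci show' printed above).
load_option_form() {
    config zone 'cfg03dc81'
    option network 'wan wan6 wanb wanb6'
}

# Constructed input 2: the same zone after the 'uci add_list' fix from the thread.
load_list_form() {
    config zone 'cfg03dc81'
    list network 'wan'
    list network 'wan6'
    list network 'wanb'
    list network 'wanb6'
}

collect() { SEEN="${SEEN:+$SEEN }$1"; }

# What the nat6 script does: config_list_foreach over 'network'. Prints the
# networks the callback ran for; empty output means masq6_network never ran.
networks_via_list_foreach() {
    ( "$1"; config_list_foreach cfg03dc81 network collect; printf '%s' "$SEEN" )
}

# Tolerant alternative for an include script: config_get the joined string and
# word-split it. Gives the same answer for the option form and the list form.
networks_via_word_split() {
    ( "$1"; config_get nets cfg03dc81 network
      for n in $nets; do collect "$n"; done; printf '%s' "$SEEN" )
}

for form in load_option_form load_list_form; do
    printf '%-17s foreach=[%s] word-split=[%s]\n' "$form" \
        "$(networks_via_list_foreach "$form")" "$(networks_via_word_split "$form")"
done
```

The first line of output shows the thread's symptom (an empty foreach result for the option form); the second shows both approaches agreeing once the zone is stored as a list. A script that must cope with configs written by hand or by older LuCI can use the word-split form, at the cost of accepting any whitespace-separated junk in that option; the list form is the one uci and the wiki script expect.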

