Please help with PROCD instance

I've looked at the igmpproxy init script and came up with the following, but the firewall redirect doesn't seem to be added (I'm checking with iptables-save | grep PROCD).

procd_open_instance
# uhttpd serving the "fakeinternet" pages on port 65530 (IPv4 and IPv6)
procd_set_param command /usr/sbin/uhttpd -f -h /www_fakeinternet -r fakeinternet -x /cgi-bin -t 60 -T 30 -k 20 -A 1 -E /cgi-bin/error.cgi -n 3 -N 100 -R -p 0.0.0.0:65530 -p [::]:65530 -i .cgi=/bin/ash
procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
procd_set_param stdout 1
procd_set_param stderr 1
# instance data published over ubus; fw3 reads the "firewall" array and
# creates the rules while the instance is running
procd_open_data
json_add_array firewall
json_add_object ""
# one redirect: LAN tcp/80 traffic not destined for the LAN subnet -> local uhttpd
json_add_string type redirect
json_add_string target 'DNAT'
json_add_string src 'lan'
json_add_string proto 'tcp'
json_add_string src_dport '80'
json_add_string src_dip '!192.168.221.0/24'
json_add_string dest_ip '192.168.221.1'
json_add_string dest_port '65530'
json_add_string name 'PROCD_rule'
json_add_string reflection '0'
json_close_object
json_close_array
procd_close_data
procd_close_instance

The uhttpd instance starts, but I'm guessing I'm declaring/describing the firewall array incorrectly. Any help would be appreciated.

Anyone? Pretty please?

Try asking on the mailing list too. https://lists.infradead.org/mailman/listinfo/lede-dev

Last try before I look into posting to the list.

Whoa... a year old already? So sorry that this got overlooked...

Can you provide the output of ubus call service list?

If you are referring to the ACCEPT UDP to destination 224.0.0.0/4, you have to add it.

@jow, thank you for your prompt reply!

It's been a while since I've tested this, so I just tried again and apparently that PROCD firewall redirect definition works (and results in a zone_lan_prerouting rule). However, I then edited the init script, added 3 more redirects in a similar fashion and stopped/started the service, but only the first rule would come up in iptables-save | grep fake, while ubus call service list had all 4 rules listed. Only a reboot helped -- upon boot all 4 rules were found with iptables-save | grep fake. What's more troubling, after I stopped the service, the same rules stayed:

root:~# /etc/init.d/fakeinternet start
root:~# iptables-save | grep fake
-A zone_lan_prerouting ! -d 192.168.226.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 0" -j DNAT --to-destination 192.168.226.1:65530
-A zone_lan_prerouting ! -d 192.168.226.0/24 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 1" -j DNAT --to-destination 192.168.226.1:65530
-A zone_lan_prerouting -d 192.18.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 2" -j DNAT --to-destination 192.168.226.1:65530
-A zone_lan_prerouting -d 192.18.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 3" -j DNAT --to-destination 192.168.226.1:65530
root:~# /etc/init.d/fakeinternet stop
root:~# iptables-save | grep fake
-A zone_lan_prerouting ! -d 192.168.226.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 0" -j DNAT --to-destination 192.168.226.1:65530
-A zone_lan_prerouting ! -d 192.168.226.0/24 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 1" -j DNAT --to-destination 192.168.226.1:65530
-A zone_lan_prerouting -d 192.18.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 2" -j DNAT --to-destination 192.168.226.1:65530
-A zone_lan_prerouting -d 192.18.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 3" -j DNAT --to-destination 192.168.226.1:65530

I thought that PROCD would take care of removing these for me upon service stop -- isn't that how it's supposed to work?
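A small check for the leftover-rule situation shown in the iptables-save output above, written as an added example (not code from the thread or from procd/fw3): it picks out the fw3 rules that were generated from ubus service data (the "!fw3: ubus:service[instance] ..." comments) and reports those whose service is not in the list of running services passed as arguments (assumed to be taken from ubus call service list).

```shell
#!/bin/sh
# Added example, not from the thread. Reads iptables-save output on stdin.
# fw3 tags rules built from procd/ubus instance data with a comment of the
# form "!fw3: ubus:<service>[<instance>] <kind> <index>"; after a service
# stop such rules should be gone, so any that remain for a service that is
# no longer running are stale until the firewall is reloaded.

# Print "service instance rest-of-comment" for every ubus-originated fw3 rule.
ubus_fw3_rules() {
    sed -n 's/.*--comment "!fw3: ubus:\([^[]*\)\[\([^]]*\)\] \(.*\)".*/\1 \2 \3/p'
}

# Usage: stale_ubus_rules <running-service-name>... < iptables-save-output
# Prints one line per rule whose service is not in the running list.
stale_ubus_rules() {
    _running=" $* "
    ubus_fw3_rules | while read -r svc inst rest; do
        case "$_running" in
            *" $svc "*) ;;                              # service still up: expected
            *) printf '%s[%s] %s\n' "$svc" "$inst" "$rest" ;;
        esac
    done
}

# Constructed sample (two lines from the thread plus an ordinary fw3 rule),
# used only when the script is run directly, e.g. ./check.sh dnsmasq
SAMPLE_RULES='-A zone_lan_prerouting ! -d 192.168.226.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 0" -j DNAT --to-destination 192.168.226.1:65530
-A zone_lan_forward -m comment --comment "!fw3: Allow-lan" -j ACCEPT
-A zone_lan_prerouting -d 192.18.1.1/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: ubus:fakeinternet[instance1] redirect 3" -j DNAT --to-destination 192.168.226.1:65530'

if [ "${0##*/}" != "sh" ] && [ -n "$1" ] && [ "$1" != "--sourced" ]; then
    printf '%s\n' "$SAMPLE_RULES" | stale_ubus_rules "$@"
fi
```

On a router the real input is iptables-save itself: iptables-save | stale_ubus_rules $(ubus call service list | jsonfilter -e '@.*' | ...) with the running names extracted however you prefer; an empty result after a stop means fw3 cleaned up.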

Uhm, after a firewall restart everything is in order. How can I automatically restart the firewall when my service is started/stopped? I assume it has to do with ucitrack? Should I do something like this there?

config fakeinternet
	option init 'fakeinternet'
	list affects 'firewall'

Finally, how do I convert these to firewall-syntax rules?

iptables -A forwarding_rule -d $wwwIP -p tcp -j REJECT --reject-with tcp-reset
iptables -A forwarding_rule -d $wwwIP -j REJECT --reject-with icmp-host-unreachable
iptables -A output_rule -d $wwwIP -p tcp -j REJECT --reject-with tcp-reset
iptables -A output_rule -d $wwwIP -j REJECT --reject-with icmp-host-unreachable

PS. Just tried those ucitrack entries and they do not help. How can I get the firewall to be reloaded automatically on my service start/stop?

Should I just invoke /etc/init.d/firewall reload within service_start and service_stop?

While looking at the sources, I saw this:

service_started() {
	# tell procd the firewall config changed so it triggers a firewall reload
	procd_set_config_changed firewall
}

Hopefully that would address my issue with reloading the firewall. @jow, I'd still appreciate help converting the iptables REJECT rules above to firewall-compatible entries.