Question about firewall rules

Hi all

Tell me what this is connected with. Previously, it was possible to enter addresses like 1.0.0.0-10.0.0.0 into the rules, but now there is only one address and a mask, and the required range cannot be entered.

Why was this removed? This is very inconvenient and you won’t be able to enter the required range of IP addresses even if you wanted to.
Version openwrt-23.05.2, I enter via LuCI.

You can use ranges by the use of subnets. For example, to use a rule that affects 192.168.7.1-254, I can use 192.168.7.0/24.

Alternatively, look at the ipsets functionality.

1 Like
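The subnet approach from the reply above, as an added example that is not part of the thread: it splits an arbitrary start-end range into the smallest set of CIDR blocks that a rule field limited to address/mask will accept. The helper names `range_to_cidrs` and `parse_range` are hypothetical, and the sample ranges are the ones quoted in this thread.

```python
import ipaddress

def range_to_cidrs(first: str, last: str) -> list[str]:
    """Return the minimal list of IPv4 CIDR blocks covering first..last inclusive."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # A block must start on its own size boundary: the number of
        # trailing zero bits in lo caps how large it can be.
        align_bits = (lo & -lo).bit_length() - 1 if lo else 32
        # The block must also not run past hi.
        span_bits = (hi - lo + 1).bit_length() - 1
        bits = min(align_bits, span_bits)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{32 - bits}")
        lo += 1 << bits
    return blocks

def parse_range(text: str) -> list[str]:
    """Accept 'a.b.c.d-e.f.g.h' as typed in the thread, or a single address/CIDR."""
    if "-" in text:
        first, last = (part.strip() for part in text.split("-", 1))
        return range_to_cidrs(first, last)
    return [str(ipaddress.ip_network(text, strict=False))]

if __name__ == "__main__":
    # Ranges quoted in the thread; a /24 is wider than .1-.254 by two addresses.
    for sample in ("192.168.7.1-192.168.7.254", "10.0.0.0-10.1.22.12"):
        cidrs = parse_range(sample)
        print(f"{sample}: {len(cidrs)} blocks")
        for cidr in cidrs:
            print("   ", cidr)
```

An exact range usually needs several rules or an ipset when only address/mask entries are accepted, which is the trade-off the thread is about.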

So what I’m talking about is that only this option 192.168.7.0/24 works, and before there was also this option 192.168.7.4-192.168.97.7, which is preferable and which does not work now. But I need to specifically block certain addresses and subnets; option 192.168.7.0/24 is not suitable.

Looks like an oversight in porting fw3 to nftables. Nftables itself has built-in range support (in contrast to iptables, where the iprange extension was required).

Will take a look.

4 Likes

Turned out that firewall4 supports ranges just fine, the LuCI input validation was overly strict.

Fixed in

and

Backport to the stable 22.03 branch will happen soon.

1 Like

I re-uploaded the firmware, nothing changed.
Addresses like 10.0.0.0-10.1.22.12 still cannot be entered in the firewall via LuCI.

It only works if you use Main/Snapshot builds and it can take a few days until those are compiled for you.

It is possible to backport/cherry-pick those commits, and jow reported that it will happen, but that can take some time, so patience is your friend :)

Understood, thanks.