RE: [22.03] Translate extra/raw firewall rules

@jow @dave14305

Do you know if this was made in 22.03.2?

I think I may have an issue with reboots loading some sets/firewall reloads on a Netgear WAX202.

Yes, the firewall4 bump was the last commit to 22.03 before 22.03.2 was tagged.


I'm now attempting to load an IPset running fw4 reload-sets with one pre-loaded entry:

config ipset
        option name 'test'
        option match 'src_net'
        list entry 'xxx.xxx.xxx.xxx'
        option loadfile '/tmp/test.txt'

I receive:

Skipping invalid entry 'null' in file '/tmp/test.txt' for set 'test'
Skipping invalid entry 'null' in file '/tmp/test.txt' for set 'test'
...
...

For 600 lines of IPs, this error is still appearing after 5 minutes (i.e. the console is hung giving these responses). No IPs are added to the set.

I now have to log in to another SSH session and reboot the router. When I removed the entry:

config ipset
        option name 'test'
        option match 'src_net'
        option loadfile '/tmp/test.txt'

I added the entry to the script too. So now I don't see the error, but the CLI freezes. Looking at top from another SSH session, a process is running at high CPU/memory (and it appears to just be slowly leaking memory):

utpl -S /usr/share/firewall4/main.uc

Any ideas?
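A way to sanity-check the loadfile before handing it to fw4, added here as an example and not code from the thread: it reports the offending line by name instead of letting fw4 print one "Skipping invalid entry" message per entry. It assumes the set name 'test' and loadfile '/tmp/test.txt' from the config above, and that 'src_net' entries are IPv4 addresses or CIDR prefixes, one per line.

```shell
#!/bin/sh
# Added example (not from the thread): validate an fw4 ipset loadfile before
# running "fw4 reload-sets". Assumed from the config above: set 'test',
# loadfile /tmp/test.txt, IPv4 address/prefix entries, one per line.

# is_ipv4_net ADDR[/PREFIX]: succeed only for a dotted quad with an
# optional prefix length of 0-32.
is_ipv4_net() {
    addr=${1%%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32          # no "/" given: host address
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    # split on "." with globbing off, so a stray "*" cannot expand to files
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_loadfile FILE: skip blank and '#' lines, report every other line
# that is not an IPv4 address/prefix, succeed only if none were found.
check_loadfile() {
    bad=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                   # tolerate CRLF files
        case "$line" in ''|'#'*) continue ;; esac
        if ! is_ipv4_net "$line"; then
            echo "invalid entry '$line' in $1" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# load_set FILE SET: reload only when the file is clean, then show what
# actually landed in the kernel.
load_set() {
    check_loadfile "$1" || { echo "not reloading set '$2'" >&2; return 1; }
    fw4 reload-sets && nft list set inet fw4 "$2"
}

if [ "${1:-}" = "--load" ]; then
    load_set /tmp/test.txt test
fi
```

Run it with `--load` on the router after writing the file; without that flag it only defines the functions.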

Known regression. opkg update; opkg upgrade firewall4


After running these commands, I lost connectivity to my router except for the existing SSH connection.

Also:

  • WiFi clients won't connect
  • Users on other subnets lost Internet (except for already established traffic)

A firewall reload and reboot did nothing. I had to revert by using the Reset Button and then reloading the config.

@jow , @dave14305 -

  • Is there any other step(s) I need to perform?
  • Or is this something that would only be working in SNAPSHOT?

No, in fact I just tried in a qemu x86/64 VM using the 22.03.2 release image. I could reproduce your original problem (Skipping invalid entry 'null' in file '/tmp/test.txt' for set 'test') and confirm that opkg update; opkg upgrade firewall4 fixes it.

Did you try simply power-cycling your device? Maybe it was still stuck with the fw4 process causing reboot to not work.

Maybe I upgraded while it was still running.

Otherwise, I can't be sure. In any case, I just tried again and rebooted and changed the script from:

nft add element inet fw4 test { $foo }

Into:

do
        echo $foo >> /tmp/test.txt
done

fw4 reload-sets

exit 0

I believe now the issue of counters resetting on a reload - might be fixed. I'll monitor.

[screenshot]

Does this still work?
option family 'ipv4'

Edit - For the larger lists, I still get:

Failed to allocate uclient context
netlink: Error: Could not process rule: No buffer space available

@dave14305 @jow

Are you able to verify that ICMPv4 [Echo-Request] rules work properly?

I always disable the default "Allow-Ping" rule, so I'm not sure if it works or not. What specifically are you asking about? It's hard to tell from the cropped screenshots.

So do I - which is how I noticed this issue (bug).

Here's an important rule:

config rule
        option target 'ACCEPT'
        option src 'wan'
        option family 'ipv4' # <---
        option proto 'icmp'
        list icmp_type 'echo-request'
        option src_ip 'xxx.xxx.xxx.xxx'
        option name 'Allow-HE_IPv6_Tunnel_Check'

Results in:

[screenshot]

I'm not sure how I can better screenshot the issue - of an IPv4 rule improperly creating an IPv6 entry in the firewall.

It's a display quirk for which the fix has not yet been backported: