Do you know if this was made in 22.03.2?
I think I may have an issue with reboots loading some sets/firewall reloads on a Netgear WAX202.
Yes, the firewall4 bump was the last commit to 22.03 before 22.03.2 was tagged.
I'm now attempting to load an IPset running fw4 reload-sets
with one pre-loaded entry:
config ipset
    option name 'test'
    option match 'src_net'
    list entry 'xxx.xxx.xxx.xxx'
    option loadfile '/tmp/test.txt'
I receive:
Skipping invalid entry 'null' in file '/tmp/test.txt' for set 'test'
Skipping invalid entry 'null' in file '/tmp/test.txt' for set 'test'
...
...
For 600 lines of IPs, this error is still appearing after 5 minutes (i.e. the console is hung giving these responses). No IPs are added to the set.
I now have to log in to another SSH session and reboot the router. When I removed the entry:
config ipset
    option name 'test'
    option match 'src_net'
    option loadfile '/tmp/test.txt'
I added the entry to the script too. So now I don't see the error, but the CLI freezes. Looking at top from another SSH session, a process is running at high CPU/memory (and it appears to just be slowly leaking memory):
utpl -S /usr/share/firewall4/main.uc
Any ideas?
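As an added example (not code from the thread or from fw4 itself), a POSIX sh check that can be run on the loadfile before `fw4 reload-sets`, so that a genuinely malformed line can be told apart from the "Skipping invalid entry 'null'" regression above. It assumes the loadfile holds one IPv4 address or CIDR per line, as the poster's /tmp/test.txt does; the comment stripping and the output-file name are conventions of this helper, not of fw4.

```shell
#!/bin/sh
# Added example: validate an fw4 ipset loadfile and write a cleaned copy.
# Assumption: one IPv4 address or a.b.c.d/prefix per line (no IPv6).

# valid_ipv4_entry ADDR[/PREFIX]  -> exit 0 if well-formed, 1 otherwise
valid_ipv4_entry() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no "/": treat as a single host
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;           # prefix must be a plain number
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                            # split into octets on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;       # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# clean_loadfile IN OUT -> copies only well-formed entries to OUT,
# reports rejected lines on stderr, prints the number of kept entries
clean_loadfile() {
    kept=0
    : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop "# ..." comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -z "$line" ] && continue
        if valid_ipv4_entry "$line"; then
            printf '%s\n' "$line" >> "$2"
            kept=$((kept + 1))
        else
            echo "rejecting '$line' in $1" >&2
        fi
    done < "$1"
    echo "$kept"
}

# Typical use on the router (hypothetical paths):
#   clean_loadfile /tmp/test.txt /tmp/test.clean.txt && fw4 reload-sets
# with 'option loadfile' in /etc/config/firewall pointing at the cleaned file.
```

If the cleaned file still produces "Skipping invalid entry 'null'" for every line, the file is not at fault and the firewall4 package itself needs the fix mentioned later in the thread.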
Known regression. opkg update; opkg upgrade firewall4
After running these commands, I lost connectivity to my router except for the existing SSH connection.
Also:
A firewall reload and reboot did nothing. I had to revert by using the Reset Button and then reloading the config.
@jow , @dave14305 -
No, in fact I just tried in a qemu x86/64 VM using the 22.03.2 release image. I could reproduce your original problem ("Skipping invalid entry 'null' in file '/tmp/test.txt' for set 'test'") and confirm that opkg update; opkg upgrade firewall4 fixes it.
Did you try simply powercycling your device? Maybe it was still stuck with the fw4 process causing reboot to not work.
Maybe I upgraded while it was still running.
Otherwise, I can't be sure. In any case, I just tried again and rebooted and changed the script from:
nft add element inet fw4 test { $foo }
Into:
do
    echo $foo >> /tmp/test.txt
done
fw4 reload-sets
exit 0
I believe now the issue of counters resetting on a reload - might be fixed. I'll monitor.
Does this still work?
option family 'ipv4'
Edit - For the larger lists, I still get:
Failed to allocate uclient context
netlink: Error: Could not process rule: No buffer space available
I always disable the default "Allow-Ping" rule, so I'm not sure if it works or not. What specifically are you asking about? It's hard to tell from the cropped screenshots.
So do I - which is how I noticed this issue (bug).
Here's an important rule:
config rule
    option target 'ACCEPT'
    option src 'wan'
    option family 'ipv4' # <---
    option proto 'icmp'
    list icmp_type 'echo-request'
    option src_ip 'xxx.xxx.xxx.xxx'
    option name 'Allow-HE_IPv6_Tunnel_Check'
Results in:
I'm not sure how I can better screenshot the issue - of an IPv4 rule improperly creating an IPv6 entry in the firewall.
It’s a display quirk for which the fix has not yet been backported: