Require back end support for firewall rules


#1

Hi All,
I'm in need of help here!

I have a issue with firewall, the rules configured in /etc/config/firewall are not reflecting in the back end, I figured this by listing iptables rules on the console. This is a home gateway that is developed from OpenWRT 18.06.

I'm sure that my firewall script is getting invoked on init and firewall restart and fw3 utility has been provisioned.
I have firewall package version firewall-2018-07-26-aa8846bb and iptables-1.6.2 version.

I ensured that the below configs are enabled other than libuci,libubox and libubus
CONFIG_PACKAGE_libssp=y
CONFIG_PACKAGE_libip4tc=y
CONFIG_PACKAGE_libip6tc=y
CONFIG_PACKAGE_libxtables=y
CONFIG_PACKAGE_kmod-ipt-core=y
CONFIG_PACKAGE_kmod-ipt-conntrack=y
CONFIG_PACKAGE_kmod-ipt-nat=y
CONFIG_PACKAGE_kmod-nf-conntrack6=y
CONFIG_PACKAGE_libc=y

Is there something else I need to do to enable the firewall rule configured in /etc/config/firewall

Thanks in advance!


#2

Please post an example of the not working firewall configuration and the corresponding iptables listing.


#3

Below are the rules configured in /etc/config/firewall

root@OpenWrt:/# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

config rule
        option name 'SSH'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'
        option proto 'tcp'
        option enabled yes

And my iptables list output shows

root@OpenWrt:/# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:telnet
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

These iptables rules are listed from /etc/firewall.user.
I have the following rules configured in /etc/firewall.user

iptables -I INPUT -j ACCEPT
iptables -I OUTPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip6tables -I INPUT -j ACCEPT
ip6tables -I OUTPUT -j ACCEPT
ip6tables -I FORWARD -j ACCEPT
iptables -I INPUT -p tcp --sport 23 -j ACCEPT
iptables-save
ip6tables-save
/etc/init.d/dnsmasq restart


#4

What is reported by fw3 print?


#5

Here is the output of fw3 start

root@OpenWrt:/# fw3 start
Warning: Unable to locate ipset utility, disabling ipset support
 * Populating IPv4 filter table
Warning: fw3_ipt_rule_append(): Can't find target 'REJECT'
Warning: fw3_ipt_rule_append(): Can't find target 'REJECT'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'SSH'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
Warning: iptc_commit(): No chain/target/match by that name
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
Warning: iptc_commit(): No chain/target/match by that name
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
Warning: iptc_commit(): No chain/target/match by that name
 * Populating IPv6 filter table
Warning: fw3_ipt_rule_append(): Can't find target 'REJECT'
Warning: fw3_ipt_rule_append(): Can't find target 'REJECT'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'SSH'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
Warning: ip6tc_commit(): No chain/target/match by that name
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
Warning: ip6tc_commit(): No chain/target/match by that name
 * Flushing conntrack table ...
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
   ! Unable to write value: No such file or directory
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
# Generated by iptables-save v1.6.2 on Fri Dec 21 12:16:37 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Dec 21 12:16:37 2018
# Generated by iptables-save v1.6.2 on Fri Dec 21 12:16:37 2018
*mangle
:PREROUTING ACCEPT [18008:1295245]
:INPUT ACCEPT [17116:1194605]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17031:1186513]
:POSTROUTING ACCEPT [17031:1186513]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
COMMIT
# Completed on Fri Dec 21 12:16:37 2018
# Generated by iptables-save v1.6.2 on Fri Dec 21 12:16:37 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --sport 23 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --sport 23 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Dec 21 12:16:37 2018
# Generated by ip6tables-save v1.6.2 on Fri Dec 21 12:16:37 2018
*mangle
:PREROUTING ACCEPT [3447:316699]
:INPUT ACCEPT [2677:232738]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2942:276496]
:POSTROUTING ACCEPT [2942:276496]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
COMMIT
# Completed on Fri Dec 21 12:16:37 2018
# Generated by ip6tables-save v1.6.2 on Fri Dec 21 12:16:37 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Dec 21 12:16:37 2018
udhcpc: started, v1.28.3
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:/#
root@OpenWrt:/# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:telnet
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:telnet
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

#6

This is causing the ruleset to fail. Apparently your Kernel / netfilter stack was built without support for the REJECT target.


#7

Thanks Jow.
I'm using kernel version 4.1.51. Is there any way to bring in this support ??


#8

Make sure the target is enabled in the kernel configuration and that the appropriate iptables extensions are packaged.


#9

Thanks Jow, I'll check that.

To add on , there are few generic patches in Openwrt/target/linux/generic/patches-xx which is not included as part of build so far.
Does these patches have a potential changes that would create this issue in firewall (iptc_commit)?
I suspect this because I could see some changes related to netfilter here.


#10

Very unlikely.


#11

Thanks! . I'll check all iptables extensions are packaged.


#12

Did a little more digging in the code and found the following observations:

Compared the /etc/init.d/firewall restart command output from a reference working openwrt device with that of our openwrt device

Observed the following difference in the output


Working

* Populating IPv4 filter table

* Zone 'lan'

* Zone 'wan'

* Rule 'Allow-DHCP-Renew'

* Rule 'Allow-Ping'

* Rule 'Allow-IGMP'

………….

Non Working

Populating IPv4 filter table

Warning: fw3_ipt_rule_append(): Can't find target 'REJECT'

Warning: fw3_ipt_rule_append(): Can't find target 'REJECT'

* Rule 'Allow-DHCP-Renew'

* Rule 'Allow-Ping'

* Rule 'Allow-IGMP'

* Rule 'Allow-IPSec-ESP'

* Rule 'Allow-ISAKMP'

* Forward 'lan' -> 'wan'

* Zone 'lan'

* Zone 'wan'

Warning: iptc_commit(): No chain/target/match by that name

……………….
```

On code walkthrough identified the flow is as follows in userspace for firewall package command fw3(called in firewall init script) and iptables package command iptables:


```
fw3: /etc/init.d/firewall start - triggers API in openwrt firewall package - start() - fw3_ipt_commit - triggers API in iptables package - iptc_commit
- TC_COMMIT

iptables: triggers API in iptables package - iptc_commit - TC_COMMIT
```

On adding debugs identified that the setsockopt call to netfilter module in function TC_COMMIT is failing when called via fw3 but is successful while doing via iptables

Failing code snippet in iptables package below:

> ret = setsockopt(handle->sockfd, TC_IPPROTO, SO_SET_REPLACE, repl, sizeof(*repl) + repl->size);

Please share your thoughts on the same

#13

As I already wrote, this is due to fw3 failing to find the userspace netfilter parts. The userspace match/target parsers are either provided by the various /usr/lib/iptables/libipt_*.so and /usr/lib/iptables/libxt_*.so libraries or by the OpenWrt specific /usr/lib/libiptext.so, /usr/lib/libiptext4.so and /usr/lib/libiptext6.so libraries.

Whether libiptext*.so is linked by fw3 depends on the DISABLE_STATIC_EXTENSIONS cmake option.

The libiptext*.so libraries itself are compiled and staged by the OpenWrt iptables package, its contained match parsers depend on kernel and userland configuration and are indirectly assembled in include/netfilter.mk of the buildroot.

I assume you're using a modified OpenWrt tree and/or an external kernel tree which somehow affect the way iptables extensions are built and staged.

You should first figure out where the REJECT userspace parser is installed on your system (grep -ls REJECT_init /usr/lib/libiptext*.so /usr/lib/iptables/*.so).

If it is part of libiptext*.so then make sure that ldd /sbin/fw3 shows something along the lines of:

libiptext.so => /usr/lib/libiptext.so (0x7fb314dd3000)
libiptext4.so => /usr/lib/libiptext4.so (0x7fb314bcb000)
libiptext6.so => /usr/lib/libiptext6.so (0x7fb3149c3000)

If it is contained as standalone library in /usr/lib/iptables/, then invoke /sbin/fw3 under strace to see whether this library is opened by dlopen().


#14

Thankyou jow for taking the time and replying. Really appreciate it.

As you said, I have verified all the libraries are compiled and installed.
Also, the REJECT userspace parser is installed on the system as part of libiptc.so
and it is present. Also verified the libiptext*.so is used by firewall.

In the output of strace, I could see for some libraries the utility is looking at incorrect locations and not the location where it is actually installed and returning error but finally finds the right location of the library( scenario of the output is given below). The error seems a little bit strange as in a reference working device I do not see this issue.

strace output for firewall binary

strace fw3

execve("/sbin/fw3", ["fw3"], 0xff8278f0 /* 6 vars */) = 0
brk(NULL)                               = 0x5c3000
uname({sysname="Linux", nodename="OpenWrt", ...}) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/v8l/neon/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/v8l/neon/vfp", 0xffaac9a8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/v8l/neon/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/v8l/neon", 0xffaac9a8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/v8l/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/v8l/vfp", 0xffaac9a8)  = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/v8l/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/v8l", 0xffaac9a8)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/neon/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/neon/vfp", 0xffaac9a8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/neon/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/neon", 0xffaac9a8)     = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/vfp", 0xffaac9a8)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/tls/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", 0xffaac9a8)          = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/v8l/neon/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/v8l/neon/vfp", 0xffaac9a8) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/v8l/neon/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/v8l/neon", 0xffaac9a8)     = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/v8l/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/v8l/vfp", 0xffaac9a8)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/v8l/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/v8l", 0xffaac9a8)          = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/neon/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/neon/vfp", 0xffaac9a8)     = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/neon/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/neon", 0xffaac9a8)         = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/vfp/libuci.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/lib/vfp", 0xffaac9a8)          = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libuci.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\254\26\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=34128, ...}) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf71b5000
mmap2(NULL, 98484, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf716f000
mprotect(0xf7177000, 61440, PROT_NONE)  = 0
mmap2(0xf7186000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0xf7186000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libubox.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0<%\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=38232, ...}) = 0
mmap2(NULL, 103232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7155000
mprotect(0xf715d000, 65536, PROT_NONE)  = 0
mmap2(0xf716d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8000) = 0xf716d000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libubus.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\230\23\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=21900, ...}) = 0
mmap2(NULL, 86360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf713f000
mprotect(0xf7143000, 65536, PROT_NONE)  = 0
mmap2(0xf7153000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0xf7153000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/v8l/neon/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/v8l/neon/vfp", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/v8l/neon/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/v8l/neon", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/v8l/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/v8l/vfp", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/v8l/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/v8l", 0xffaac960)  = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/neon/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/neon/vfp", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/neon/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/neon", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/vfp", 0xffaac960)  = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls", 0xffaac960)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/v8l/neon/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/v8l/neon/vfp", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/v8l/neon/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/v8l/neon", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/v8l/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/v8l/vfp", 0xffaac960)  = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/v8l/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/v8l", 0xffaac960)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/neon/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/neon/vfp", 0xffaac960) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/neon/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/neon", 0xffaac960)     = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/vfp/libxtables.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/vfp", 0xffaac960)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\250&\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=38184, ...}) = 0
mmap2(NULL, 105112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7125000
mprotect(0xf712e000, 61440, PROT_NONE)  = 0
mmap2(0xf713d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8000) = 0xf713d000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0|E\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=714184, ...}) = 0
mmap2(NULL, 778356, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7066000
mprotect(0xf7114000, 61440, PROT_NONE)  = 0
mmap2(0xf7123000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xad000) = 0xf7123000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\374\10\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=9692, ...}) = 0
mmap2(NULL, 73908, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7053000
mprotect(0xf7055000, 61440, PROT_NONE)  = 0
mmap2(0xf7064000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0xf7064000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0L\20\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=22060, ...}) = 0
mmap2(NULL, 86292, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf703d000
mprotect(0xf7042000, 61440, PROT_NONE)  = 0
mmap2(0xf7051000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0xf7051000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\374\20\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=22060, ...}) = 0
mmap2(NULL, 86292, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7027000
mprotect(0xf702c000, 61440, PROT_NONE)  = 0
mmap2(0xf703b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0xf703b000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libiptext.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libiptext.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\370\33\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=57204, ...}) = 0
mmap2(NULL, 121432, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7009000
mprotect(0xf7015000, 65536, PROT_NONE)  = 0
mmap2(0xf7025000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0xf7025000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libiptext4.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libiptext4.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0$\17\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=22416, ...}) = 0
mmap2(NULL, 86644, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf6ff3000
mprotect(0xf6ff7000, 65536, PROT_NONE)  = 0
mmap2(0xf7007000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0xf7007000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libiptext6.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libiptext6.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0X\16\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=22416, ...}) = 0
mmap2(NULL, 86644, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf6fdd000
mprotect(0xf6fe1000, 65536, PROT_NONE)  = 0
mmap2(0xf6ff1000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0xf6ff1000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\4G\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=50856, ...}) = 0
mmap2(NULL, 115084, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf6fc0000
mprotect(0xf6fcc000, 61440, PROT_NONE)  = 0
mmap2(0xf6fdb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0xf6fdb000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\274k\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1218324, ...}) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf71b3000
mmap2(NULL, 1287532, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf6e85000
mprotect(0xf6fab000, 61440, PROT_NONE)  = 0
mmap2(0xf6fba000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x125000) = 0xf6fba000
mmap2(0xf6fbd000, 9580, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xf6fbd000
close(3)                                = 0
set_tls(0xf71b41f0, 0xf71b48e8, 0xf71b8058, 0xf71b41f0, 0xf71b8058) = 0
mprotect(0xf6fba000, 8192, PROT_READ)   = 0
mprotect(0xf6fdb000, 4096, PROT_READ)   = 0
mprotect(0xf7123000, 4096, PROT_READ)   = 0
mprotect(0xf7064000, 4096, PROT_READ)   = 0
mprotect(0xf713d000, 4096, PROT_READ)   = 0
mprotect(0xf6ff1000, 4096, PROT_READ)   = 0
mprotect(0xf7007000, 4096, PROT_READ)   = 0
mprotect(0xf7025000, 4096, PROT_READ)   = 0
mprotect(0xf703b000, 4096, PROT_READ)   = 0
mprotect(0xf7051000, 4096, PROT_READ)   = 0
mprotect(0xf716d000, 4096, PROT_READ)   = 0
mprotect(0xf7153000, 4096, PROT_READ)   = 0
mprotect(0xf7186000, 4096, PROT_READ)   = 0
mprotect(0x36000, 4096, PROT_READ)      = 0
mprotect(0xf71b7000, 4096, PROT_READ)   = 0
brk(NULL)                               = 0x5c3000
brk(0x5e4000)                           = 0x5e4000
epoll_create(32)                        = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
pipe([4, 5])                            = 0
fcntl64(4, F_GETFD)                     = 0
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
fcntl64(4, F_GETFL)                     = 0 (flags O_RDONLY)
fcntl64(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
fcntl64(5, F_GETFD)                     = 0
fcntl64(5, F_SETFD, FD_CLOEXEC)         = 0
fcntl64(5, F_GETFL)                     = 0x1 (flags O_WRONLY)
fcntl64(5, F_SETFL, O_WRONLY|O_NONBLOCK) = 0
fcntl64(4, F_GETFL)                     = 0x800 (flags O_RDONLY|O_NONBLOCK)
fcntl64(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
epoll_ctl(3, EPOLL_CTL_ADD, 4, {EPOLLIN|EPOLLRDHUP, {u32=4145471520, u64=4145471520}}) = 0
rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0xf7158e4c, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0xf6eb09f0}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0xf7158e4c, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0xf6eb09f0}, NULL, 8) = 0
rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=0xf7158e34, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0xf6eb09f0}, NULL, 8) = 0
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, 8) = 0
socket(AF_UNIX, SOCK_STREAM, 0)         = 6
fcntl64(6, F_GETFD)                     = 0
fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
connect(6, {sa_family=AF_UNIX, sun_path="/var/run/ubus.sock"}, 110) = 0
read(6, "\0\0\0\0J\6\225\330\0\0\0\4", 12) = 12
read(6, "", 0)                          = 0
fcntl64(6, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK|O_CLOEXEC) = 0
sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\4\0\1\0\0\0\0", iov_len=8}, {iov_base="\0\0\0\34\2\0\0\26network.interface\0\0\0", iov_len=28}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, 0) = 36
poll([{fd=6, events=POLLIN|POLLERR}], 1, -1) = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\2\0\1\0\0\0\0\0\0\1$", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\2\0\0\26network.interface\0\0\0\3\0\0\10\30\201z\10"..., iov_len=288}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 288
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\1\0\1\0\0\0\0\0\0\0\f", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\1\0\0\10\0\0\0\0", iov_len=8}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 8
sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\5\0\2\30\201z\10", iov_len=8}, {iov_base="\0\0\0\34\3\0\0\10\30\201z\10\4\0\0\tdump\0\0\0\0\7\0\0\4", iov_len=28}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, 0) = 36
clock_gettime(CLOCK_MONOTONIC, {tv_sec=114, tv_nsec=886993680}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=114, tv_nsec=887036580}) = 0
poll([{fd=6, events=POLLIN|POLLERR}], 1, 1999) = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\2\0\2\30\201z\10\0\0\7\0", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\3\0\0\10\30\201z\10\7\0\6\364\201\0\6\360\0\tinterface\0\202\0\2\374"..., iov_len=1788}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 1788
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\1\0\2\30\201z\10\0\0\0\24", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\1\0\0\10\0\0\0\0\3\0\0\10\30\201z\10", iov_len=16}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 16
sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\4\0\3\0\0\0\0", iov_len=8}, {iov_base="\0\0\0\20\2\0\0\fservice\0", iov_len=16}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, 0) = 24
poll([{fd=6, events=POLLIN|POLLERR}], 1, -1) = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\2\0\3\0\0\0\0\0\0\3 ", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\2\0\0\fservice\0\3\0\0\10\260v\270\6\5\0\0\10\265\221\364\257\6\0\3\0"..., iov_len=796}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 796
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\1\0\3\0\0\0\0\0\0\0\f", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\1\0\0\10\0\0\0\0", iov_len=8}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 8
sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\5\0\4\260v\270\6", iov_len=8}, {iov_base="\0\0\0008\3\0\0\10\260v\270\6\4\0\0\rget_data\0\0\0\0\7\0\0\34"..., iov_len=56}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, 0) = 64
clock_gettime(CLOCK_MONOTONIC, {tv_sec=115, tv_nsec=231769200}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=115, tv_nsec=231801140}) = 0
poll([{fd=6, events=POLLIN|POLLERR}], 1, 2000) = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\2\0\4\260v\270\6\0\0\0\20", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\3\0\0\10\260v\270\6\7\0\0\4", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\1\0\4\260v\270\6\0\0\0\24", iov_len=12}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 12
poll([{fd=6, events=POLLIN}], 1, -1)    = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\1\0\0\10\0\0\0\0\3\0\0\10\260v\270\6", iov_len=16}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 16
close(6)                                = 0
stat64("/etc/config/firewall", {st_mode=S_IFREG|0644, st_size=4377, ...}) = 0
openat(AT_FDCWD, "/etc/config/firewall", O_RDONLY) = 6
flock(6, LOCK_SH)                       = 0
_llseek(6, 0, [0], SEEK_SET)            = 0
fcntl64(6, F_GETFL)                     = 0 (flags O_RDONLY)
fstat64(6, {st_mode=S_IFREG|0644, st_size=4377, ...}) = 0
read(6, "config defaults\n\toption syn_floo"..., 4096) = 4096
read(6, "src_port\t\t1024\n#\toption src_dpor"..., 4096) = 281
read(6, "", 4096)                       = 0
stat64("/tmp/.uci/firewall", 0xffaac938) = -1 ENOENT (No such file or directory)
stat64("/tmp/.uci/firewall", 0xffaacae8) = -1 ENOENT (No such file or directory)
flock(6, LOCK_UN)                       = 0
close(6)                                = 0
stat64("ipset", 0xffaace80)             = -1 ENOENT (No such file or directory)
stat64("/usr/sbin/ipset", 0xffaace80)   = -1 ENOENT (No such file or directory)
stat64("/usr/bin/ipset", 0xffaace80)    = -1 ENOENT (No such file or directory)
stat64("/sbin/ipset", 0xffaace80)       = -1 ENOENT (No such file or directory)
stat64("/bin/ipset", 0xffaace80)        = -1 ENOENT (No such file or directory)
write(2, "Warning: ", 9Warning: )                = 9
write(2, "Unable to locate ipset utility, "..., 55Unable to locate ipset utility, disabling ipset support) = 55
write(2, "\n", 1
)                       = 1
openat(AT_FDCWD, "/usr/share/fw3/helpers.conf", O_RDONLY) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=2198, ...}) = 0
read(6, "config helper\n\toption name 'aman"..., 1024) = 1024
read(6, "track_netbios_ns'\n\toption family"..., 1024) = 1024
read(6, "'rtsp'\n\toption description 'RTSP"..., 1024) = 150
read(6, "", 1024)                       = 0
close(6)                                = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=185, ...}) = 0
read(6, "passwd:files\nshadow:files\ngroup:"..., 1024) = 185
read(6, "", 1024)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 6
read(6, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\320\31\0\0004\0\0\0"..., 512) = 512
fstat64(6, {st_mode=S_IFREG|0755, st_size=38456, ...}) = 0
mmap2(NULL, 127744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0xf6e65000
mprotect(0xf6e6e000, 61440, PROT_NONE)  = 0
mmap2(0xf6e7d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x8000) = 0xf6e7d000
mmap2(0xf6e7f000, 21248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xf6e7f000
close(6)                                = 0
mprotect(0xf6e7d000, 4096, PROT_READ)   = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
read(6, "\t33\tDCCP\t\t# Datagram Congestion "..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
open("/etc/protocols", O_RDONLY|O_CLOEXEC) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=2541, ...}) = 0
read(6, "# Internet (IP) protocols\n#\n# Up"..., 1024) = 1024
close(6)                                = 0
write(2, "fw3 [-4] [-6] [-q] print\n", 25fw3 [-4] [-6] [-q] print
) = 25
write(2, "fw3 [-q] {start|stop|flush|reloa"..., 43fw3 [-q] {start|stop|flush|reload|restart}
) = 43
write(2, "fw3 [-q] network {net}\n", 23fw3 [-q] network {net}
) = 23
write(2, "fw3 [-q] device {dev}\n", 22fw3 [-q] device {dev}
) = 22
write(2, "fw3 [-q] zone {zone} [dev]\n", 27fw3 [-q] zone {zone} [dev]
) = 27
exit_group(1)                           = ?
+++ exited with 1 +++

#15

Hi guys,

Was able to resolve one of the warnings on firewall start by adding the below kernel configs.
Warning

Warning: fw3_ipt_rule_append(): Can't find target 'REJECT'

Configs used to fix

CONFIG_NF_REJECT_IPV4
CONFIG_IP_NF_TARGET_REJECT
CONFIG_NF_REJECT_IPV6
CONFIG_IP6_NF_TARGET_REJECT

But still the issue persists of rules not getting reflected in iptables:

root@OpenWrt:/# fw3 start
Warning: Unable to locate ipset utility, disabling ipset support
 * Populating IPv4 filter table
Warning: iptc_commit(): No chain/target/match by that name
 * Populating IPv4 nat table
Warning: iptc_commit(): No chain/target/match by that name
 * Populating IPv4 mangle table
 * Populating IPv6 filter table
Warning: ip6tc_commit(): No chain/target/match by that name
 * Populating IPv6 mangle table
 * Flushing conntrack table ...
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
   ! Unable to write value: No such file or directory
 * Set tcp_window_scaling to on

Suspects Warning: ip6tc_commit(): No chain/target/match by that name might be the reson.
Currently researching if any missing netfilter modules is causing the issue.
Please share what you guys think