[SOLVED] Firewall status: active with no instances

This may have been asked before, so apologies if that’s the case.

The situation:

BusyBox v1.36.1 (2025-09-25 20:55:15 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.3, r28872-daca7c049b
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.104",
        "hostname": "OpenWrt",
        "system": "Intel(R) Pentium(R) CPU  J3710  @ 1.60GHz",
        "model": "LENOVO 10G9001UUS",
        "board_name": "lenovo-10g9001uus",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "x86/64",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}
root@OpenWrt:~# service firewall status
active with no instances

The firewall is operational (I know this because the device is behaving as it’s supposed to based on the firewall rules, including those I have put in). So I am wondering, what is the meaning of “active with no instances” in this context?

Looking in /lib/functions/procd.sh, it appears that the "no instances" means there's not a running process specifically for the firewall. If you run a trace of that code comparing, say, service dnsmasq status with the firewall command, you can see that it finds a dnsmasq process and reports "running", i.e., "an instance", for that.

3 Likes

Not to contradict @efahl but to complement their response.

Most often the procd-based init scripts are used to launch daemons which do stay in memory, like the above-mentioned dnsmasq or, for example, https-dns-proxy, which starts an instance per each upstream resolver you configure.

There are services however which run once and do not stay in memory, like the firewall service, which on 24.10 translates the entries from your /etc/config/firewall into the nft rules and then exits.

The procd status command, as per the file @efahl so kindly named, looks if the service has created the procd object (which you can inspect with service firewall info) and if it exists, but there is no data/instances inside of it, it produces the message you saw.

Hope it was helpful.

4 Likes

Thank you! Marking the question solved now…

It is possible to show some arbitrary boilerplate status text, like that table fw4 exists. Go figure balance between volume and essence.

Oh, that would be nice. Something like what adblock does:

$ service adblock status
::: adblock runtime information
  + adblock_status  : enabled
  + adblock_version : 4.4.2-r3
  + blocked_domains : 296 679
  + active_feeds    : adaway, adguard, adguard_tracking, android_tracking, disconnect, doh_blocklist, firetv_tracking, oisd_big, smarttv_tracking, winspy, yoyo
  + dns_backend     : dnsmasq (2.90-r4), /tmp/dnsmasq.d, 28.34 MB
  + run_ifaces      : trigger: wan , report: br-lan
  + run_directories : base: /tmp, dns: /tmp/dnsmasq.d, backup: /tmp/adblock-backup, report: /tmp/adblock-report, jail: /tmp
  + run_flags       : shift: ✘, custom feed: ✘, force: ✘, flush: ✘, tld: ✔, search: ✘, report: ✔, mail: ✘, jail: ✘
  + last_run        : mode: reload, 2025-10-14T04:07:25-07:00, duration: 0m 25s, 3707.07 MB available
  + system_info     : cores: 4, fetch: curl, PC Engines apu2, x86/64, OpenWrt 24.10.3 r28872-daca7c049b
3 Likes
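
Since the status text only reflects the procd service object and not the ruleset in the kernel, the two can be cross-checked. The following is an added example, not code from this thread or from OpenWrt: the function names, verdict strings and return codes are hypothetical, the sample table is constructed, and the table name `inet fw4` is assumed to be the one fw4 creates on 24.10.

```shell
#!/bin/sh
# Added example (not OpenWrt code): compare procd's view of the firewall
# with what is actually loaded in nftables. Inputs are passed as text so
# the logic can be exercised off-router.

# Constructed sample: abbreviated shape of `nft list table inet fw4` output.
SAMPLE_TABLE='table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}'

# Count base chains, i.e. chains attached to a netfilter hook.
# `|| true` keeps a zero count from tripping `set -e` in callers.
count_hooked_chains() {
    printf '%s\n' "$1" | grep -c 'type [a-z]* hook [a-z]* priority' || true
}

# firewall_health STATUS_TEXT NFT_TABLE_TEXT
#   STATUS_TEXT:    output of `service firewall status`
#   NFT_TABLE_TEXT: output of `nft list table inet fw4` (empty if absent)
# Returns 0 = rules loaded, 2 = procd object exists but ruleset is missing
# or unhooked, 1 = procd does not report the service as active.
firewall_health() {
    fh_status=$1
    fh_table=$2
    fh_hooks=$(count_hooked_chains "$fh_table")
    case "$fh_status" in
        "active with no instances"|running*)
            if ! printf '%s\n' "$fh_table" | grep -q '^table inet fw4'; then
                echo "stale: procd object present, fw4 table missing"; return 2
            elif [ "$fh_hooks" -eq 0 ]; then
                echo "stale: fw4 table has no hooked chains"; return 2
            fi
            echo "ok: fw4 loaded, $fh_hooks hooked chains"; return 0 ;;
        *)
            echo "not active per procd: $fh_status"; return 1 ;;
    esac
}

# On the router:
#   firewall_health "$(service firewall status)" "$(nft list table inet fw4 2>/dev/null)"
firewall_health "active with no instances" "$SAMPLE_TABLE" || true
firewall_health "active with no instances" "" || true
```

The second demo call shows the case worth alerting on: procd still reports the one-shot service as active, but no fw4 table is present.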
