[solved] Iptables != rules not working

lleachii · January 27, 2020, 5:10pm

So all, some time today, I noticed that does-not-equal firewall rules no longer appear in my running config.

Previous Bug: https://bugs.openwrt.org/index.php?do=details&task_id=806

Fixed with commit: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=6e46f6edc4ee8ad127658c55616bb9d32a8f2d1a

Running: OpenWrt SNAPSHOT r12138-1e3bfbafd3

Rules:

Command Line and in /etc/firewall.user:

iptables -t raw -I PREROUTING ! -s xx.xx.xx.0/24 -i br-xxxnet -j DROP

UCI:

config rule
	option family 'ipv4'
	option proto 'all'
	option src '*'
	option target 'DROP'
	option name 'Drop-xxx_OUT_InvalidSRC'
	option src_ip '!xx.xx.xx.0/24'
	option dest 'xxxwan'

Neither rule works.

lleachii · January 28, 2020, 4:33pm

Not working on OpenWrt 19.07.0 r10860-a3ffeb413b
Working on OpenWrt 18.06.6 r7957-d81a8a3e29

lleachii · January 30, 2020, 6:25pm

I understand service release 19.07.1 is on the way. Did a fix for this bug make it into that firmware?

tmomas · January 30, 2020, 9:49pm

I couldn't spot any obvious related change in the 19.07.1 changelog.

lleachii · February 10, 2020, 7:51pm

Still not working in OpenWrt SNAPSHOT r12211-ceed4638f6

lleachii · February 21, 2020, 3:33pm

OpenWrt SNAPSHOT r12238-dc145de4be
OpenWrt SNAPSHOT r12257-c8f8e59816

jow · February 21, 2020, 10:21pm

Unable to reproduce the issue on x86/64 r12230-5715b21f80 - at least a simple test with iptables -t raw -I PREROUTING ! -s 10.11.12.7/32 -i br-lan -j DROP works as expected here. My desktop still can access the net, traffic from all other devices times out.

Maybe flow offloading is interfering?

lleachii · February 22, 2020, 9:21pm

Disabled.

Correction:

lleachii · February 22, 2020, 9:33pm

Did any commits about text searching on LuCI Firewall pages get signed off?

...or display of the Exclamation Mark (!)?

jow · February 22, 2020, 10:45pm

Well there was a bug in LuCI with displaying certain iptables rules with exclamation marks in them, due to a bad regular expression. Related issue was https://github.com/openwrt/luci/issues/3642.

You stated "no longer appear in my running config" which sounded to me as if
a) the rule itself is not working
b) not appearing in iptables-save

So I suppose this has been a LuCI display issue all along.

lleachii · February 23, 2020, 4:51pm

Yes I think so. I realize the only hint I placed was:

This rule never failed with an error; and
I realized I never looked at the iptables command itself

Thanks.

system · March 4, 2020, 4:51pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.