[solved] Iptables != rules not working

So all, some time today, I noticed that does-not-equal firewall rules no longer appear in my running config.

Previous Bug: https://bugs.openwrt.org/index.php?do=details&task_id=806

Fixed with commit: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=6e46f6edc4ee8ad127658c55616bb9d32a8f2d1a

Running: OpenWrt SNAPSHOT r12138-1e3bfbafd3


  • Command line and in /etc/firewall.user:

    iptables -t raw -I PREROUTING ! -s xx.xx.xx.0/24 -i br-xxxnet -j DROP

  • UCI:

    config rule
        option family 'ipv4'
        option proto 'all'
        option src '*'
        option target 'DROP'
        option name 'Drop-xxx_OUT_InvalidSRC'
        option src_ip '!xx.xx.xx.0/24'
        option dest 'xxxwan'

Neither rule works.

  • Not working on OpenWrt 19.07.0 r10860-a3ffeb413b
  • Working on OpenWrt 18.06.6 r7957-d81a8a3e29

I understand service release 19.07.1 is on the way. Did a fix for this bug make it into that firmware?

I couldn't spot any obvious related change in the 19.07.1 changelog.


Still not working in OpenWrt SNAPSHOT r12211-ceed4638f6.

  • OpenWrt SNAPSHOT r12238-dc145de4be (not working)
  • OpenWrt SNAPSHOT r12257-c8f8e59816 (working)

Unable to reproduce the issue on x86/64 r12230-5715b21f80 - at least a simple test with iptables -t raw -I PREROUTING ! -s -i br-lan -j DROP works as expected here. My desktop still can access the net, traffic from all other devices times out.

Maybe flow offloading is interfering?


Did any commits about text searching on LuCI Firewall pages get signed off?

...or display of the Exclamation Mark (!)?

Well there was a bug in LuCI with displaying certain iptables rules with exclamation marks in them, due to a bad regular expression. Related issue was https://github.com/openwrt/luci/issues/3642.

You stated "no longer appear in my running config" which sounded to me as if
a) the rule itself is not working
b) not appearing in iptables-save

So I suppose this has been a LuCI display issue all along.
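Added example (not from the thread and not LuCI's own code) showing why a regex that ignores the leading `!` renders a negated rule as a plain match, and how to check the live ruleset from `iptables-save` output instead of a UI rendering; the sample output, addresses and interface name are constructed.

```python
import re
from typing import Optional

# Constructed sample of `iptables-save -t raw` output; the 192.0.2.0/24
# network and br-lan interface are placeholders, not values from the thread.
SAMPLE_IPTABLES_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -s 192.0.2.0/24 -i br-lan -j DROP
-A PREROUTING -s 192.0.2.0/24 -i br-lan -j ACCEPT
COMMIT
"""

# Naive pattern: finds "-s <value>" but never sees the "!" in front of it,
# so a negated source is displayed exactly like a plain source match.
NAIVE_SRC = re.compile(r"-s\s+(\S+)")

def naive_source(rule: str) -> Optional[str]:
    m = NAIVE_SRC.search(rule)
    return m.group(1) if m else None

def parse_rule(rule: str) -> dict:
    """Tokenize one '-A ...' line, keeping the '!' that precedes an option.
    Assumes every option takes exactly one value (true for -s/-d/-i/-o/-p)."""
    tokens = rule.split()
    parsed = {"chain": None, "matches": {}, "target": None}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True            # applies to the next option only
        elif tok == "-A":
            parsed["chain"] = tokens[i + 1]; i += 1
        elif tok == "-j":
            parsed["target"] = tokens[i + 1]; i += 1
        elif tok.startswith("-"):
            parsed["matches"][tok] = (negate, tokens[i + 1]); i += 1
            negate = False
        i += 1
    return parsed

def negated_drop_present(save_output: str, chain: str, src: str, iface: str) -> bool:
    """True if the ruleset holds 'chain: ! -s src -i iface -j DROP'."""
    for line in save_output.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        if (r["chain"] == chain and r["target"] == "DROP"
                and r["matches"].get("-s") == (True, src)
                and r["matches"].get("-i") == (False, iface)):
            return True
    return False
```

Feed it the real output of `iptables-save -t raw` on the router; a `True` from `negated_drop_present` confirms the rule is installed regardless of what the web UI shows.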


Yes I think so. I realize the only hint I placed was:

  • This rule never failed with an error; and
  • I realized I never looked at the iptables command itself
