Stop existing forwarding connections when disabling forwarding

Hi.
I have an OpenWrt 22.03 device which is connected to two networks.
When I create a forwarding rule, it is able to forward traffic from network1 to network2.
But when I set the forwarding's enabled option to '0', it does stop new connections from being forwarded; however, the existing TCP connection and the ping from network1 to network2 keep working.
How can I set the rules so that existing connections are not allowed to work when the forwarding is disabled?
Here is my firewall config:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'router'
	option src 'network1'
	option dest 'network2'
	option enabled '0'
	#option enabled '1'
 

config zone 'network1'
	option name 'network1'
	option network 'network1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option leasetime '12h'

config zone 'network2'
	option name 'network2'
	option network 'network2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option leasetime '12h'

When I set enabled to 0 and do a service firewall reload (or restart), it doesn't block the ping, but a service network restart does.
This issue didn't exist in OpenWrt 21: a service firewall restart would stop the forwarding completely.
TIA.


If the firewall doesn't work, restart the network interface.

Interesting.

Flush the conntrack table with:

echo f >/proc/net/nf_conntrack

Or you can selectively flush just connections for the IP you want by using:

echo '192.168.1.123' >/proc/net/nf_conntrack

(replace the IP with the desired one).

Firewall3 in OpenWrt 21.x had the ability to flush the table. It doesn't exist in firewall4, as best I can tell.


Thanks @lleachii. Restarting the network service does stop the ping (I haven't tried just one interface yet), but it doesn't look like the best way to do it in OpenWrt.


Thank you @dave14305. echo f >/proc/net/nf_conntrack did the job; I mean, it stopped the ping and the existing connection.
Probably I'll add it to the reload and restart functions of /etc/config/firewall, so that when the rule is changed in LuCI it works automatically.
However, one problem is that if there are other unchanged rules and other ongoing forwarded connections, they will be flushed too.


That's why I also suggested that you can limit the flushing to the relevant IP (internal or external) involved in the port forward. Or you can look into the possibilities available in the conntrack-tools package to delete individual entries.


That's right. It also works by just targeting a particular connection state in the conntrack table.
However, from a user perspective, it should be network-specific rather than IP- or interface-specific.
Maybe there's a UCI firewall rule that automatically tells conntrack to drop existing connection states related to the changed network forwarding rule on firewall reload.
I mean, if we want to interact directly with nf_conntrack or use conntrack-tools, the user (or a script) needs to go through deleting individual entries.

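The network-specific selection asked for above can be scripted on top of the same procfs interface. The following is an added example, not code from this thread or from OpenWrt's firewall4: it reads the conntrack table, keeps only the IPv4 entries whose original direction runs from the source zone's subnet to the destination zone's subnet, and writes each matching source IP back to /proc/net/nf_conntrack, which (as described in the earlier reply) removes every entry involving that IP. The subnets 192.168.1.0/24 (network1) and 10.0.0.0/24 (network2) and the sample table are constructed for the example; the table format is the one shown by /proc/net/nf_conntrack on OpenWrt 22.03, where the first src=/dst= pair of a line is the original direction and the second pair is the masqueraded reply.

```shell
#!/bin/sh
# Added example (not from the thread or from firewall4): flush the conntrack
# entries that belong to one zone-to-zone forwarding, selected by the two
# subnets instead of by a single IP. Assumes the nf_conntrack procfs format of
# OpenWrt 22.03 and its write interface ('f' flushes everything, an IP address
# flushes every entry involving that IP). The subnets 192.168.1.0/24 and
# 10.0.0.0/24 are hypothetical; use the ones behind your own zones.

CT_TABLE=/proc/net/nf_conntrack

# select_flush_ips SRC_CIDR DST_CIDR  (conntrack table on stdin)
# Prints, once each, the original-direction source IP of every IPv4 entry
# whose original direction runs from SRC_CIDR to DST_CIDR. Only the first
# src=/dst= pair on a line is the original direction; the second pair is the
# reply, which masquerading rewrites, so it is ignored.
select_flush_ips() {
  awk -v src="$1" -v dst="$2" '
  function ip2n(ip,  o) {            # dotted quad -> 32-bit number
    split(ip, o, ".")
    return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
  }
  function innet(ip, cidr,  p, div) { # true if ip lies inside cidr
    split(cidr, p, "/")
    div = 2 ^ (32 - p[2])
    return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
  }
  $1 != "ipv4" { next }               # IPv6 entries need their own handling
  {
    s = ""; d = ""
    for (i = 1; i <= NF; i++) {
      if (s == "" && $i ~ /^src=/) s = substr($i, 5)
      else if (d == "" && $i ~ /^dst=/) d = substr($i, 5)
    }
    if (s != "" && d != "" && innet(s, src) && innet(d, dst) && !(s in seen)) {
      seen[s] = 1
      print s
    }
  }'
}

# flush_forwarding SRC_CIDR DST_CIDR
# Writes each selected IP to the conntrack file, which drops every entry that
# involves that host, including its flows to other zones: that is the
# granularity the procfs interface offers.
flush_forwarding() {
  select_flush_ips "$1" "$2" < "$CT_TABLE" | while read -r ip; do
    echo "$ip" > "$CT_TABLE"
  done
}

# Constructed sample table: a TCP flow and a ping from one network1 host to
# network2, one network1-to-WAN flow and one network2-to-network1 flow.
CT_SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.123 dst=10.0.0.5 sport=40000 dport=22 src=10.0.0.5 dst=10.0.0.1 sport=22 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=192.168.1.123 dst=10.0.0.5 type=8 code=0 id=1 src=10.0.0.5 dst=10.0.0.1 type=0 code=0 id=1 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=203.0.113.9 sport=40001 dport=443 src=203.0.113.9 dst=198.51.100.2 sport=443 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=10.0.0.5 sport=53 dport=5353 mark=0 zone=0 use=2'

# Dry run against the sample: prints only 192.168.1.123 (the WAN flow and the
# network2-originated flow are left alone).
printf '%s\n' "$CT_SAMPLE" | select_flush_ips 192.168.1.0/24 10.0.0.0/24
# On the router, after reloading the firewall with the forwarding disabled:
# flush_forwarding 192.168.1.0/24 10.0.0.0/24
```

Two things to keep in mind when using this. Writing an IP to the procfs file removes all of that host's entries, not only the ones crossing the disabled forwarding, so a network1 host with an open session to the WAN loses that session too; if you need per-flow deletion, the conntrack-tools package mentioned in the previous reply is the tool for that. And the selection is only as good as the subnets you pass: if a zone has several networks, call the function once per pair.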

This was an interesting feature of fw3. I'm not sure of the history or why there was no need to replicate it in firewall4. Hopefully someone smarter comes along with more info for you. :smiley:


Thanks Dave,
good finding. If that's the change that handles the intelligent, specific flushes, maybe it's worth doing a similar job in fw4.
It just requires a brave person to stop forward. :smile:


Hi @jow,
I found your name in the firewall4 package. I thought you might have some thoughts or comments about this.
Thank you in advance.