Understanding "list" vs. "option" in firewall

Can someone please explain to me the difference between the "list" and "option" in the firewall config? Maybe I am just too dumb to understand the documentation...

The wiki says: "Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all"

However it does not quite work that way.

For example the default rule "Allow-MLD"

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

Why doesn't it use list icmp_type '130/0 131/0 132/0 133/0'?

I tried it with my own rule using list proto 'tcp udp' but for some reason restarting the firewall gives me very awkward logs.

root@ROUTER:~# service firewall restart
Warning: Option @redirect[9].proto has invalid value 'tcp udp'
Warning: Option @redirect[9].src_dport has invalid value '53'
Warning: Option @redirect[9].dest_port has invalid value '53'
Warning: Section @redirect[9] (Portforward_NAME) skipped due to invalid options
... and so on
Warning: Option @helper[0].port has invalid value '10080'
Warning: Section @helper[0] (amanda) has invalid options
Warning: Option @helper[1].port has invalid value '21'
Warning: Section @helper[1] (ftp) has invalid options
... and so on

Using option proto 'tcp udp' works just fine, which makes no sense to me at all given the documentation...
When manually creating a new redirect within luci which uses tcp and icmp or something else, luci creates a dedicated list entry for each protocol. Which also makes no sense to me.

    list proto 'tcp'
    list proto 'icmp'
shouldn't it be
    list proto 'tcp icmp'
????

The way I see it, when you have a list, there will be one value on each line of the list. In option you can have multiple values in the same line, but it doesn't always work, e.g. firewall source addresses can be multiple in a list but cannot be multiple in an option.

3 Likes

Repeating the same "option" is an error, repeating the same "list" adds values to the parameter.

Using a single "list" with a list of values is the same as using "option", and may not work with some parameters, when the values are parsed.

2 Likes
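To make the two rules above concrete (a repeated "option" is rejected, a repeated "list" appends, and a single list entry holding 'tcp udp' is one value, not two), here is an added example that is not OpenWrt or libuci code: a small Python model of the UCI syntax run over the Allow-MLD rule quoted in the thread plus three constructed rules that spell `proto` differently. The duplicate-option rejection and the whitespace splitting of option values are modelled after what the thread describes, not taken from the firewall's own parser, and `VALID_PROTO` is the protocol set from the wiki sentence quoted in the question.

```python
import re
import shlex

# Protocols the quoted wiki text lists as valid for 'proto'.
VALID_PROTO = {"tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp", "all"}

LINE_RE = re.compile(r"^(config|option|list)\s+(.*)$")


def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, options)].

    'option' stores a plain string; 'list' stores a Python list and
    repeating it appends.  A repeated 'option' in one section is
    rejected, which is the rule stated in the reply above (modelled
    here; this is not libuci's exact behaviour).
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        keyword, words = m.group(1), shlex.split(m.group(2))
        if keyword == "config":
            name = words[1] if len(words) > 1 else None
            sections.append((words[0], name, {}))
            continue
        if not sections:
            raise ValueError("option/list before any 'config' line")
        key = words[0]
        value = words[1] if len(words) > 1 else ""
        opts = sections[-1][2]
        if keyword == "option":
            if key in opts:
                raise ValueError(f"option {key!r} repeated in section")
            opts[key] = value
        else:
            if isinstance(opts.get(key), str):
                raise ValueError(f"{key!r} used as both option and list")
            opts.setdefault(key, []).append(value)
    return sections


def accepts(text):
    """True if the text parses under the rules above, False otherwise."""
    try:
        parse_uci(text)
        return True
    except ValueError:
        return False


def proto_values(opts):
    """Return the 'proto' tokens a list-typed consumer would see.

    An 'option' string is split on whitespace, so 'tcp udp' becomes two
    tokens; each 'list' element is taken whole, so a single list entry
    'tcp udp' stays one token and fails validation below.
    """
    raw = opts.get("proto", "")
    return raw.split() if isinstance(raw, str) else list(raw)


def invalid_protos(opts):
    """Tokens of 'proto' that are not in the documented protocol set."""
    return [p for p in proto_values(opts) if p not in VALID_PROTO]


def by_name(sections, name):
    """Return the options dict of the named section."""
    return next(o for _, n, o in sections if n == name)


# Constructed sample: the Allow-MLD rule from the thread, then three
# rules (constructed) that write 'proto' in the three possible forms.
SAMPLE = """
config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule 'opt_form'
    option proto 'tcp udp'

config rule 'list_form'
    list proto 'tcp'
    list proto 'udp'

config rule 'bad_list_form'
    list proto 'tcp udp'
"""

if __name__ == "__main__":
    secs = parse_uci(SAMPLE)
    print("Allow-MLD icmp_type:", secs[0][2]["icmp_type"])
    for n in ("opt_form", "list_form", "bad_list_form"):
        o = by_name(secs, n)
        print(n, proto_values(o), "invalid:", invalid_protos(o))
```

Running it shows `opt_form` and `list_form` producing the same two tokens, while `bad_list_form` yields the single token 'tcp udp', which is exactly the value the firewall warning in the question complains about.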

So basically what you are saying is...

If you only have one value for an option/list then use the "option" syntax.
If you have more than one value then use the list syntax, with multiple list entries for each value.

Couldn't I then simply use the "list" syntax every time even if I only have one value for a setting?
Or are there also some scenarios where this isn't allowed?

You can try it yourself and see if it works, but that is not how you are supposed to do it.

2 Likes

I'm really confused here.

  • You quote the instructions for proto
  • But your example uses icmp_type

It should be list option 'tcp udp' as you noted.

I didn't know TCP had ICMP types; nor that ICMP had ports (I hope my facetiousness doesn't overpower the point here)...because I'm sure such a setting would give even more errors.

Perhaps what you desire is to look at the portion of the UCI that parses/writes /etc/config/firewall - that'll help you understand the syntax better. Since I simply trust the instructions (absent any reason not to, i.e. they don't work), I haven't reviewed it enough to even recall where to find a link at this time.

It was just meant as a general example for when to use "list or option".... :smile:

This was again just an example... :smile:

I was attempting to highlight how the icmp_type options are a subset for the listed proto icmp.

1 Like
