Where are the iptables/fw3 "zone chains" created? (18.06)

I am trying to figure out a firewall configuration for a device running 18.06.1. I realise 18.06 is old, but I need to understand some of this before I can migrate to a more recent version.

The device (MT7628 based) is not being used as a home router, so I've named the firewall (firewall3) zones differently — they're no longer called 'lan' and 'wan' but are split up and named differently, e.g. the closest thing to 'wan' is currently called 'internet'. I have completely replaced the default /etc/config/firewall so I'm not appending to it or anything.

When I run service firewall reload over serial, I see (I'm only posting the warnings here):

Warning: fw3_ipt_rule_append(): Can't find target 'input_internet_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_internet_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_internet_rule'

It seems that iptables has some custom chains defined to match the zones in /etc/config/firewall, e.g. iptables -L contains these chains (again, not posting the whole output):

Chain zone_lan_forward (0 references)
target     prot opt source               destination         

Chain zone_lan_input (0 references)
target     prot opt source               destination         

Chain zone_lan_output (0 references)
target     prot opt source               destination         

Chain zone_wan_forward (0 references)
target     prot opt source               destination         

Chain zone_wan_input (0 references)
target     prot opt source               destination         

Chain zone_wan_output (0 references)
target     prot opt source               destination         

I can see that in the firewall3 source code, in zones.c, there is indeed a list of chains to create, e.g.

C(ANY, FILTER, CUSTOM_CHAINS, "input_?_rule"),
C(ANY, FILTER, CUSTOM_CHAINS, "output_?_rule"),
C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_?_rule"),

What I can't figure out is why my own aren't being created. If I replace the zones in /etc/config/firewall with e.g.

config zone 'internet'
    option name         internet
    list   network      'modem0'
    list   network      'modem1'
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq         1
    option mtu_fix      1

...and reload or restart the firewall service, iptables has none of these chains (neither the previous lan/wan ones nor my own). Even if I reboot. But if I put the old /etc/config/firewall back (from /rom) and reboot, the lan/wan chains show up!

What is the step or service that causes these to be created? I'm struggling to debug it because I don't even know when or where I should start looking for the issue beyond what I've found.

Turns out this was a bit of a red herring; if I do fw3 -d reload with the default config I get the warnings too:

 * Populating IPv4 filter table
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
Warning: fw3_ipt_rule_append(): Can't find target 'input_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_lan_rule'
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
Warning: fw3_ipt_rule_append(): Can't find target 'input_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_wan_rule'

And yet, at the end of this, iptables -L shows a fully populated set of rules. Whereas with my config, I just see this after a fw3 reload:

Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         

Chain reject (0 references)
target     prot opt source               destination         

Chain zone_lan_forward (0 references)
target     prot opt source               destination         

Chain zone_lan_input (0 references)
target     prot opt source               destination         

Chain zone_lan_output (0 references)
target     prot opt source               destination         

Chain zone_wan_forward (0 references)
target     prot opt source               destination         

Chain zone_wan_input (0 references)
target     prot opt source               destination         

Chain zone_wan_output (0 references)
target     prot opt source               destination         

Okay. I figured it out.

There is a relatively short maximum length of a chain name you can give to iptables. By default it's set in include/linux/netfilter/x_tables.h with:

#define XT_TABLE_MAXNAMELEN 32

In theory, I could change this value, but it's also hard-coded in the firewall3 source, so I won't. The longest chain name template is 18 characters long; minus the ? placeholder gives 17 chars. The difference from 32 is 15, less one more for \0 is 14. For some reason there are two extra characters cut off that I can't account for, because really the longest I can have is 12 before the names get truncated.

Alongside my internet zone name I had another one that was exactly 14 chars long. I thought I removed it for debugging, but of course I edited one file and then loaded a totally different one, so I didn't even post the offending entry in my question above. Oops.
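To make the two pieces above concrete (the chain name templates from zones.c, and the arithmetic on XT_TABLE_MAXNAMELEN), here is an added checker that is not part of the thread or of the firewall3 project. It expands the per-zone templates visible in this thread for every zone in a firewall config and lists the generated chain names that would overshoot a chain-name cap. Assumptions: the template list is limited to the chains quoted here (fw3 creates others in the nat and mangle tables, which are not modelled); the UCI reader is a minimal one that only understands "config zone" sections and their "name" option; and the practical 12-character zone name bound is taken from the poster's observation rather than derived from the header.

```python
"""Added example (not from the thread or the firewall3 project): expand the
per-zone chain name templates that fw3 builds and flag zone names whose
generated chains exceed an iptables chain-name length cap."""
import re

# '?' stands for the zone name. Templates come from the fw3 zones.c fragment
# and the iptables -L listing quoted in the thread (filter table only).
ZONE_CHAIN_TEMPLATES = (
    "input_?_rule", "output_?_rule", "forwarding_?_rule",
    "zone_?_input", "zone_?_output", "zone_?_forward",
    "zone_?_src_ACCEPT", "zone_?_src_REJECT",
    "zone_?_dest_ACCEPT", "zone_?_dest_REJECT",
)

# Fixed characters of the longest template once '?' is removed
# ("zone_?_dest_ACCEPT" -> 17).
LONGEST_FIXED = max(len(t) - 1 for t in ZONE_CHAIN_TEMPLATES)

# XT_TABLE_MAXNAMELEN from x_tables.h as quoted in the thread; the buffer
# includes the terminating NUL, so 31 characters are usable by arithmetic.
XT_TABLE_MAXNAMELEN = 32

# The poster found that zone names longer than 12 characters produce
# truncated chains in practice. Assumption: treat that as the practical bound.
OBSERVED_MAX_ZONE_LEN = 12
PRACTICAL_MAX_CHAIN_LEN = OBSERVED_MAX_ZONE_LEN + LONGEST_FIXED  # 29


def max_zone_name_len(max_chain_len):
    """Longest zone name for which every generated chain fits in max_chain_len."""
    return max_chain_len - LONGEST_FIXED


def expand_zone_chains(zone_name):
    """Chain names fw3 would create for one zone (filter table templates only)."""
    return [t.replace("?", zone_name) for t in ZONE_CHAIN_TEMPLATES]


_SECTION = re.compile(r"^\s*config\s+(\w+)(?:\s+'?([^'\s]+)'?)?\s*$")
_OPTION = re.compile(r"^\s*option\s+(\w+)\s+'?([^'\s]+)'?\s*$")


def parse_zone_names(config_text):
    """Minimal UCI reader: the 'name' option of each 'config zone' section,
    falling back to the section label when no name option is given."""
    names, in_zone, label, name = [], False, None, None
    for line in config_text.splitlines():
        m = _SECTION.match(line)
        if m:
            if in_zone and (name or label):
                names.append(name or label)
            in_zone, label, name = m.group(1) == "zone", m.group(2), None
            continue
        m = _OPTION.match(line)
        if m and in_zone and m.group(1) == "name":
            name = m.group(2)
    if in_zone and (name or label):
        names.append(name or label)
    return names


def check_zone_names(config_text, max_chain_len=PRACTICAL_MAX_CHAIN_LEN):
    """Return (zone, chain, length) for every generated chain longer than max_chain_len."""
    return [
        (zone, chain, len(chain))
        for zone in parse_zone_names(config_text)
        for chain in expand_zone_chains(zone)
        if len(chain) > max_chain_len
    ]


# Constructed sample config: an 8-character 'internet' zone and a
# 14-character zone like the one the poster had left in the file.
SAMPLE_CONFIG = """\
config defaults
    option input        REJECT

config zone 'internet'
    option name         internet
    list   network      'modem0'
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq         1

config zone
    option name         'guestnetwork14'
    option input        REJECT
"""

if __name__ == "__main__":
    print("longest fixed part of a template:", LONGEST_FIXED)
    print("max zone name at 31 usable chars:", max_zone_name_len(XT_TABLE_MAXNAMELEN - 1))
    for zone, chain, n in check_zone_names(SAMPLE_CONFIG):
        print(f"zone {zone!r}: chain {chain!r} is {n} chars, over {PRACTICAL_MAX_CHAIN_LEN}")
```

Run against the constructed config, the 'internet' zone is clean while 'guestnetwork14' yields five chains (forwarding_*_rule and the four src/dest chains) that pass the 31-character arithmetic from the header but exceed the 29-character practical cap; those are exactly the names that would come out truncated, so running the checker over /etc/config/firewall before a reload catches the problem without staring at iptables -L output.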
