Joined: 17 Apr 2014 Posts: 135 Location: SF Bay Area
Posted: Wed Jan 19, 2022 20:04 Post subject: [solved] rc_firewall = duplicate rules
Update: fixed in r48141
[MOD -> General if appropriate]
In recent builds iptables rules entered in rc_firewall occur twice, that is, one entry generates two identical rules. Existing svn tickets suggest duplicate calls rather than exuberance; I suspect this also.
Found in 47976 and 48075.
Code:
$ ssh -p 22222 root@192.168.2.251 "nvram get rc_firewall; echo ====; iptables -nvL FORWARD | head -n 10"
DD-WRT v3.0-r48075 mega (c) 2022 NewMedia-NET GmbH
Release: 01/10/22
Board: Asus RT-N66U
iptables -I FORWARD 2 -s 192.168.2.20 -j REJECT
====
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT all -- * * 192.168.2.20 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.168.2.20 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 upnp all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 logreject tcp -- br0 vlan2 0.0.0.0/0 0.0.0.0/0 WEBSTR match content 2
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop tcp -- * vlan2 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
Joined: 08 May 2018 Posts: 14222 Location: Texas, USA
Posted: Wed Jan 19, 2022 21:30 Post subject:
The funny thing about 6718 is that I had no added rules or firewall script, I was literally posting the defaults from the router I was looking at. Try disabling block anonymous WAN requests (ping), save, reboot and see if it's still duplicated. I have a feeling that some of the options on the firewall page are to blame, perhaps; OR, it's a syntax problem on adding to your firewall script from Administration -> Commands. Anyhow, I've emailed BrainSlayer about this.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Joined: 17 Apr 2014 Posts: 135 Location: SF Bay Area
Posted: Thu Jan 20, 2022 6:47 Post subject:
kernel-panic69 wrote:
The funny thing about 6718 is that I had no added rules or firewall script, I was literally posting the defaults from the router I was looking at. Try disabling block anonymous WAN requests (ping), save, reboot and see if it's still duplicated. I have a feeling that some of the options on the firewall page are to blame, perhaps; OR, it's a syntax problem on adding to your firewall script from Administration -> Commands. Anyhow, I've emailed BrainSlayer about this.
Not syntax, not anon ping
Using ssh to push rc_firewall to nvram directly, same result.
During GUI testing I managed to catch it immediately after 'apply' and it worked correctly. 1/2 second later, before reboot, double entries. rc_firewall function is being called twice.
UPDATE: it's QoS. Selected == two rc_firewall calls, unselected == correct behavior.
Check out the changeset mentioned in orig post.
Cheers,
sanity: same behavior with dd-wrt.v24-48138_NEWD-2_K3.x-big-RT-N66U.trx
Joined: 08 May 2018 Posts: 14222 Location: Texas, USA
Posted: Thu Jan 20, 2022 16:09 Post subject:
egc wrote:
As a rule I always precede my iptables rule by the same rule with -D instead of -I exactly to counter this kind of behaviour.
I presume this is exactly what this reply meant:
Quote:
commands need to consider that they need to cleanup the own mess before adding new crap
egc wrote:
(But of course solving the root cause is recommended, but not always easy; DD-WRT has a habit of multiple stopping/starting of services and it looks like not everything is re-entrant)
And this is probably the crux of the issue. It seems that anything that affects the WAN (QoS, SFE, etc.) likely restarts / recalls the firewall; these should probably be considered before starting the firewall?
lazardo wrote:
UPDATE: its QoS. selected == two rc_firewall calls, unselect == correct behavior.
Check out the changeset mentioned in orig post.
There are *many* commits since then, and part of that changeset does not currently exist in the current firewall code, which is what you should be looking at, anyway. Of course, file locations have changed since that commit as well...
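The delete-before-insert pattern egc describes, written out as an rc_firewall script that survives being run twice. This is an added example, not code from the thread or from DD-WRT; it uses only `-D` and `-I` (not `-C`, which older iptables builds lack), and the `IPT` variable and the `add_rule`/`del_rule`/`rc_firewall_main` names are assumptions of this example. Because `-D` only removes a rule whose specification matches exactly, the same argument list must be passed to both the delete loop and the insert, which is why the helper takes the rule once and reuses it for both.

```shell
#!/bin/sh
# Idempotent rc_firewall (added example; not DD-WRT's own code).
# IPT is assumed here so the helpers can be exercised against a stub; on the
# router it is simply the iptables binary.
IPT="${IPT:-iptables}"

# del_rule CHAIN RULE...
# Delete every copy of RULE from CHAIN. -D removes one exact match per call
# and fails once none is left, so looping also cleans up duplicates left
# behind by an earlier double invocation of this script.
del_rule() {
    chain="$1"; shift
    while "$IPT" -D "$chain" "$@" 2>/dev/null; do :; done
}

# add_rule CHAIN POSITION RULE...
# Remove any existing copies of RULE, then insert exactly one at POSITION.
# Running the script a second time therefore yields the same table, not two
# rules.
add_rule() {
    chain="$1"; pos="$2"; shift 2
    del_rule "$chain" "$@"
    "$IPT" -I "$chain" "$pos" "$@"
}

# The rule from the original post, made re-entrant.
rc_firewall_main() {
    add_rule FORWARD 2 -s 192.168.2.20 -j REJECT
}

# Only touch the kernel where iptables actually exists (i.e. on the router);
# elsewhere the file just defines the helpers.
if command -v "$IPT" >/dev/null 2>&1; then
    rc_firewall_main
fi
```

On the router the whole file goes into `rc_firewall` as usual; a quick check after Apply is `iptables -nvL FORWARD | grep -c 192.168.2.20`, which should print 1 however many times the firewall is restarted.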