Joined: 17 Apr 2014 Posts: 110 Location: SF Bay Area
Posted: Wed Jan 19, 2022 20:04 Post subject: [solved] rc_firewall = duplicate rules
Update: fixed in r48141
[MOD -> General if appropriate]
In recent builds, iptables rules entered in rc_firewall occur twice, that is, one entry generates two identical rules. Existing svn tickets suggest duplicate calls rather than exuberance; I suspect this also.
Found in 47976 and 48075.
Code:
$ ssh -p 22222 root@192.168.2.251 "nvram get rc_firewall; echo ====; iptables -nvL FORWARD | head -n 10"
DD-WRT v3.0-r48075 mega (c) 2022 NewMedia-NET GmbH
Release: 01/10/22
Board: Asus RT-N66U
iptables -I FORWARD 2 -s 192.168.2.20 -j REJECT
====
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT all -- * * 192.168.2.20 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.168.2.20 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 upnp all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 logreject tcp -- br0 vlan2 0.0.0.0/0 0.0.0.0/0 WEBSTR match content 2
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop tcp -- * vlan2 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
Joined: 08 May 2018 Posts: 12446 Location: Texas, USA
Posted: Wed Jan 19, 2022 21:30 Post subject:
The funny thing about 6718 is that I had no added rules or firewall script, I was literally posting the defaults from the router I was looking at. Try disabling block anonymous WAN requests (ping), save, reboot and see if it's still duplicated. I have a feeling that some of the options on the firewall page are to blame, perhaps; OR, it's a syntax problem on adding to your firewall script from Administration -> Commands. Anyhow, I've emailed BrainSlayer about this.
Joined: 17 Apr 2014 Posts: 110 Location: SF Bay Area
Posted: Thu Jan 20, 2022 6:47 Post subject:
kernel-panic69 wrote:
The funny thing about 6718 is that I had no added rules or firewall script, I was literally posting the defaults from the router I was looking at. Try disabling block anonymous WAN requests (ping), save, reboot and see if it's still duplicated. I have a feeling that some of the options on the firewall page are to blame, perhaps; OR, it's a syntax problem on adding to your firewall script from Administration -> Commands. Anyhow, I've emailed BrainSlayer about this.
Not syntax, not anon ping
Using ssh to push rc_firewall to nvram directly, same result.
During GUI testing I managed to catch it immediately after 'apply' and it worked correctly. 1/2 second later, before reboot, double entries. rc_firewall function is being called twice.
UPDATE: it's QoS. selected == two rc_firewall calls, unselect == correct behavior.
Check out the changeset mentioned in orig post.
Cheers,
sanity: same behavior with dd-wrt.v24-48138_NEWD-2_K3.x-big-RT-N66U.trx
Joined: 08 May 2018 Posts: 12446 Location: Texas, USA
Posted: Thu Jan 20, 2022 16:09 Post subject:
egc wrote:
As a rule I always precede my iptables rule by the same rule with -D instead of -I exactly to counter this kind of behaviour.
I presume this is exactly what this reply meant:
Quote:
commands need to consider that they need to cleanup the own mess before adding new crap
egc wrote:
(But of course solving the root cause is recommended, but not always easy, DDWRT has a habit of multiple stopping/starting of services and it looks like not everything is re-entrant)
And this is probably the crux of the issue. It seems that anything that affects the WAN (QoS, SFE, etc.) likely restarts / recalls the firewall; these should probably be considered before starting the firewall?
lazardo wrote:
UPDATE: its QoS. selected == two rc_firewall calls, unselect == correct behavior.
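egc's workaround above (run the rule with -D before the -I) makes an rc_firewall entry safe to execute more than once. The helper below is an added example written for this thread, not DD-WRT code and not egc's script; it wraps that pattern and also handles the case where earlier double calls have already left several copies in the chain. The function name ipt_insert_once, the IPT variable and the use of iptables -C (available in iptables 1.4.11 and later) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent "insert once" helper
# for rc_firewall. Same idea as egc's "-D, then -I", extended so that a
# rule already present more than once (the QoS double-call symptom above)
# still ends up present exactly once.
# Assumed names: ipt_insert_once, IPT. Assumes iptables supports -C.

IPT=${IPT:-iptables}

# usage: ipt_insert_once CHAIN POSITION RULE-SPEC...
# e.g.   ipt_insert_once FORWARD 2 -s 192.168.2.20 -j REJECT
ipt_insert_once() {
    chain=$1
    pos=$2
    shift 2

    # egc's step: delete one existing copy of the rule. The "Bad rule"
    # error when no copy exists is expected and harmless, so it is silenced.
    $IPT -D "$chain" "$@" 2>/dev/null

    # If rc_firewall already ran more than once, more copies may remain.
    # -C exits 0 while a matching rule exists; keep deleting until none is
    # left. If -C is unsupported it exits non-zero and the loop is skipped,
    # leaving behaviour identical to the plain "-D then -I" pattern.
    while $IPT -C "$chain" "$@" 2>/dev/null; do
        $IPT -D "$chain" "$@" || break
    done

    # Now insert the rule exactly once at the requested position.
    $IPT -I "$chain" "$pos" "$@"
}
```

To use it, paste the function at the top of the firewall script and replace a line such as `iptables -I FORWARD 2 -s 192.168.2.20 -j REJECT` with `ipt_insert_once FORWARD 2 -s 192.168.2.20 -j REJECT`. Setting IPT to another binary (for example a logging wrapper) lets the script be dry-run off the router. This only hides the symptom in the thread; the double call itself is still worth fixing at the source, as the thread notes.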