[solved] rc_firewall = duplicate rules

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 110
Location: SF Bay Area

PostPosted: Wed Jan 19, 2022 20:04    Post subject: [solved] rc_firewall = duplicate rules Reply with quote
Update: fixed in r48141
[MOD -> General if appropriate]

In recent builds iptables rules entered in rc_firewall occur twice, that is, one entry generates two identical rules. Existing svn tickets suggest duplicate calls rather than exuberance, I suspect this also.

Found in 47976 and 48075.

Code:
$ ssh -p 22222 root@192.168.2.251 "nvram get rc_firewall; echo ====; iptables -nvL FORWARD | head -n 10"
DD-WRT v3.0-r48075 mega (c) 2022 NewMedia-NET GmbH
Release: 01/10/22
Board: Asus RT-N66U
iptables -I FORWARD 2 -s 192.168.2.20 -j REJECT
====
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       192.168.2.20         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.168.2.20         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 lan2wan    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 logreject  tcp  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0           WEBSTR match content 2
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 logdrop    tcp  --  *      vlan2   0.0.0.0/0            0.0.0.0/0            tcp dpt:1723

Not new:
https://svn.dd-wrt.com/ticket/7135
https://svn.dd-wrt.com/changeset/40375
https://svn.dd-wrt.com/ticket/6718

pedestrian setup: ISP -> bridged DSL -> dd-wrt <gateway, firewall, QoS for wifi, dnsmasq/dhcp>.

Cheers,


Last edited by lazardo on Wed Jan 26, 2022 22:54; edited 4 times in total
Sponsor
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12406
Location: Texas, USA

PostPosted: Wed Jan 19, 2022 21:30    Post subject: Reply with quote
The funny thing about 6718 is that I had no added rules or firewall script, I was literally posting the defaults from the router I was looking at. Try disabling block anonymous WAN requests (ping), save, reboot and see if it's still duplicated. I have a feeling that some of the options on the firewall page are to blame, perhaps; OR, it's a syntax problem on adding to your firewall script from Administration -> Commands. Anyhow, I've emailed BrainSlayer about this.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 110
Location: SF Bay Area

PostPosted: Thu Jan 20, 2022 6:47    Post subject: Reply with quote
kernel-panic69 wrote:
The funny thing about 6718 is that I had no added rules or firewall script, I was literally posting the defaults from the router I was looking at. Try disabling block anonymous WAN requests (ping), save, reboot and see if it's still duplicated. I have a feeling that some of the options on the firewall page are to blame, perhaps; OR, it's a syntax problem on adding to your firewall script from Administration -> Commands. Anyhow, I've emailed BrainSlayer about this.


Not syntax, not anon ping Sad

Using ssh to push rc_firewall to nvram directly, same result.

During GUI testing I managed to catch it immediately after 'apply' and it worked correctly. 1/2 second later, before reboot, double entries. rc_firewall function is being called twice.

UPDATE: its QoS. selected == two rc_firewall calls, unselect == correct behavior.

Check out the changeset mentioned in orig post.
Cheers,

sanity: same behavior with dd-wrt.v24-48138_NEWD-2_K3.x-big-RT-N66U.trx
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 9568
Location: Netherlands

PostPosted: Thu Jan 20, 2022 15:46    Post subject: Reply with quote
As a rule I always precede my iptables rule by the same rule with -D instead of -I exactly to counter this kind of behaviour.

(But of course solving the root cause is recommended, but not always easy, DDWRT has a habit of multiple stopping/starting of services and it looks like not everything is re-entrant)

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12406
Location: Texas, USA

PostPosted: Thu Jan 20, 2022 16:09    Post subject: Reply with quote
egc wrote:
As a rule I always precede my iptables rule by the same rule with -D instead of -I exactly to counter this kind of behaviour.

I presume this is exactly what this reply meant:
Quote:
commands need to consider that they need to cleanup the own mess before adding new crap

egc wrote:
(But of course solving the root cause is recommended, but not always easy, DDWRT has a habit of multiple stopping/starting of services and it looks like not everything is re-entrant)

And this is probably the crux of the issue. It seems that anything that affects the WAN (QoS, SFE, etc.) likely restarts / recalls the firewall; these should probably be considered before starting the firewall?
lazardo wrote:
UPDATE: its QoS. selected == two rc_firewall calls, unselect == correct behavior.

Check out the changeset mentioned in orig post.

There are *many* commits since then, and part of that changeset does not currently exist in the current firewall code, which is what you should be looking at, anyway. Of course, file locations have changed since that commit as well...

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 110
Location: SF Bay Area

PostPosted: Thu Jan 20, 2022 21:52    Post subject: Reply with quote
Update: fixed in r48141

The following appear in the current firewall.c and qos.c:
Code:
{
                runStartup(".firewall");
                create_rc_file(RC_FIREWALL);
                if (f_exists("/tmp/.rc_firewall")) {
                        setenv("PATH", "/sbin:/bin:/usr/sbin/usr/bin", 1);
                        system("/tmp/.rc_firewall");
                }
}


Straightforward, unless sideloaded elsewhere such that RC_FIREWALL is called twice.

With qos on:
* default generated firewall rules + rc_firewall
then, 1/2 second later
* default generated firewall rules + rc_firewall + rc_firewall

with qos off:
* default generated firewall rules + rc_firewall

Strange magic: I always directly altered /tmp/.ipt at boot not knowing about rc_firewall.

Cheers,
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum