#17772: firewall zone extra* options suppress rule creation
-------------------------+------------------------
Reporter: i@… | Owner: developers
Type: defect | Status: new
Priority: normal | Milestone:
Component: base system | Version: Trunk
Keywords: |
-------------------------+------------------------
I have a firewall zone configured as follows (the `extra_src`/`extra_dest` options are presumably intended to keep 10.0.0.0/8 traffic out of this zone):
{{{
config zone 'internet'
option name 'internet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option device '+'
option extra_src '-s !10.0.0.0/8'
option extra_dest '-d !10.0.0.0/8'
}}}
However, although the zone chains are created, none of the rules that actually classify traffic into the zone are generated: the `zone_internet_src_ACCEPT`/`zone_internet_dest_ACCEPT` rules and the `delegate_*` jumps present in the second listing below are absent here, and there is no indication of this in the printed ruleset. The effect is that the zone's configured input/output/forward policies are silently never applied to any traffic. It may also be worth checking whether fw3 accepts the intrapositioned negation form `-s !10.0.0.0/8` at all (current iptables prefers `! -s 10.0.0.0/8`); a rejected extra option would be one explanation for the rules being dropped without an error:
{{{
root@hg:~# fw3 -4 print|grep internet
iptables -t filter -N zone_internet_input
iptables -t filter -N zone_internet_output
iptables -t filter -N zone_internet_forward
iptables -t filter -N zone_internet_src_ACCEPT
iptables -t filter -N zone_internet_dest_ACCEPT
iptables -t filter -N input_internet_rule
iptables -t filter -N output_internet_rule
iptables -t filter -N forwarding_internet_rule
iptables -t filter -A zone_internet_input -m comment --comment "user chain
for input" -j input_internet_rule
iptables -t filter -A zone_internet_output -m comment --comment "user
chain for output" -j output_internet_rule
iptables -t filter -A zone_internet_forward -m comment --comment "user
chain for forwarding" -j forwarding_internet_rule
iptables -t filter -A zone_internet_input -m conntrack --ctstate DNAT -m
comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_internet_forward -m conntrack --ctstate DNAT -m
comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_internet_input -j zone_internet_src_ACCEPT
iptables -t filter -A zone_internet_forward -j zone_internet_dest_ACCEPT
iptables -t filter -A zone_internet_output -j zone_internet_dest_ACCEPT
iptables -t nat -N zone_internet_postrouting
iptables -t nat -N zone_internet_prerouting
iptables -t nat -N prerouting_internet_rule
iptables -t nat -N postrouting_internet_rule
iptables -t nat -A zone_internet_prerouting -m comment --comment "user
chain for prerouting" -j prerouting_internet_rule
iptables -t nat -A zone_internet_postrouting -m comment --comment "user
chain for postrouting" -j postrouting_internet_rule
iptables -t raw -N zone_internet_notrack
iptables -t raw -A zone_internet_notrack -j CT --notrack
}}}
Compared to the same zone without the `extra_*` options (note this variant also sets forward to ACCEPT rather than REJECT, so the comparison is not perfectly controlled):
{{{
config zone 'internet'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'internet'
option device '+'
}}}
which yields the complete ruleset, including the per-zone ACCEPT rules and the `delegate_*` jumps that bind the zone to its devices:
{{{
iptables -t filter -N zone_internet_input
iptables -t filter -N zone_internet_output
iptables -t filter -N zone_internet_forward
iptables -t filter -N zone_internet_src_ACCEPT
iptables -t filter -N zone_internet_dest_ACCEPT
iptables -t filter -N input_internet_rule
iptables -t filter -N output_internet_rule
iptables -t filter -N forwarding_internet_rule
iptables -t filter -A zone_internet_input -m comment --comment "user chain
for input" -j input_internet_rule
iptables -t filter -A zone_internet_output -m comment --comment "user
chain for output" -j output_internet_rule
iptables -t filter -A zone_internet_forward -m comment --comment "user
chain for forwarding" -j forwarding_internet_rule
iptables -t filter -A zone_internet_input -m conntrack --ctstate DNAT -m
comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_internet_forward -m conntrack --ctstate DNAT -m
comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_internet_input -j zone_internet_src_ACCEPT
iptables -t filter -A zone_internet_forward -j zone_internet_dest_ACCEPT
iptables -t filter -A zone_internet_output -j zone_internet_dest_ACCEPT
iptables -t filter -A zone_internet_src_ACCEPT -i + -j ACCEPT
iptables -t filter -A zone_internet_dest_ACCEPT -o + -j ACCEPT
iptables -t filter -A delegate_input -i + -j zone_internet_input
iptables -t filter -A delegate_output -o + -j zone_internet_output
iptables -t filter -A delegate_forward -i + -j zone_internet_forward
iptables -t nat -N zone_internet_postrouting
iptables -t nat -N zone_internet_prerouting
iptables -t nat -N prerouting_internet_rule
iptables -t nat -N postrouting_internet_rule
iptables -t nat -A zone_internet_prerouting -m comment --comment "user
chain for prerouting" -j prerouting_internet_rule
iptables -t nat -A zone_internet_postrouting -m comment --comment "user
chain for postrouting" -j postrouting_internet_rule
iptables -t nat -A delegate_prerouting -i + -j zone_internet_prerouting
iptables -t nat -A delegate_postrouting -o + -j zone_internet_postrouting
iptables -t raw -N zone_internet_notrack
iptables -t raw -A zone_internet_notrack -j CT --notrack
iptables -t raw -A delegate_notrack -i + -j zone_internet_notrack
}}}
--
Ticket URL: <https://dev.openwrt.org/ticket/17772>