#20249: firewall.user is not read on reload from LuCI
---------------------------------------------+-----------------------------
Reporter: Jérôme Poulin <jeromepoulin@…> | Owner: developers
Type: defect | Status: new
Priority: highest | Milestone: Chaos Calmer
Component: packages | (trunk)
Resolution: | Version: Trunk
| Keywords:
---------------------------------------------+-----------------------------
Comment (by anonymous):
Replying to [comment:3 Jérôme Poulin <jeromepoulin@…>]:
> I must admit that I'm surprised. I've never been bitten by this before
> because I was always using *_rule chains for my rules in firewall.user and
> assumed it was executed on every restart/reload.
>
> However, since I needed to block connections after they had gone through
> the firewall, it stopped working on reload since I was inserting stuff on
> top of zone_*_dest_ACCEPT and the reload was flushing this rule (the whole
> chain in fact).
You must be restoring your settings, or else you would have noticed these
lines in `/etc/firewall.user` as of CC 15.05-rc3:
{{{
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
}}}
Firewall rules inside the user chains (*_rule) are never flushed and
recreated on `reload`, that's why it tells you to put them into these user
chains. They are flushed and recreated on `restart` however.
This is also the reason why you thought that `/etc/firewall.user` is
always executed, because the firewall rules you put there (assuming you
put them into those user chains) are never touched during `reload`.
Notice the description for `option reload`:
{{{
Specifies whether the include should be called on reload - this
is only needed if the include injects rules into internal chains
}}}
So if you are injecting rules into the internal chains and you want them
recreated every time the firewall is reloaded, then you should modify the
include section in `/etc/config/firewall` as follows:
{{{
config include
option path '/etc/firewall.user'
option reload '1'
}}}
And here comes a subtle caveat that you might not be aware of...
You should probably compile your custom rules that inject inside internal
chains, and those that are put in the user chains into separate includes.
This is because if you set `option reload 1` for an include and you are
putting custom rules inside user chains, then you will find that you will
have redundant rules in those chains (remember that user chains are never
touched during `reload`).
This is how I set up my firewall includes, to give you an idea:
{{{
config include
option path '/etc/firewall.user'
option reload '0'
config include
option path '/etc/firewall.reload'
option reload '1'
}}}
I hope that clears this ticket up.
/ianp ;)
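The split-include layout above avoids duplicate rules by keeping user-chain rules out of the include that runs on reload. An alternative that a single include can use is to make every rule idempotent, so that it is safe to load with `option reload '1'` whether it targets a user chain or an internal chain. The script below is an added example written for this ticket discussion, not ianp's or OpenWrt's own code: it checks each rule with `iptables -C` before adding it. The chain `zone_wan_dest_ACCEPT` assumes a zone named `wan`; the addresses and port are constructed sample values. Setting `IPT` to another command lets the functions be exercised without a real firewall.

```shell
#!/bin/sh
# Added example: an idempotent firewall include that can be loaded with
# 'option reload 1' without producing redundant rules in user chains.
# Every rule is checked with 'iptables -C' (--check) before it is added.
# Chain names follow the ticket (forward_wan_rule, zone_wan_dest_ACCEPT,
# assuming a zone called 'wan'); addresses and ports are constructed.

IPT="${IPT:-iptables}"

# add_rule_once CHAIN ACTION RULE...
#   ACTION is -A (append) or -I (insert at top).
#   Adds RULE to CHAIN only if an identical rule is not already present.
#   Prints "added" or "present" so the caller can see what happened.
add_rule_once() {
    chain="$1"; action="$2"; shift 2
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        echo "present"
    else
        "$IPT" "$action" "$chain" "$@"
        echo "added"
    fi
}

# Rules in a user chain: never flushed on 'reload', so they must be
# idempotent if this include runs on reload (constructed sample subnet).
apply_user_chain_rules() {
    add_rule_once forward_wan_rule -A -s 192.0.2.0/24 -j DROP
}

# Rules in an internal chain: flushed and recreated on every 'reload',
# so this include has to run on reload to restore them (constructed host).
apply_internal_chain_rules() {
    add_rule_once zone_wan_dest_ACCEPT -I -d 198.51.100.10 -p tcp --dport 25 -j REJECT
}

# Apply everything when iptables is available (i.e. when run as an include);
# otherwise only the functions are defined.
if command -v "$IPT" >/dev/null 2>&1; then
    apply_internal_chain_rules
    apply_user_chain_rules
fi
```

With this include registered once under `option reload '1'`, a reload re-creates the internal-chain rule after fw3 flushes it, while the user-chain rule is reported as already present and is not duplicated.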
--
Ticket URL: <https://dev.openwrt.org/ticket/20249#comment:4>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets