firewall: port forward with ipset #7486

Open

vargalex opened this issue Dec 19, 2024 · 9 comments

Comments

@vargalex

Is there an existing issue for this?

  • I have searched the existing issues

Screenshots or captures

No response

Actual behaviour

Hi!

I have defined an ipset with match type src_ip. I added some entries (source IPs) to it. I defined a port forward for my local server using the previously defined ipset. I click Save & Apply and all works as expected.
When I add a new IP to the ipset and click Save & Apply, then I can reach the server from the new IP too. But when I delete some IPs (even just one) from the ipset and click Save & Apply, the server can still be reached from the deleted source IPs until I manually restart the firewall. The main problem with this for me is that I need to modify this ipset (automatically, by a script) over JSON RPC.

Expected behaviour

When I modify my ipset entries and click Save & Apply, the deleted source IPs should no longer be able to reach the server.

Steps to reproduce

  1. Go to Network->Firewall->IP Sets
  2. Click Add
  3. Set a Name for it, change the Packet Field Match to src_ip: Source IP, add some IPs to the ipset
  4. Save it
  5. Go to Network->Firewall->Port Forwards
  6. Click Add
  7. Set a Name for it, set the External port, set the Internal IP address, the Internal port and on the Advanced settings tab set the previously saved ipset
  8. Click Save & Apply
  9. Now you can reach your internal device on the External port from the defined IP addresses
  10. Go to Network->Firewall->IP Sets
  11. Click Edit on the previously defined IP set
  12. Delete some IPs from it and, if you want, add a new one
  13. Click Save & Apply
  14. You can still reach the internal device on the external port from the deleted IP address

Additional Information

NAME="OpenWrt"
VERSION="23.05.5"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 23.05.5"
VERSION_ID="23.05.5"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r24106-10cc5fcd00"
OPENWRT_BOARD="ramips/mt7621"
OPENWRT_ARCH="mipsel_24kc"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 23.05.5 r24106-10cc5fcd00"

But the same happens on 24.10.0-rc2.

What browsers do you see the problem on?

No response

Relevant log output

No response

jow- (Contributor) commented Dec 19, 2024

Try echo f > /proc/net/nf_conntrack to flush conntrack. It's likely lingering conntrack entries allowing those deleted IPs to continue working.

vargalex (Author) commented Dec 19, 2024

> Try echo f > /proc/net/nf_conntrack to flush conntrack. It's likely lingering conntrack entries allowing those deleted IPs to continue working.

Hi Jow!

Running this command is not a problem on the router itself (or, as I wrote, restarting the firewall). But what can I do over the JSON-RPC API?

jow- (Contributor) commented Dec 19, 2024

You could issue a restart call using object "rc", method "init" and arguments { "name": "firewall", "action": "restart" }
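The rc/init call above, carried out as an HTTP JSON-RPC exchange, written here as an added example (not LuCI project code). It assumes the router exposes ubus over HTTP at http://<router>/ubus (the uhttpd ubus handler that LuCI itself uses), that the login user has an rpcd ACL granting the rc object's init method, and that curl is available on the calling host; ROUTER, USER and PASSWORD are placeholders. Because the ACL is granted per object and method, an account allowed to call rc init can restart any init script, not just the firewall, so give this to a dedicated restricted user rather than root.

```shell
#!/bin/sh
# Restart the OpenWrt firewall through the ubus JSON-RPC endpoint.
# Added example; not part of LuCI/OpenWrt. Assumes http://<router>/ubus and an
# rpcd ACL that permits "rc" / "init" for the user that logs in.
set -eu

# JSON-RPC 2.0 envelope for a ubus call: params = [session, object, method, args].
# $1 = id, $2 = session id, $3 = object, $4 = method, $5 = args (a JSON object).
rpc_payload() {
    printf '{"jsonrpc":"2.0","id":%s,"method":"call","params":["%s","%s","%s",%s]}' \
        "$1" "$2" "$3" "$4" "$5"
}

# Login uses the well-known all-zero "null" session id. Username/password are
# inserted verbatim; passwords containing quotes or backslashes would need escaping.
login_payload() {
    rpc_payload 1 00000000000000000000000000000000 session login \
        "$(printf '{"username":"%s","password":"%s"}' "$1" "$2")"
}

# The call from the comment: object "rc", method "init", name=firewall, action=restart.
restart_firewall_payload() {
    rpc_payload 2 "$1" rc init '{"name":"firewall","action":"restart"}'
}

# Pull ubus_rpc_session out of the login response without jq (busybox-friendly sed).
session_from_response() {
    sed -n 's/.*"ubus_rpc_session":"\([0-9a-f]*\)".*/\1/p'
}

# Log in, then issue the restart. $1 = router host, $2 = user, $3 = password.
restart_firewall() {
    url="http://$1/ubus"
    sid=$(curl -fsS -H 'Content-Type: application/json' \
              -d "$(login_payload "$2" "$3")" "$url" | session_from_response)
    [ -n "$sid" ] || { echo "login failed" >&2; return 1; }
    curl -fsS -H 'Content-Type: application/json' \
         -d "$(restart_firewall_payload "$sid")" "$url"
    echo
}

# Run only when installed under this name, so the functions can also be sourced.
case "${0##*/}" in ubus-fw-restart*) restart_firewall "$@" ;; esac
```

Save it as ubus-fw-restart and call it as `ubus-fw-restart ROUTER USER PASSWORD`; a successful restart answers with `{"jsonrpc":"2.0","id":2,"result":[0]}`, while an ACL that does not cover rc init yields the ubus permission-denied status code instead of 0.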

vargalex (Author)

I have now tested flushing the conntrack table with your command. The status did not change after that; I can still connect from the deleted source IP.

jow- (Contributor) commented Dec 19, 2024

Ah, then it's not conntrack related but due to the fact that the firewall does not repopulate ipsets on reload, which is intentional. You will need to issue an explicit service restart call.

vargalex (Author)

As I wrote, when I add a new IP to the ipset, then I can reach the service from the newly added source IP, but from the deleted IP too. So I think the reload somehow partially repopulates the ipset...

jow- (Contributor) commented Dec 19, 2024

Yes, IIRC only new entries from the configuration are added, but existing ones are not purged, since the firewall program cannot determine whether those entries have been removed from the config or whether they have been added by external programs.

vargalex (Author) commented Dec 19, 2024

OK. Thanks for the explanation. Can I run nft commands over the JSON RPC API?

vargalex (Author) commented Dec 19, 2024

According to the JSON RPC API documentation I can directly run nft commands with the system.call method. With this, I can directly remove an IP address from an IP set and add another IP address to the set. When my IP set name is test and the IP address to remove is 1.2.3.4, then I must run nft delete element inet fw4 test { 1.2.3.4 }. And with nft add... I can add another IP to the set. With this the changes happen immediately.
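The per-entry nft delete element / nft add element commands above, generalized into an added shell script that is not part of OpenWrt or LuCI. Since a firewall reload adds new ipset entries but never purges removed ones (jow-'s explanation above), a source address removed from the config keeps its access until something deletes the live element. The script reads the entries configured for a named ipset from /etc/config/firewall, compares them with the elements currently loaded in the matching nft set, and issues one nft element operation per difference, so the rest of the ruleset and conntrack state are left alone. Assumptions: fw4 (OpenWrt 22.03 or later), the set lives in table inet fw4 under the ipset's configured name, entries are stored as `list entry` values, and the set has no per-element timeout or comment (those would need a different parser); the script name fw4-ipset-sync and the DRY_RUN variable are my own choices.

```shell
#!/bin/sh
# fw4-ipset-sync <ipset-name>
# Reconcile the live nft set that fw4 created for an OpenWrt ipset with the
# "list entry" values in /etc/config/firewall. Added example, not OpenWrt code.
# Assumes fw4, table "inet fw4", set named like the ipset, and elements without
# per-element timeout/comment.
set -eu

# Print the elements of an nft set, one per line, given the output of
# "nft list set inet fw4 <name>" on stdin. Handles single- and multi-line lists.
parse_nft_elements() {
    sed -n '/elements = {/,/}/p' \
      | sed -e 's/.*elements = {//' -e 's/}.*//' \
      | tr ',' '\n' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Lines of list $1 that are not present in list $2 (both newline separated).
list_minus() {
    printf '%s\n' "$1" | awk -v other="$2" '
        BEGIN { n = split(other, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# Entries configured for the ipset named $1 (named or anonymous section), one per line.
configured_entries() {
    sec=$(uci -q show firewall | grep "\.name='$1'$" | head -n1 \
          | sed -e 's/^firewall\.//' -e 's/\.name=.*//')
    [ -n "$sec" ] || { echo "no ipset named '$1' in /etc/config/firewall" >&2; return 1; }
    uci -q get "firewall.$sec.entry" | tr ' ' '\n'
}

# Elements currently loaded in the kernel for the set named $1.
live_entries() {
    nft list set inet fw4 "$1" | parse_nft_elements
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Delete live elements that are no longer configured, then add configured
# elements that are not yet loaded. Deletions go first so revoked addresses
# lose access even if a later add fails.
sync_set() {
    cfg=$(configured_entries "$1")
    live=$(live_entries "$1")
    for ip in $(list_minus "$live" "$cfg"); do
        run nft delete element inet fw4 "$1" "{ $ip }"
    done
    for ip in $(list_minus "$cfg" "$live"); do
        run nft add element inet fw4 "$1" "{ $ip }"
    done
}

main() {
    [ $# -eq 1 ] || { echo "usage: ${0##*/} <ipset-name>" >&2; exit 2; }
    sync_set "$1"
}

# Run only when installed under this name, so the functions can also be sourced.
case "${0##*/}" in fw4-ipset-sync*) main "$@" ;; esac
```

Install it as /usr/bin/fw4-ipset-sync on the router and run `DRY_RUN=1 fw4-ipset-sync test` after editing the ipset to see the exact nft commands before letting it apply them. The comparison is textual, so if the set carries `flags interval` with `auto-merge` and the kernel has merged adjacent prefixes, the merged element will be reported as stale and the original prefixes as missing; the result is still a set that matches the config, just with one extra round of delete and add.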
