openwrt / openwrt

This repository is a mirror of https://git.openwrt.org/openwrt/openwrt.git It is for reference only and is not active for check-ins. We will continue to accept Pull Requests here. They will be merged via staging trees then into openwrt.git.

firewall3: custom ip6tables rules fail with "No chain/target/match by that name." #10246

Open PolynomialDivision opened 2 years ago

PolynomialDivision commented 2 years ago

Include custom rules in /etc/firewall.user:

ip6tables -A forwarding_rule -o wg_+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1352
ip6tables -A forwarding_rule -i wg_+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1352
iptables -A forwarding_rule -o wg_+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1372
iptables -A forwarding_rule -i wg_+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1372

Now the ip6tables will fail with following on a restart of the firewall:

ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.

The normal iptables work flawlessly. To fix it, install ip6tables-legacy and use

ip6tables-legacy -A forwarding_rule -o wg_+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1352
ip6tables-legacy -A forwarding_rule -i wg_+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1352

ping @jow-

PolynomialDivision commented 2 years ago

Firewall 3 is not installing the correct ip6tables-legacy variant, see:

root@openwrt:~# opkg list | grep iptables
iptables-mod-ipopt - 1.8.7-7
iptables-zz-legacy - 1.8.7-7
root@openwrt:~# opkg list | grep ip6tables
ip6tables-nft - 1.8.7-7
kmod-ip6tables - 5.10.127-1

PolynomialDivision commented 2 years ago

Ping @champtar

champtar commented 2 years ago

What step did you follow to get in this situation ? Are you sure ip6tables-nft was not already selected/installed?

PolynomialDivision commented 2 years ago

You can compile an image using

git clone https://github.com/freifunk-berlin/bbb-configs

and then

ansible-playbook play.yml --limit ak36-core --tags image

Short story, I compile an image with imagebuilder using -firewall4 and firewall. Interestingly, olsr seems to depend on ip6tables-nft:

opkg remove ip6tables-nft
No packages removed.
Collected errors:
 * print_dependents_warning: Package ip6tables-nft is depended upon by packages:
 * print_dependents_warning:    olsrd
 * print_dependents_warning: These might cease to work if package ip6tables-nft is removed.

champtar commented 2 years ago

olsrd needs to depend on ip6tables again (now that my hack is merged), and in your image conf you need to explicitly depend on iptables-legacy / ip6tables-legacy

champtar commented 2 years ago

I'm not sure you need custom rules just for mss clamping btw

PolynomialDivision commented 2 years ago

olsrd needs to depend on ip6tables again (now that my hack is merged)

It already does? https://github.com/openwrt/routing/blob/9abed610185f60c7e2054f5466e0ba2c225154e7/olsrd/Makefile#L37

and in your image conf you need to explicitly depend on iptables-legacy / ip6tables-legacy

Shouldn't firewall3 automatically use ip(6)tables-legacy? Why is that needed?

I'm not sure you need custom rules just for mss clamping btw

Can you give me an example of how to do it without a custom rule?
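The two checks below are an added example written for this page; they are not code from the issue participants, from firewall3 or from opkg. The first check covers the backend mismatch shown in the opkg listing above (iptables resolved to the legacy provider, ip6tables to the nft provider, which is exactly the combination that makes firewall3's ip6tables calls fail with "No chain/target/match by that name"). The second covers champtar's remark that custom rules are not needed for MSS clamping: firewall3's zone option `mtu_fix` does that on its own, so the check reads a firewall config and reports whether a zone already has it. Both inputs are constructed samples embedded in the script so it runs offline; the zone names `lan` and `wg` and the network name `wg_tunnel` are hypothetical, and the parser assumes anonymous `config zone` sections identified by `option name` and provider packages named `<family>-legacy`, `<family>-zz-legacy` or `<family>-nft`.

```shell
#!/bin/sh
# Added example, not code from the openwrt issue or from firewall3/opkg.
# (1) detect iptables vs ip6tables backend mismatch in an opkg listing,
# (2) report whether a firewall3 zone already has option mtu_fix set.
# All inputs below are constructed samples, not captured output.

# Constructed stand-in for `opkg list | grep -E 'ip6?tables'` on the affected image.
SAMPLE_OPKG='iptables-mod-ipopt - 1.8.7-7
iptables-zz-legacy - 1.8.7-7
ip6tables-nft - 1.8.7-7
kmod-ip6tables - 5.10.127-1'

# Constructed /etc/config/firewall fragment with hypothetical zone names.
SAMPLE_FW="config zone
    option name 'lan'
    option forward 'ACCEPT'

config zone
    option name 'wg'
    list network 'wg_tunnel'
    option forward 'ACCEPT'
    option mtu_fix '1'
"

# backend_of FAMILY   (FAMILY = iptables | ip6tables), opkg listing on stdin.
# Prints legacy, nft, both or none. Assumes provider packages are named
# FAMILY-legacy, FAMILY-zz-legacy or FAMILY-nft, as in the listing above.
backend_of() {
    awk -v fam="$1" '
        $1 == (fam "-legacy") || $1 == (fam "-zz-legacy") { legacy = 1 }
        $1 == (fam "-nft")                                { nft = 1 }
        END {
            if (legacy && nft) print "both"
            else if (legacy)   print "legacy"
            else if (nft)      print "nft"
            else               print "none"
        }'
}

# backends_consistent LISTING: succeed only when both families resolve to
# one and the same backend (firewall3 needs the legacy one for both).
backends_consistent() {
    v4=$(printf '%s\n' "$1" | backend_of iptables)
    v6=$(printf '%s\n' "$1" | backend_of ip6tables)
    [ "$v4" = "$v6" ] && [ "$v4" != both ] && [ "$v4" != none ]
}

# zone_mtu_fix ZONE, firewall config on stdin.
# Prints the zone's mtu_fix value ("0" when unset) or "missing" if there is
# no zone of that name. Assumes anonymous "config zone" sections whose name
# is given by "option name"; named sections (config zone 'x') are not parsed.
zone_mtu_fix() {
    awk -v want="$1" -v q="'" '
        function unq(s) { gsub(q, "", s); return s }
        function flush() { if (sect == "zone" && name != "") out[name] = fix }
        $1 == "config" { flush(); sect = $2; name = ""; fix = "0"; next }
        sect == "zone" && $1 == "option" && $2 == "name"    { name = unq($3) }
        sect == "zone" && $1 == "option" && $2 == "mtu_fix" { fix = unq($3) }
        END {
            flush()
            r = (want in out) ? out[want] : "missing"
            print r
        }'
}

# Demo run on the constructed samples.
if backends_consistent "$SAMPLE_OPKG"; then
    echo "iptables/ip6tables backends are consistent"
else
    echo "backend mismatch: iptables=$(printf '%s\n' "$SAMPLE_OPKG" | backend_of iptables)" \
         "ip6tables=$(printf '%s\n' "$SAMPLE_OPKG" | backend_of ip6tables)"
fi
for z in lan wg; do
    echo "zone $z: mtu_fix=$(printf '%s\n' "$SAMPLE_FW" | zone_mtu_fix "$z")"
done
```

On a real router replace the samples with `opkg list | grep -E 'ip6?tables'` and `cat /etc/config/firewall`. A zone with `option mtu_fix '1'` makes firewall3 add its own `TCPMSS --clamp-mss-to-pmtu` rules for that zone's interfaces, which is the no-custom-rule route to MSS clamping; the difference from the rules in /etc/firewall.user is that clamping to PMTU derives the MSS from the interface MTU (so the wg interface's MTU must be set correctly) rather than pinning it to a fixed value such as 1352.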