Closed coldspring67 closed 11 months ago
Perspective:
Afwall uses the iptables command, loading the rules sequentially. It would work a lot faster for large rulesets with the iptables-restore command (proposed & rejected in #749).
ref: https://www.frozentux.net/iptables-tutorial/chunkyhtml/c1798.html
Thank you Fry-kun for your comment. It has led me to the following solution:
Solution Do not use a custom script with many iptables rules. Use instead a custom script in AFWall+ with this command:

iptables-restore -c -n < /data/local/iptables-save.txt

It works faster (reason: https://www.frozentux.net/iptables-tutorial/chunkyhtml/c1798.html) and (hence) without an error applying iptables rules when used as a custom script in AFWall+. The file iptables-save.txt contains the iptables rules without the command iptables, with one additional line at the beginning (*filter) and one additional line at the end (COMMIT):

*filter
-A afwall -d 22.22.22.0/21 -j REJECT
...
<more rules>
...
COMMIT
I would argue this is a workaround and that Afwall+ should support iptables-save/iptables-restore natively.
Note also that the current iteration of Afwall doesn't provide these binaries! This means you're relying on an external dependency (maybe Magisk?) - at least find out what it is so you don't get left without it.
Background I use a very large custom script to block IPv4 addresses of large companies (Google, Facebook, Oracle, ...) based on ASN information (https://notabug.org/maloe/ASN_IPFire_Script). At the moment, this results in about 1,700 iptables rules.
Issue Very large custom scripts cause an error applying iptables rules.
Tests
Steps to reproduce the problem
Expected behaviour Applying iptables rules with large custom scripts without an error. At least an option to use very large custom scripts. If the problem is caused by a timeout: option to set a custom timeout.
Workaround Start the custom script in AFWall+ in the background with "/data/local/rules.sh &" (no dot "." at the beginning, but an ampersand "&" at the end). Make sure that the custom script waits with its iptables commands until the other rules of AFWall+ are enabled. I do this with the command "sleep 10s" (waits 10 seconds) at the beginning of the custom script.
Hard- and software
Device: Samsung Galaxy S5 SM-G900F
Android OS: LineageOS v18.1 (Android 11)
AFWall+: v3.6.0 from F-Droid (profile mode: whitelist)
Superuser: Magisk v24.3
Please let me know, if further information is needed.
Thank you, ukanth for great work!
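The following is an added example, not code from the issue author, from Fry-kun, or from the AFWall+ project, showing how a practitioner would build and apply the kind of iptables-restore file described above: it generates the *filter/COMMIT framing from a list of prefixes, counts the resulting rules as a sanity check, and runs iptables-restore --test (parse only, no commit) before applying with -n so the chains AFWall+ already installed are not flushed. The chain name afwall is the one from the ruleset in the post; the CIDR list, the temporary file paths and the regex-based prefix filter are this example's own assumptions. It also assumes the target chain already exists and that an iptables-restore binary is on PATH, which, as noted in the thread, AFWall+ itself does not ship.

```shell
#!/bin/sh
# Added example (not from the AFWall+ project or the issue): build an
# iptables-restore ruleset for a custom chain from a list of IPv4 prefixes
# and apply it atomically. Chain "afwall" is taken from the thread; the
# sample CIDRs below are constructed placeholders, not real ASN data.

# Write the ruleset to stdout: *filter header, one REJECT rule per prefix,
# COMMIT footer. The chain is assumed to exist already (AFWall+ creates it);
# iptables-restore -n does not create chains that are not declared in the file.
build_ruleset() {
    chain="$1"      # chain to append to, e.g. afwall
    cidr_file="$2"  # one IPv4 prefix per line; '#' comments and blank lines are ignored
    printf '*filter\n'
    # Drop comments/blank lines, then keep only tokens shaped like a.b.c.d or a.b.c.d/n
    # so a stray line cannot turn into a malformed rule that aborts the whole restore.
    grep -Ev '^[[:space:]]*(#|$)' "$cidr_file" |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
    while IFS= read -r cidr; do
        printf '%s %s -d %s -j REJECT\n' -A "$chain" "$cidr"
    done
    printf 'COMMIT\n'
}

# Number of -A rules in a generated file; compare against the prefix count
# before applying so silently filtered lines are noticed.
count_rules() {
    grep -c '^-A ' "$1"
}

# Apply a ruleset file. --test parses and constructs the ruleset without
# committing it, so a syntax error is caught before the live table is touched.
# -n (no flush) keeps the rules AFWall+ has already loaded.
apply_ruleset() {
    ruleset="$1"
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not on PATH; AFWall+ does not ship it (check your Magisk/busybox module)" >&2
        return 2
    fi
    iptables-restore --test -n < "$ruleset" || return 1
    iptables-restore -n < "$ruleset"
}

# Demo on a constructed prefix list: writes the ruleset to a temp file and
# prints the rule count (3; the "not-a-prefix" line is filtered out).
demo() {
    rules=$(mktemp) && cidrs=$(mktemp) || return 1
    cat > "$cidrs" <<'EOF'
# constructed sample list, one prefix per line (documentation ranges, RFC 5737)
192.0.2.0/24
198.51.100.0/24
not-a-prefix
203.0.113.0/24
EOF
    build_ruleset afwall "$cidrs" > "$rules"
    count_rules "$rules"
    rm -f "$rules" "$cidrs"
}

demo
```

On a device, point build_ruleset at the ASN-derived prefix list, write the output to the file AFWall+'s custom script feeds to iptables-restore, and call apply_ruleset from that script; the whole ruleset is then committed in one kernel transaction instead of 1,700 separate iptables invocations.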