ukanth / afwall

AFWall+ (Android Firewall +) - iptables based firewall for Android
GNU General Public License v3.0

[ISSUE] AFWall+ v3.6.0 Very large Custom Scripts Cause an Error Applying Iptables Rules #1367

Closed coldspring67 closed 11 months ago

coldspring67 commented 11 months ago

Background I use a very large custom script to block ipv4 of large companies (Google, Facebook, Oracle, ...) based on ASN information (https://notabug.org/maloe/ASN_IPFire_Script). At the moment, this results in about 1,700 iptables rules.

Issue Very large custom scripts cause an error applying iptables rules.

Tests

  1. Instead of using the custom script in AFWall+, after enabling the other rules of AFWall+ I tested starting the script in a shell. It completed without an iptables error.
  2. I tested shorter variants of the custom script in AFWall+. Around (!) the limit of 400 rules the custom script caused the error only sometimes. Hence, the error could be caused by a timeout. My device is very old (2014) and slow; with newer and faster devices the limit may be higher.

Steps to reproduce the problem

  1. Write a very large custom script with hundreds or (better) thousands of iptables rules.
  2. Include the script in AFWall+ (e.g. ". /data/local/rules.sh")
  3. Press "ok" -> error applying iptables rules

Expected behaviour Applying iptables rules with large custom scripts without an error. At least an option to use very large custom scripts. If the problem is caused by a timeout: option to set a custom timeout.

Workaround Start the custom script in AFWall+ in the background with "/data/local/rules.sh &" (no dot "." at the beginning, but an ampersand "&" at the end). Make sure that the custom script waits with its iptables commands until the other rules of AFWall+ are enabled. I do this with the command "sleep 10s" (waits 10 seconds) at the beginning of the custom script.

Hard- and software
Device: Samsung Galaxy S5 SM-G900F
Android OS: LineageOS v18.1 (Android 11)
AFWall+: v3.6.0 from F-Droid (profile mode: whitelist)
Superuser: Magisk v24.3

Please let me know, if further information is needed.

Thank you, ukanth for great work!

Fry-kun commented 11 months ago

Perspective: Afwall uses the iptables command, loading the rules sequentially. It would work a lot faster for large rulesets with the iptables-restore command (proposed & rejected in #749)

ref: https://www.frozentux.net/iptables-tutorial/chunkyhtml/c1798.html

coldspring67 commented 11 months ago

Thank you Fry-kun for your comment. It has led me to the following solution:

Solution Do not use a custom script with many iptables rules. Use instead a custom script in AFWall+ with this command:

iptables-restore -c -n < /data/local/iptables-save.txt

It works faster (reason: https://www.frozentux.net/iptables-tutorial/chunkyhtml/c1798.html) and (hence) without an error applying iptables rules when used as custom script in AFWall+. The file iptables-save.txt contains the iptables rules without the command iptables and one additional line at the beginning (*filter) and one additional line at the end (COMMIT):

*filter
-A afwall -d 22.22.22.0/21 -j REJECT
...
<more rules>
...
COMMIT

Fry-kun commented 11 months ago

I would argue this is a workaround and that Afwall+ should support iptables-save/iptables-restore natively. Note also that the current iteration of Afwall doesn't provide these binaries! This means you're relying on an external dependency (maybe Magisk?) - at least find out what it is so you don't get left without it
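The following is an added example, not code from the AFWall+ project or from either commenter, covering two points of the thread above: the iptables-restore file format coldspring67 describes (*filter header, "-A afwall" lines, COMMIT) and Fry-kun's warning that the iptables-restore binary is not shipped by AFWall+ and must be checked for. It assumes the chain name "afwall" and the sample CIDR list embedded below (RFC 5737 documentation ranges, constructed for the example); in practice the list would be generated from ASN data as in the original post. Two caveats a practitioner should know: the file deliberately contains no ":afwall - [0:0]" line, because iptables-restore flushes an existing user chain named on a ":" line even in --noflush (-n) mode, which would discard the rules AFWall+ itself installed; and the file is parsed with --test before it is loaded, so a malformed line fails early rather than half-way through a COMMIT.

```shell
#!/bin/sh
# Added example (not AFWall+ code): build an iptables-restore file from a
# CIDR list and load it without flushing the rules AFWall+ already installed.
# Assumptions: chain name "afwall" (AFWall+'s chain as used in the thread) and
# the constructed sample list below.

# Constructed sample input: one CIDR per line, "#" comments allowed.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/25 are RFC 5737 test ranges.
ASN_LIST='# constructed sample list
203.0.113.0/24
198.51.100.0/24
192.0.2.0/25
not-a-cidr
'

# Validate an IPv4 CIDR: four octets 0-255 and a prefix length 0-32.
# Anything that does not pass is skipped so it can never reach iptables-restore.
valid_cidr() {
    cidr=$1
    ip=${cidr%/*}
    len=${cidr#*/}
    [ "$cidr" != "$ip" ] || return 1                 # no "/" at all
    case "$len" in *[!0-9]*|'') return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*|'') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit an iptables-restore file on stdout: "*filter", one REJECT per CIDR
# appended to the existing chain, then "COMMIT". Only "-A <chain>" lines are
# written: a ":<chain> - [0:0]" line would flush that chain even under
# --noflush and wipe AFWall+'s own rules.
gen_restore_file() {
    chain=${1:-afwall}
    echo '*filter'
    printf '%s\n' "$ASN_LIST" | while IFS= read -r line; do
        line=${line%%#*}                             # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t')    # strip whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "-A $chain -d $line -j REJECT"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done
    echo 'COMMIT'
}

# Number of rules the generated file would add (useful for a sanity check).
count_rules() {
    gen_restore_file 2>/dev/null | grep -c '^-A '
}

# Load the file. AFWall+ does not ship iptables-restore, so check for it first
# (the ROM or a Magisk module has to provide it), parse with --test, and only
# then load with -n/--noflush so the existing filter table is kept.
apply_restore_file() {
    file=$1
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found in PATH" >&2
        return 2
    }
    iptables-restore --test -n < "$file" || return 1
    iptables-restore -n < "$file"
}

# Usage (as root, from the AFWall+ custom script):
#   gen_restore_file > /data/local/iptables-save.txt
#   apply_restore_file /data/local/iptables-save.txt
```

The generated file is applied with "iptables-restore -n", which is the same call as in the solution comment minus "-c" (counter restore is not needed for freshly generated rules). Regenerate the file whenever the ASN list changes; the custom script itself stays a single command, which is what avoids the per-rule overhead the thread attributes to the error.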