HELLO_wORLD
Very Senior Member
Hi all,
I try to understand the logic of net-wall (the DNI binary version, renamed net-wall-bin in @Voxel's firmware).
We know its function is to start, restart or stop the internal firewall, and that it is opaque (not open source).
It also builds the default rules (with the rule argument).
With the -6 argument, it starts, stops, or restarts the IPv6 firewall.
In effect, it does wipe out iptables (or ip6tables) chains and rebuild them according to router settings. It might do other things, but since it is opaque...
I am not talking here about the net-wall wrapper script that @Voxel provides in his firmware. The wrapper sets some extra rules and calls the custom firewall-start.sh or firewall6-start.sh if they exist.
I noticed this:
Calling net-wall restart does reset iptables (IPv4) with all expected rules,
However, it also resets ip6tables (IPv6) with some rules (dropping some tcp ports from WAN) but not all (IPv6-CONE is missing, for example, as are the localhost icmp dropping rules).
Calling net-wall -6 restart does reset ip6tables (IPv6) with this time all expected rules (IPv6-CONE is here as well as icmp rules).
It leaves iptables alone (not being reset), meaning anything IPv4 is untouched.
I believe that net-wall restart (or start) should not reset ip6tables at all and only work on IPv4, the same way net-wall -6 restart does only work on IPv6.
In the past, for a while, I had the expected behavior (net-wall restart would not touch ip6tables), but I don’t know what changed since; it is not firmware related.
Anyway, it seems to be a bug in DNI net-wall (net-wall-bin), and unfortunately we cannot access it (code not available to public).
With @Voxel we decided to not change anything to the wrapper for now.
In my case, I use a quick fix by adding a call to net-wall -6 restart in firewall-start.sh to make sure ip6tables is properly rebuilt and not missing some internal rules when net-wall restart (without -6) is called (since it messes up ip6tables).
Do you experience the same problem? If it is general, this could be fixed by simply calling net-wall -6 restart in the wrapper when net-wall restart is called. This is ugly, but since we cannot fix the binary, that is all I can think of.
There might be an nvram setting or other conf data that could make the binary behave as it should (since it did so for me at some point), but without sources, it is difficult to find...
For info, here is a previous discussion related to this: https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-72sf.59894/page-5
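As an added example (not the poster's script and not part of @Voxel's wrapper or of net-wall-bin), here is a shell guard for firewall-start.sh that makes the quick fix described above conditional: it reads the live ip6tables rule set and re-runs `net-wall -6 restart` only when an expected chain is actually absent, logging which chains were missing. The chain name IPv6-CONE is taken from the post; it is assumed that `ip6tables-save` and `logger` exist on the router and that `ip6tables-save` prints the usual save format (`:CHAIN POLICY [packets:bytes]` declaration lines). The two sample dumps are constructed for offline checking and are not real router output.

```shell
#!/bin/sh
# Added example; assumes ip6tables-save/logger are present on the router and
# that net-wall (the wrapper) accepts "-6 restart" as described in the post.

# chain_in_dump DUMP CHAIN -> exit 0 if the save-format DUMP declares CHAIN
# (save format declares every chain on a line of the form ":NAME POLICY [p:b]").
chain_in_dump() {
    printf '%s\n' "$1" | grep -q "^:$2 "
}

# missing_chains DUMP CHAIN... -> prints, one per line, the chains absent from DUMP
missing_chains() {
    dump=$1
    shift
    for c in "$@"; do
        chain_in_dump "$dump" "$c" || printf '%s\n' "$c"
    done
}

# ensure_ip6_rules CHAIN... -> re-runs 'net-wall -6 restart' only when one of the
# expected chains is missing from the live ip6tables. Returns 0 when nothing was
# missing (no restart), 1 when a restart was triggered.
ensure_ip6_rules() {
    live=$(ip6tables-save 2>/dev/null)
    missing=$(missing_chains "$live" "$@")
    [ -z "$missing" ] && return 0
    logger -t firewall-start \
        "ip6tables missing chains: $(printf '%s' "$missing" | tr '\n' ' '); running net-wall -6 restart"
    net-wall -6 restart
    return 1
}

# Constructed sample dumps (not real router output): one with IPv6-CONE present,
# one resembling the partial rule set the post reports after 'net-wall restart'.
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:IPv6-CONE - [0:0]
-A INPUT -p icmpv6 -j ACCEPT
COMMIT'
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i brwan -p tcp --dport 22 -j DROP
COMMIT'

# In firewall-start.sh, run the guard only when explicitly asked, e.g.
# "sh ensure-ip6.sh --apply", so that sourcing the file for its functions
# does not touch the firewall.
if [ "${1:-}" = "--apply" ]; then
    ensure_ip6_rules IPv6-CONE
fi
```

Checking for a chain declaration rather than re-running `net-wall -6 restart` unconditionally keeps firewall-start.sh idempotent: when net-wall-bin does leave ip6tables complete (the behaviour the poster saw for a while), nothing is restarted, and when it does not, the logger line records which chains were absent, which is the evidence you would want before reporting the behaviour to DNI or asking others whether they see the same.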