#20380: firewall zone name length of 12 characters or more breaks all networking
-------------------------+-----------------------------------
Reporter: tim@… | Owner: developers
Type: defect | Status: new
Priority: high | Milestone:
Component: base system | Version: Barrier Breaker 14.07
Keywords: |
-------------------------+-----------------------------------
Hi, I'm testing with OpenWrt 14.07 BB.
If one creates a firewall zone name that is 12 characters in
length or more, this results in non-working iptables rules that
break networking entirely on the device.
Booting in safe mode and shortening the name is the fix.
The issue is that iptables allows rules that are a maximum of 28
characters. The zone name is part of the iptables rules so if
the name is too long, the rule name has truncation at the end
and the whole table doesn't work as expected.
A simple fix is to limit the zone name length in LuCI to
a maximum of 11 characters.
Regards,
Tim Miller Dyck
==
Testing data:
using BARRIER BREAKER (14.07, r42625)
Check the generated rule names:
forwarding_ZONENAME_rule (1 references)
input_ZONENAME_rule (1 references)
output_ZONENAME_rule (1 references)
zone_ZONENAME_dest_ACCEPT (1 references) this is the longest one
zone_ZONENAME_dest_REJECT (1 references) this is the longest one
zone_ZONENAME_forward (0 references)
zone_ZONENAME_input (0 references)
zone_ZONENAME_output (0 references)
zone_ZONENAME_src_ACCEPT (1 references)
root@OpenWrt:~# iptables --version
iptables v1.4.21
Find the maximum iptables chain name length:
root@OpenWrt:~# iptables -N testchain01
root@OpenWrt:~# iptables -N testchain012
root@OpenWrt:~# iptables -N testchain0123
root@OpenWrt:~# iptables -N testchain01234
root@OpenWrt:~# iptables -N testchain012345
root@OpenWrt:~# iptables -N testchain0123456
root@OpenWrt:~# iptables -N testchain01234567
root@OpenWrt:~# iptables -N testchain012345678
root@OpenWrt:~# iptables -N testchain0123456789
root@OpenWrt:~# iptables -N testchain01234567890
root@OpenWrt:~# iptables -N testchain012345678901
root@OpenWrt:~# iptables -N testchain0123456789012
root@OpenWrt:~# iptables -N testchain01234567890123
root@OpenWrt:~# iptables -N testchain012345678901234
root@OpenWrt:~# iptables -N testchain0123456789012345
root@OpenWrt:~# iptables -N testchain01234567890123456
root@OpenWrt:~# iptables -N testchain012345678901234567
root@OpenWrt:~# iptables -N testchain0123456789012345678
so a 28 character length is OK
root@OpenWrt:~# iptables -N testchain01234567890123456789
iptables v1.4.21: chain name `testchain01234567890123456789' too long
(must be under 29 chars)
Try `iptables -h' or 'iptables --help' for more information.
but 29 characters is too long
So, considering the longest generated rule name:
zone_ZONENAME_dest_ACCEPT
There are 17 characters not including the zone name.
So 11 characters is the maximum working firewall zone name length.
--
Ticket URL: <https://dev.openwrt.org/ticket/20380>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
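
The length check the ticket proposes, written as an added example (not code from the ticket or from OpenWrt): it derives the limit from the chain-name templates and the 28-character maximum reported above, then audits a UCI-style firewall config for zone names that would overflow. Function names and the sample config are constructed for illustration, and zone names are assumed to be single words.

```shell
#!/bin/sh
MAX_CHAIN_LEN=28   # from the ticket: iptables v1.4.21, "must be under 29 chars"

# Chain-name templates listed in the ticket; ZONENAME is substituted.
TEMPLATES="forwarding_ZONENAME_rule input_ZONENAME_rule output_ZONENAME_rule
zone_ZONENAME_dest_ACCEPT zone_ZONENAME_dest_REJECT zone_ZONENAME_forward
zone_ZONENAME_input zone_ZONENAME_output zone_ZONENAME_src_ACCEPT"

# Print the longest chain name that would be generated for zone "$1".
longest_chain() {
    best=""
    for t in $TEMPLATES; do
        prefix=${t%%ZONENAME*}
        suffix=${t#*ZONENAME}
        name="${prefix}${1}${suffix}"
        [ "${#name}" -gt "${#best}" ] && best=$name
    done
    printf '%s\n' "$best"
}

# Return 0 if every chain generated for zone "$1" fits the limit, else 1.
zone_name_ok() {
    c=$(longest_chain "$1")
    [ "${#c}" -le "$MAX_CHAIN_LEN" ]
}

# Read firewall config text on stdin; print each zone name that is too long.
# Only "option name" inside a "config zone" section is checked.
audit_zones() {
    in_zone=0
    while read -r kw opt val rest; do
        case "$kw" in
            config) [ "$opt" = zone ] && in_zone=1 || in_zone=0 ;;
            option)
                [ "$in_zone" = 1 ] && [ "$opt" = name ] || continue
                val=${val#[\"\']}; val=${val%[\"\']}   # strip one quote each side
                zone_name_ok "$val" || printf '%s\n' "$val"
                ;;
        esac
    done
    return 0
}

# Constructed sample config (not from the ticket): 3, 12 and 11 character
# zone names, plus a long rule name that must not be flagged.
SAMPLE_CONFIG="config zone
	option name 'lan'
config zone
	option name 'guestnetwork'
config zone
	option name 'guestnetwrk'
config rule
	option name 'Allow-DHCP-Renew-Long-Name'"

printf '%s\n' "$SAMPLE_CONFIG" | audit_zones
```

On a device the same audit can be fed the real file, for example `audit_zones < /etc/config/firewall`, before the firewall is reloaded.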