#20542: fw3 locks down iptables rules if ipv6 modules are missing
----------------------+------------------------
 Reporter:  wenzhuo   |      Owner:  developers
     Type:  defect    |     Status:  new
 Priority:  normal    |  Milestone:
Component:  packages  |    Version:  Trunk
 Keywords:            |
----------------------+------------------------
 I am trying to squeeze strongswan-minimal and openvpn-polarssl into the 4M
 flash of TL-WR720N v3. To make room for them, I have to remove some
 features I don't need, namely, luci, ppp, ipv6, and usb.  Here is the
 command I used to create the test image:

 {{{
 wenzhuo@ubuntu:~/openwrt/OpenWrt-ImageBuilder-15.05-ar71xx-generic.Linux-x86_64$ make image PROFILE=TLWR720 PACKAGES="-luci -ppp -ppp-mod-pppoe -ip6tables -odhcp6c -kmod-usb2 -kmod-usb-core"
 }}}

 The resulting image for TL-WR720N v3 is 2752516 bytes in size. It flashed
 fine in the unit. But network interfaces would fail if the WAN port is
 connected. After unplugging the WAN cable and power-cycling the unit, I
 was able to log in and obtain a system log.

 At 20:59:32, I plugged the WAN cable back in. The last message I saw on
 the console was "Reloading firewall due to ifup of wan6 (eth0)" before it
 froze up. Apparently, fw3 can screw up the firewall rules if ipv6 modules
 are missing. At 21:01:40, I unplugged the WAN cable for a reboot.

 Disabling ipv6 in /etc/config/system and commenting out ipv6 network
 interfaces in /etc/config/network do not help the situation.

 I dumped iptables rules after plugging the WAN cable and confirmed that
 the default policy of all the three chains in the filter table was changed
 to DROP.

 {{{
 # (sleep 30 && iptables-save > /overlay/iptables-save)
 }}}

--
Ticket URL: <https://dev.openwrt.org/ticket/20542>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
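
Added example, not part of the ticket and not fw3 code: a check that can be run over a saved dump such as /overlay/iptables-save to list built-in filter chains left with policy DROP and no rules. Treating "no rules" as the lockout signature is an assumption of this example (the ticket only states that the policies became DROP); the function names and sample dumps are constructed.

```shell
# Added example, not from the ticket. Lists built-in filter chains whose
# default policy is DROP and which hold no rules (assumed lockout signature).

# Reads an iptables-save dump from file $1, or from stdin when no file is given.
locked_chains() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # table header: "*filter"
        table != "filter" { next }
        /^:/ {                                       # chain line: ":INPUT DROP [0:0]"
            name = substr($1, 2)
            if ($2 != "-") { policy[name] = $2; order[++n] = name }  # "-": user chain
            next
        }
        $1 == "-A" { rules[$2]++ }                   # rule line: "-A INPUT ..."
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (policy[c] == "DROP" && rules[c] == 0) print c
            }
        }
    ' "${1:--}"
}

# Constructed dump: policies set to DROP, no rules loaded.
sample_locked() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# Constructed dump: DROP policies backed by rules, as in a working ruleset.
sample_ok() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:zone_lan_input - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j zone_lan_input
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_locked | locked_chains    # prints INPUT, FORWARD, OUTPUT
```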