Port forward: ipset not updated when editing source IP list in port forward #896

gsanchietti · 2024-11-11T08:48:27Z

Title:
Steps to reproduce

Manually enter a list of allowed source IPs in a port forward (without using host set or host domain).
Remove an IP from the list or modify an existing one.

Expected behavior

The IP set should be updated, reflecting the change in the firewall rules.

Actual behavior

The IP set is not updated: the port forward still works for the removed IP.
The IP is removed from UCI, but the change does not reflect in nft.

Workaround

Execute:

fw4 restart

Please note that a reload is not enough

Components
NethSecurity version: 8-23.05.5-ns.1.3.0

The text was updated successfully, but these errors were encountered:

Tbaile · 2024-11-12T17:05:23Z

QA:

install the image 23.05.5-ns.1.3.0-33-gef914db
create a port forward with a list of source ips
commit changes
open terminal and with nft find the ipset (nft list set inet fw4 <setname>)
edit the port forward and commit changes
from the terminal, check again with nft that the record is changed.

francio87 · 2024-11-13T08:11:42Z

Confirm fixed ✅

root@NethSec:~# nft list set inet fw4 ns_cd1c7c25_ipset
table inet fw4 {
        set ns_cd1c7c25_ipset {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 8.8.8.8, 80.17.99.73-80.17.99.75 }
        }
}

removed the ip 80.17.99.74 and save:

root@NethSec:~# uci changes
-firewall.ns_cd1c7c25_ipset
firewall.ns_cd1c7c25_ipset='ipset'
firewall.ns_cd1c7c25_ipset.name='ns_cd1c7c25_ipset'
firewall.ns_cd1c7c25_ipset.match='src_net'
firewall.ns_cd1c7c25_ipset.enabled='1'
firewall.ns_cd1c7c25_ipset.ns_link='firewall/ns_cd1c7c25'
firewall.ns_cd1c7c25_ipset.entry+='80.17.99.73'
firewall.ns_cd1c7c25_ipset.entry+='80.17.99.75'
firewall.ns_cd1c7c25_ipset.entry+='8.8.8.8/32'
-firewall.ns_cd1c7c25.proto
firewall.ns_cd1c7c25.proto+='tcp'
firewall.ns_cd1c7c25.proto+='udp'

the ipset has been updated correctly.

root@NethSec:~# nft list set inet fw4 ns_cd1c7c25_ipset
table inet fw4 {
        set ns_cd1c7c25_ipset {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 8.8.8.8, 80.17.99.73,
                             80.17.99.75 }
        }
}

gsanchietti added this to the NethSecurity 8.4 milestone Nov 11, 2024

gsanchietti added this to NethSecurity Nov 11, 2024

Tbaile mentioned this issue Nov 12, 2024

fix(ns-api): restarting fw4 when ipset changes #909

Merged

Tbaile self-assigned this Nov 12, 2024

Tbaile moved this from ToDo 🕐 to In Progress 🛠 in NethSecurity Nov 12, 2024

Tbaile moved this from In Progress 🛠 to Testing in NethSecurity Nov 12, 2024

Tbaile added the testing Packages are available from testing repositories label Nov 12, 2024

Tbaile assigned cotosso, francio87 and mamengoni and unassigned Tbaile Nov 12, 2024

francio87 unassigned cotosso and mamengoni Nov 13, 2024

francio87 added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Nov 13, 2024

francio87 removed their assignment Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Port forward: ipset not updated when editing source IP list in port forward #896

Port forward: ipset not updated when editing source IP list in port forward #896

gsanchietti commented Nov 11, 2024

Tbaile commented Nov 12, 2024

francio87 commented Nov 13, 2024

Port forward: ipset not updated when editing source IP list in port forward #896

Port forward: ipset not updated when editing source IP list in port forward #896

Comments

gsanchietti commented Nov 11, 2024

Tbaile commented Nov 12, 2024

francio87 commented Nov 13, 2024