[firewall3 PATCH] firewall3: support async table init in 5.15+ kernel

Rui Salvaterra rsalvaterra at gmail.com
Fri Jan 7 09:48:44 PST 2022


Hi, Ansuel,

On Fri, 7 Jan 2022 at 17:26, Ansuel Smith <ansuelsmth at gmail.com> wrote:
>
> With 5.15+ tables are initialized in an async way. Firewall3 uses the proc entry
> ip_tables_names to check if a table exists. With this new implementation,
> the proc entry can contain wrong data in the case where a table is
> present but never used/initialized and firewall3 would incorrectly think that
> the table is not available. This causes some connection problems, as from a
> normal boot the proc entry contains only the "filter" table and
> lacks "raw", "mangle" and "nat".
>
> To fix this, "poke" the tables to init them by simply opening and closing
> them without doing any operation. This simple operation is sufficient to
> make the missing tables appear in the proc entry.
>
> Signed-off-by: Ansuel Smith <ansuelsmth at gmail.com>
> ---
>  main.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/main.c b/main.c
> index 7ad00b4..796ae80 100644
> --- a/main.c
> +++ b/main.c
> @@ -266,6 +266,21 @@ start(void)
>                         continue;
>                 }
>
> +               /* From 5.15+ tables are created async as soon as the first rule
> +                * is created or any operation is requested. This cause the
> +                * *_tables_names to report wrong data / missing tables.
> +                * Poke ipt to init the tables so fw3_has_table correctly detects
> +                * them with the proc entires.
> +                */
> +               for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
> +               {
> +
> +                       if (!(handle = fw3_ipt_open(family, table)))
> +                               continue;
> +
> +                       fw3_ipt_close(handle);
> +               }
> +
>                 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
>                 {
>                         if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
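
Review bot: the added poke loop in start() walks FW3_TABLE_FILTER..FW3_TABLE_RAW, and the existing loop directly below it walks exactly the same range, so the fw3_ipt_open()/fw3_ipt_close() pair could sit at the top of that existing loop, just before the fw3_has_table() check, instead of making a second pass over the tables. As written, a failed fw3_ipt_open() is skipped with `continue` and nothing is reported, so a table that could not be poked looks the same as one that is simply absent when fw3_has_table() runs afterwards. The comment says the behaviour is specific to 5.15+, but the poke runs unconditionally; that is probably fine, but the comment should say so. Style: drop the blank line after the opening brace and fix "entires" to "entries" in the comment.
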
> --
> 2.33.1
>

Groan. Still, it does seem the less insane solution, so…

Reviewed-by: Rui Salvaterra <rsalvaterra at gmail.com>

Thanks,
Rui


