[FS#3977] fw3: ipset timeout option ignored when set to zero

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Thu Aug 12 08:30:48 PDT 2021


A new Flyspray task has been opened.  Details are below. 

User who did this - Jorne Anders (jorne-tremani) 

Attached to Project - OpenWrt/LEDE Project
Summary - fw3: ipset timeout option ignored when set to zero
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - When I define a timeout of 0 in a firewall config ipset rule, the ipset is created without timeout support. The fw3 code checks for "timeout > 0" and therefor ignores the timeout option while a timeout value of zero is actually valid for ipsets and stands for "indefinite". 

making an ipset firewall rule with //option timeout 0// creates an ipset with timeout support.

device: all (tested on NanoPi R4S)
openwrt version: 21.02-rc4 (custom build), current trunk is also affected

example snippet from /etc/config/firewall
config ipset
        option name 'ssh-access'
        option match 'src_net'
        option family 'ipv6'
        option storage 'hash'
        option timeout '0'
        option loadfile '/etc/ipset/ssh-access.list'

config rule
        option src 'wan'
        option ipset 'ssh-access'
        option dest_port '22'
        option proto 'tcp'
        option target 'ACCEPT'
        option name 'Allow-External-SSH-ipset'
        option family 'ipv6'

Current workaround:

  * set the timeout to any value > 0
  * append " timeout 0" to all entries in the file loaded by loadfile

More information can be found at the following URL:

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

More information about the openwrt-bugs mailing list