
Opened 8 years ago

Closed 5 years ago

#4544 closed defect (fixed)

QoS scripts are overriding custom mangle rules

Reported by: blbu
Owned by: jow
Priority: normal
Milestone: Backfire 10.03.1
Component: base system
Version: Trunk
Keywords: firewall, qos
Cc:

Description

I've got those two rules in the firewall.user:

iptables -t mangle -A POSTROUTING -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -j TTL --ttl-inc 1

The QoS script seems to be flushing the mangle chain, so my custom rules are flushed as well. I'm not sure if there's some workaround available other than adding those rules to the /etc/init.d/qos script...

Attachments (2)

0001-Add-qos_-iptables-chain-namespace-for-QoS.patch (4.0 KB) - added by kevin@… 6 years ago.
Patch to add qos_* iptables chain namespace for QoS
0002-Add-QoS-firewall-stop-script-generation.patch (1.6 KB) - added by kevin@… 6 years ago.
Patch to add QoS firewall stop script generation


Change History (8)

comment:1 Changed 8 years ago by blbu

Err.. Not /etc/init.d/qos but to /usr/lib/qos/generate.sh, start_cg part.

comment:2 Changed 7 years ago by stijn@…

This problem still exists in Kamikaze 8.09 branch, r17662.

I worked around this by creating a /etc/firewall.mangle file and adding ". /etc/firewall.mangle" at the end of start_firewall() in /usr/lib/qos/generate.sh.

Changed 6 years ago by kevin@…

Patch to add qos_* iptables chain namespace for QoS

Changed 6 years ago by kevin@…

Patch to add QoS firewall stop script generation

comment:3 Changed 6 years ago by kevin@…

One possible solution to this problem is to namespace the QoS chains so that they can be identified for removal based on namespace. The attached patches use "qos_" as a prefix for this namespace and implement cleanup without affecting other chains. This may cause breakage for user scripts currently depending on the chain names, but since anything in firewall.user in the mangle table is currently erased, such dependencies would require additional script hacking and shouldn't be expected to be preserved without extra user effort.
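
The chain-namespace approach described in comment:3, shown as an added shell example; this is not the attached patches or OpenWrt's own generate.sh. It reads `iptables-save -t mangle` style output (here a constructed sample containing the reporter's two TTL rules plus two hypothetical chains named qos_Default and qos_Default_ct, both assumptions for illustration) and emits only the commands that unhook, flush and delete the qos_-prefixed chains. It also lists which rules that targeted cleanup leaves in place, which is exactly what a blanket flush of the mangle table, as the ticket reports, does not do.

```shell
#!/bin/sh
# Added example: targeted cleanup of qos_-prefixed mangle chains, in the spirit of
# comment:3. Not the attached patches or OpenWrt's generate.sh.
# The sample below is a constructed `iptables-save -t mangle` dump; the chain names
# qos_Default / qos_Default_ct and the rules in them are assumptions for illustration.
SAMPLE_MANGLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A PREROUTING -j TTL --ttl-inc 1
-A POSTROUTING -j TTL --ttl-inc 1
-A FORWARD -o eth1 -j qos_Default
-A qos_Default -j CONNMARK --restore-mark
-A qos_Default -m mark --mark 0 -j qos_Default_ct
-A qos_Default_ct -j CONNMARK --save-mark
COMMIT'

# List user-defined chains in the qos_ namespace (save-format input on stdin).
qos_chains() {
    awk '/^:qos_/ { print substr($1, 2) }'
}

# Emit the commands a namespaced stop script would run: first delete the jumps from
# other chains into qos_ chains, then flush and delete the qos_ chains themselves.
# iptables-save lists every ":chain" line before any "-A" rule, so one pass suffices.
qos_cleanup_cmds() {
    awk '
        /^:qos_/ { name = substr($1, 2); qos[name] = 1; order[++n] = name }
        /^-A / && !($2 in qos) {
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && ($(i + 1) in qos)) {
                    rule = $0; sub(/^-A /, "", rule)
                    print "iptables -t mangle -D " rule
                }
        }
        END {
            for (i = 1; i <= n; i++) print "iptables -t mangle -F " order[i]
            for (i = 1; i <= n; i++) print "iptables -t mangle -X " order[i]
        }
    '
}

# Rules the targeted cleanup leaves alone: everything outside the qos_ namespace that
# does not jump into it. A blanket "iptables -t mangle -F", which is what the ticket
# reports the QoS script doing, would drop these as well.
rules_kept() {
    awk '
        /^:qos_/ { qos[substr($1, 2)] = 1 }
        /^-A / {
            if ($2 in qos) next
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && ($(i + 1) in qos)) next
            print
        }
    '
}

echo "# qos_ chains:"
printf '%s\n' "$SAMPLE_MANGLE_SAVE" | qos_chains
echo "# cleanup commands:"
printf '%s\n' "$SAMPLE_MANGLE_SAVE" | qos_cleanup_cmds
echo "# custom rules preserved:"
printf '%s\n' "$SAMPLE_MANGLE_SAVE" | rules_kept
```

On a live system the input would come from `iptables-save -t mangle` and the emitted commands would be executed rather than printed; the generator only ever names chains it found under the qos_ prefix, so the reporter's TTL rules in PREROUTING and POSTROUTING are never touched.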

comment:4 Changed 6 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted
  • Version set to Trunk

comment:5 Changed 6 years ago by jow

  • Milestone changed from Attitude Adjustment (trunk) to Backfire 10.03.1

comment:6 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed

Applied with r28622, r28623 - thanks!
