Dear All,
Below is the freifunk p2pblock script, which used to work like a charm but no longer works as expected in backfire.

I read on http://wiki.openwrt.org/doc/uci/qos that 'As of r25641 <https://dev.openwrt.org/changeset/25641/trunk> qos-scripts dropped the use of IMQ (package iptables-mod-imq - Intermediate Queueing Device). Its successor is IFB (Intermediate Functional Block device) <http://www.linuxfoundation.org/collaborate/workgroups/networking/ifb>, (needed packages kmod-ifb and act_connmark).' These packages do not exist on backfire and act_connmark does not exist in trunk either. Odd. Still, the changelog would seem to indicate this affects trunk only, but can someone confirm this is irrelevant for backfire?

I also understand from '[25352]: [backfire] drop firewall v1' <https://dev.openwrt.org/changeset/25352> and '[25353]: [backfire] merge dual stack firewall' <https://dev.openwrt.org/changeset/25353> that the firewall userland programmes have been changed. Could this affect the ipp2p based iptables rules?

Be that as it may, the script that used to work great now cannot establish the ipp2p firewall rules anymore on either atheros or ar71xx. The two lines:

    ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
    ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"

lead to 'iptables: No chain/target/match by that name.' errors like so:

    root@Router0023133:~# /etc/init.d/freifunk-p2pblock enable
    root@Router0023133:~# /etc/init.d/freifunk-p2pblock start
    freifunk-p2pblock: starting p2pblock...
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    freifunk-p2pblock: Done.

Given the recent significant changes in the firewall scripts my best guess is the changes have rendered the iptables commands in the p2p scripts unworkable. My iptables skills are not sufficient to analyse this further, so I turn to this group for review and counsel - and ideally for a suggestion for a fix.

Cheers
Hanno
Auckland, New Zealand

Appendix

Here is the freifunk-p2pblock script for reference:

    #!/bin/sh /etc/rc.common
    START=82

    ME="freifunk-p2pblock"
    LOCK='/var/run/p2pblock.lock'

    # helper-scripts
    # insert a rule and record the matching delete command in $LOCK so it can be undone on stop
    ipt_add() {
        logger -t "$ME" "set 'iptables -I $1'"
        iptables -I $1
        echo "iptables -D $1" >> $LOCK
    }

    start() {
        /etc/init.d/freifunk-p2pblock enabled || return
        if [ ! -s "$LOCK" ]; then
            logger -s -t "$ME" 'starting p2pblock...'
            config_load network
            config_get wan wan ifname
            if [ -n "$wan" ]; then
                config_load freifunk_p2pblock
                config_get layer7 p2pblock layer7
                config_get ipp2p p2pblock ipp2p
                config_get portrange p2pblock portrange
                config_get blocktime p2pblock blocktime

                # load modules (insmod errors are silenced, so a missing module only
                # shows up later as "No chain/target/match by that name" from iptables)
                insmod ipt_ipp2p 2>&-
                insmod ipt_layer7 2>&-
                insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-

                # create new p2p-chain
                iptables -N p2pblock

                # pipe all incoming FORWARD traffic with source/destination port 1024-65535 through the p2p-chain
                ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
                ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"

                # if 3 p2p packets to a destination ip were seen, block all traffic to it (port 1024-65535)
                # within the next $blocktime (180) seconds
                ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
                ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"

                # create layer7-rules
                for proto in $layer7; do
                    ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
                    ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
                done

                # create ipp2p-rules
                for proto in $ipp2p; do
                    ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
                    ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
                done

                # insert whitelisted ips (every rule is inserted with -I, so these end up first in the chain;
                # note that WHITELIST is not assigned anywhere in the script as posted)
                for ip in $WHITELIST; do
                    ipt_add "p2pblock -d $ip -j RETURN"
                done

                logger -s -t "$ME" 'Done.'; return 0
            else
                logger -s -t "$ME" 'No wan interface present.'; return 0
            fi
        else
            logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
        fi
    }
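The error in the log above is what iptables reports when a rule names a match extension (-m ipp2p, -m layer7, -m recent) that the running kernel has not registered, which is why the silenced insmod calls in the script hide the real cause. The following preflight helper is an added example, not part of Hanno's post or of the freifunk package: it extracts the -m names from a rule spec, probes each one on the userspace side (iptables -m NAME --help fails when the extension library is absent) and on the kernel side (/proc/net/ip_tables_matches lists the matches the kernel currently knows), and only then inserts the rule. The IPT and IPT_PROBE variables are hypothetical overrides so the logic can be exercised without a real firewall; the /proc file and the --help probe are assumed to behave as described on the target kernel and iptables version.

```shell
#!/bin/sh
# Preflight check for the iptables match extensions a rule relies on.
# Added example (not from the freifunk package): a rule whose -m extension is
# missing fails with the generic "No chain/target/match by that name.", so each
# match is probed first and the missing one is named, together with the side
# (userspace or kernel) on which it is missing.

IPT=${IPT:-iptables}                   # hypothetical override, used for testing
IPT_PROBE=${IPT_PROBE:-ipt_probe_real} # hypothetical override, used for testing

# Probe one match extension NAME.
# Returns 0 when usable, 1 when the userspace extension cannot be loaded,
# 2 when userspace is fine but the kernel has no such match registered
# (the case that produces "No chain/target/match by that name").
ipt_probe_real() {
    # iptables fails here when libxt_NAME.so / libipt_NAME.so is absent
    "$IPT" -m "$1" --help >/dev/null 2>&1 || return 1
    # /proc/net/ip_tables_matches lists the matches the kernel currently knows
    grep -qx "$1" /proc/net/ip_tables_matches 2>/dev/null || return 2
    return 0
}

# Print the distinct match names (-m NAME) used by a rule spec, in order.
ipt_rule_matches() {
    prev=""; found=""
    for tok in $1; do
        if [ "$prev" = "-m" ]; then
            case " $found " in
                *" $tok "*) ;;                 # already listed
                *) found="$found $tok" ;;
            esac
        fi
        prev=$tok
    done
    echo "${found# }"
}

# Probe every match named on the command line; report the missing ones on
# stderr and return 1 if any is unusable, 0 otherwise.
ipt_check_matches() {
    missing=""
    for m in "$@"; do
        rc=0
        "$IPT_PROBE" "$m" || rc=$?
        case $rc in
            0) ;;
            1) missing="$missing $m(userspace)" ;;
            *) missing="$missing $m(kernel)" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "missing iptables matches:$missing" >&2
    return 1
}

# Guarded counterpart of the script's ipt_add: refuse to insert a rule whose
# matches are unavailable, so the log names the missing extension instead of
# showing a bare "No chain/target/match by that name".
ipt_add_checked() {
    need=$(ipt_rule_matches "$1")
    if ! ipt_check_matches $need; then
        echo "skipping rule: iptables -I $1" >&2
        return 1
    fi
    "$IPT" -I $1
}

# Stand-alone use: sh preflight.sh ipp2p layer7 recent limit
if [ "$#" -gt 0 ]; then
    ipt_check_matches "$@"
fi
```

Run it on the router with the matches the script needs (ipp2p layer7 recent limit) and it prints which side is missing what; a kernel-side miss for ipp2p or layer7 points at the kernel module not being present or not loaded, a userspace miss at the iptables extension package, which is a much faster way to narrow down the backfire change than reading the firewall scripts.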
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel