Bug 12301

Summary: Iptables “host/network ‘none’ not found”
Product: IPFire
Reporter: Terry <service>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED
QA Contact:
Severity: Major Usability
Priority: - Unknown -
CC: arne.fitzenreiter, jon.murphy, michael.tremer, peter.mueller, stefan.schantl
Version: 2   
Hardware: all   
OS: All   
Bug Depends on:    
Bug Blocks: 12278    
Attachments: firewall config
attachment-19917-0.html
attachment-20564-0.html

Description Terry 2020-02-19 21:05:51 UTC
I can't find any log entries, but I see the error messages at every startup.

https://community.ipfire.org/t/iptables-host-network-none-not-found/1249

It's related to any rule with custom defined targets groups.
Comment 1 Michael Tremer 2020-02-20 14:00:48 UTC
Could you please attach your firewall configuration files?
Comment 2 Terry 2020-02-20 18:22:29 UTC
Created attachment 736 [details]
firewall config
Comment 3 Terry 2020-02-20 18:23:00 UTC
(In reply to Michael Tremer from comment #1)
> Could you please attach your firewall configuration files?

There it is.
Comment 4 Alexander Marx 2021-03-27 12:53:19 UTC
Silly me....

I was sure there is a check for a MAC address in the target group.
Unfortunately, there is a wrong hash parameter used.

line 609 of firewall.cgi has to be

if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customgrp{$grpkey}[0] eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $customhost{$hostkey}[1] eq 'mac'){
Comment 5 Michael Tremer 2021-04-01 10:13:09 UTC
Alex, can you please send a patch for this?

Does any configuration need to be migrated or is this simple change everything we need?
Comment 6 Alexander Marx 2021-04-01 12:32:44 UTC
Created attachment 870 [details]
attachment-19917-0.html

Depends....

When having MAC addresses in the host group there will be a HINT
that those addresses will be skipped.
But the rule will be accepted and the firewall will create rules for all
hosts with IP addresses.

Otherwise I will have to make an error message and block saving the rules.

Which of these options should be implemented?

Comment 7 Michael Tremer 2021-04-01 12:39:50 UTC
(In reply to Alexander Marx from comment #6)
> When having MAC addresses in the host group there will be a HINT
> that those addresses will be skipped.

Where is this hint currently shown?

> But the rule will be accepted and the firewall will create rules for all 
> hosts with ip-addresses.

I suppose this is what we should do.

> Otherwise i will have to make an errormessage and block saving the rules.

No, this would limit the capabilities and make MAC address rules even more useless.
Comment 8 Alexander Marx 2021-04-01 12:44:55 UTC
Created attachment 871 [details]
attachment-20564-0.html

On 01.04.21 at 14:39, IPFire Bugzilla wrote:
> Comment #7 on bug 12301 from Michael Tremer
> (In reply to Alexander Marx from comment #6)
> > When having MAC addresses in the host group there will be a HINT
> > that those addresses will be skipped.
>
> Where is this hint currently shown?
This hint is shown when I committed the patch.... give me 10 minutes
Comment 9 Michael Tremer 2021-04-01 12:46:06 UTC
I would recommend removing the entire previous content when replying because Bugzilla is not very good at stripping this away.
Comment 10 Alexander Marx 2021-04-01 12:51:54 UTC
Please test if this works.

https://patchwork.ipfire.org/patch/4011/
Comment 11 Alexander Marx 2021-04-01 13:57:44 UTC
The rules are not skipped, they can't be created because target will be "none".

If someone really ignores the hint and saves the rule, I think the boot messages are a good "reminder". Else there's the possibility to forget that there are rules that are not applied.

To completely skip those rules, we have to edit the rules.pl.
Comment 12 Michael Tremer 2021-04-07 20:54:08 UTC
We cannot try to insert rules with this. iptables will try to resolve "none" using DNS and if someone controls this, they can return any IP address which will be inserted into the firewall ruleset. This is a security risk.
Comment 13 Alexander Marx 2021-04-12 07:03:58 UTC
Try this one:
https://patchwork.ipfire.org/patch/4146/

The bug is fixed, the hint is shown and the rules are skipped with MAC addresses as target.
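As an added example (not IPFire's own code and not taken from either patch linked above), the following stand-alone Perl script shows the behaviour comments 4, 12 and 13 settle on: when the target list of a rule is built from a custom host group, members of type `mac` are skipped and reported as a hint, and anything that is not a literal IPv4 address or network is refused as well, so that a placeholder such as "none" can never be handed to iptables, which would otherwise try to resolve it as a hostname through DNS. The hash layouts (`%customhost` as `[name, type, address, remark]`, `%customgrp` as `[group, remark, member name, member type, count]`), the sample data and the function names `targets_for_group` and `is_ip_or_network` are assumptions modelled on the condition quoted in comment 4, not the real firewall.cgi data model.

```perl
#!/usr/bin/perl
# Added example, not IPFire code: build iptables targets from a custom host
# group without ever emitting a value iptables would have to resolve via DNS.
use strict;
use warnings;

# Constructed sample data. The layout is an assumption based on the
# condition quoted in comment 4:
#   %customhost: key => [ name, type ('ip' or 'mac'), address, remark ]
#   %customgrp:  key => [ group name, remark, member name, member type, count ]
my %customhost = (
    1 => [ 'fileserver', 'ip',  '192.168.1.10',      '' ],
    2 => [ 'lan-print',  'ip',  '192.168.1.0/24',    '' ],
    3 => [ 'laptop',     'mac', '00:11:22:33:44:55', '' ],
);
my %customgrp = (
    1 => [ 'servers', '', 'fileserver', 'Custom Host', 3 ],
    2 => [ 'servers', '', 'lan-print',  'Custom Host', 3 ],
    3 => [ 'servers', '', 'laptop',     'Custom Host', 3 ],
);

# True only for a dotted-quad IPv4 address with an optional /prefix.
# A bare hostname (including the placeholder "none") never matches.
sub is_ip_or_network {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 unless $value =~ m{^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$};
    my @octets = ($1, $2, $3, $4);
    my $prefix = $5;
    for my $o (@octets) { return 0 if $o > 255; }
    return 0 if defined $prefix && $prefix > 32;
    return 1;
}

# Returns (\@targets, \@skipped): literal IPv4 targets usable as iptables
# -d arguments, and the names of group members that were left out with
# the reason, so the caller can show them as a HINT.
sub targets_for_group {
    my ($grpname, $grp, $hosts) = @_;
    my (@targets, @skipped);
    for my $gkey (sort { $a <=> $b } keys %$grp) {
        next unless $grp->{$gkey}[0] eq $grpname;
        my $member = $grp->{$gkey}[2];
        # Look the member name up in the custom host table.
        my ($host) = grep { $_->[0] eq $member } values %$hosts;
        if (!$host) {                         # unknown member: never emit "none"
            push @skipped, "$member (no such host)";
            next;
        }
        if ($host->[1] eq 'mac') {            # the case from comments 4 and 13
            push @skipped, "$member (MAC address)";
            next;
        }
        if (!is_ip_or_network($host->[2])) {  # defence in depth, see comment 12
            push @skipped, "$member (not an IP address or network)";
            next;
        }
        push @targets, $host->[2];
    }
    return (\@targets, \@skipped);
}

my ($targets, $skipped) = targets_for_group('servers', \%customgrp, \%customhost);
print "iptables -A FORWARDFW -d $_ -j ACCEPT\n" for @$targets;
print "HINT: skipped $_\n" for @$skipped;
```

Run with `perl` and no arguments: the two IP hosts become rule targets, the MAC host is listed under the hint, and nothing is passed to iptables as a name. Only IPv4 is handled because the IPFire 2.x firewall ruleset is IPv4 only.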
Comment 14 Stefan Schantl 2021-07-16 14:58:18 UTC
@Arne, Michael,

please merge the second patch.

Thanks in advance,

-Stefan
Comment 15 Michael Tremer 2021-07-17 13:05:05 UTC
I would recommend CC'ing Arne if you want your message to reach him :)
Comment 16 Peter Müller 2021-09-04 10:11:37 UTC
This patch is not merged yet, resetting this bug back to ASSIGNED.
Comment 17 Jon 2021-10-03 23:39:31 UTC
I just got bit by this one also!

My IPFire box has always been headless. So the boot errors were never noticed.

To debug I would change a firewall rule (firewall.cgi), Apply Changes, then reboot. Lots of reboots.

Is it possible that these iptables errors end up in the messages log?

I saw a possible patch in "Comment 13". Did that get approved?
Comment 18 Peter Müller 2022-02-06 17:23:49 UTC
https://git.ipfire.org/?p=people/pmueller/ipfire-2.x.git;a=commit;h=feef6aca68a3b7953c09e3abc9e5a18e9fa3a4eb

Not setting to MODIFIED since this is my personal temporary branch for Core Update 165. However, I expect this patch to land there as soon as C165 is officially worked on.