I can't find any log entries, but I see the error messages at every startup. https://community.ipfire.org/t/iptables-host-network-none-not-found/1249 It's related to any rule with custom-defined target groups.
Could you please attach your firewall configuration files?
Created attachment 736: firewall config
(In reply to Michael Tremer from comment #1)
> Could you please attach your firewall configuration files?

There it is.
Silly me.... I was sure there is a check for a MAC address in the target group. Unfortunately, a wrong hash parameter is used. Line 609 of firewall.cgi has to be:

if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customgrp{$grpkey}[0] eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $customhost{$hostkey}[1] eq 'mac'){
Alex, can you please send a patch for this? Does any configuration need to be migrated, or is the simple change everything we need?
Depends.... When having MAC addresses in the host group, there will be a HINT that those addresses will be skipped. But the rule will be accepted and the firewall will create rules for all hosts with IP addresses. Otherwise I will have to make an error message and block saving the rules. Which of these options should be implemented?
(In reply to Alexander Marx from comment #6)
> When having MAC addresses in the host group, there will be a HINT that those addresses will be skipped.

Where is this hint currently shown?

> But the rule will be accepted and the firewall will create rules for all hosts with IP addresses.

I suppose this is what we should do.

> Otherwise I will have to make an error message and block saving the rules.

No, this would limit the capabilities and make MAC address rules even more useless.
(In reply to Michael Tremer from comment #7)
> Where is this hint currently shown?

This hint is shown once I have committed the patch.... give me 10 minutes.
I would recommend removing the entire previous content when replying because Bugzilla is not very good at stripping this away.
Please test if this works. https://patchwork.ipfire.org/patch/4011/
The rules are not skipped; they can't be created because the target will be "none". If someone really ignores the hint and saves the rule, I think the boot messages are a good "reminder". Otherwise there's the possibility of forgetting that there are rules that are not applied. To completely skip those rules, we have to edit rules.pl.
We cannot try to insert rules with this. iptables will try to resolve "none" using DNS, and if someone controls this, they can return any IP address, which will be inserted into the firewall ruleset. This is a security risk.
Try this one: https://patchwork.ipfire.org/patch/4146/ The bug is fixed, the hint is shown, and rules with MAC addresses as target are skipped.
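The behaviour discussed above, as an added example written for this page (it is not IPFire's firewall.cgi or rules.pl code): MAC-address members of a target group are skipped with a hint, and a group without any usable IP member produces no rule at all instead of a rule with "-d none" that iptables would hand to the resolver. The host-group layout (@customhost entries of [group, name, type, value]) and the function names are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not IPFire code. Shows how a target group is turned into
# iptables destination arguments without ever emitting an unresolvable
# placeholder such as "none". Data layout and function names are assumptions
# for this illustration, not the layout used by firewall.cgi or rules.pl.
use strict;
use warnings;

# Constructed host-group members: [group name, host name, type, value].
my @customhost = (
    ['servers', 'web',     'ip',  '192.168.1.10'],
    ['servers', 'printer', 'mac', '00:11:22:33:44:55'],
    ['servers', 'dmz',     'ip',  '192.168.2.0/24'],
    ['phones',  'phone1',  'mac', '66:77:88:99:aa:bb'],
);

# Accept only dotted-quad IPv4 addresses with an optional /0-32 prefix, so
# that no string iptables would pass to DNS (e.g. "none") reaches a rule.
sub is_ip_or_cidr {
    my ($s) = @_;
    return 0 unless defined $s;
    my ($addr, $prefix) = split m{/}, $s, 2;
    my @oct = split /\./, $addr, -1;
    return 0 unless @oct == 4;
    for my $o (@oct) {
        return 0 unless $o =~ /^\d{1,3}$/ && $o <= 255;
    }
    if (defined $prefix) {
        return 0 unless $prefix =~ /^\d{1,2}$/ && $prefix <= 32;
    }
    return 1;
}

# Collect the usable destination values of a group. MAC members are skipped
# (a MAC address can match a packet's source, never its destination) and
# every skipped member is reported as a hint for the web UI.
sub group_destinations {
    my ($group, $hosts) = @_;
    my (@targets, @hints);
    for my $h (@$hosts) {
        next unless $h->[0] eq $group;
        my ($name, $type, $value) = @{$h}[1, 2, 3];
        if ($type eq 'mac') {
            push @hints, "$name ($value) is a MAC address and cannot be a target; skipped";
            next;
        }
        if (!is_ip_or_cidr($value)) {
            push @hints, "$name has no usable IP address ('$value'); skipped";
            next;
        }
        push @targets, $value;
    }
    return (\@targets, \@hints);
}

# Build the iptables command lines for a group used as destination. Returns
# an empty list, never "-d none", when no member of the group is usable.
sub build_forward_rules {
    my ($group, $hosts) = @_;
    my ($targets, $hints) = group_destinations($group, $hosts);
    print "HINT: $_\n" for @$hints;
    return map { "iptables -A FORWARD -d $_ -j ACCEPT" } @$targets;
}

for my $group (qw(servers phones)) {
    my @rules = build_forward_rules($group, \@customhost);
    if (@rules) {
        print "$_\n" for @rules;
    } else {
        print "group '$group' has no IP members, no rule created\n";
    }
}
```

For the constructed data the "servers" group yields two rules (192.168.1.10 and 192.168.2.0/24) plus a hint for the printer, while the "phones" group, whose only member is a MAC address, yields a hint and no rule at all, which is the outcome the thread settles on: accept the rule, skip the MAC entries, and never let "none" reach iptables.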
@Arne, Michael, please merge the second patch. Thanks in advance, -Stefan
I would recommend CC'ing Arne if you want your message to reach him :)
This patch is not merged yet, resetting this bug back to ASSIGNED.
I just got bit by this one also! My IPFire box has always been headless, so the boot errors were never noticed. To debug I would change a firewall rule (firewall.cgi), Apply Changes, then reboot. Lots of reboots. Is it possible that these iptables errors end up in the messages log? I saw a possible patch in "Comment 13". Did that get approved?
https://git.ipfire.org/?p=people/pmueller/ipfire-2.x.git;a=commit;h=feef6aca68a3b7953c09e3abc9e5a18e9fa3a4eb Not setting to MODIFIED since this is my personal temporary branch for Core Update 165. However, I expect this patch to land there as soon as C165 is officially worked on.
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=feef6aca68a3b7953c09e3abc9e5a18e9fa3a4eb
https://blog.ipfire.org/post/ipfire-2-27-core-update-165-is-available-for-testing
https://blog.ipfire.org/post/ipfire-2-27-core-update-165-released