
firewall3: remove unnecessary fw3_has_table

Message ID 20210610045106.285820-1-wlooi@ucalgary.ca
State Accepted
Delegated to: Rui Salvaterra

Commit Message

Wenli Looi June 10, 2021, 4:51 a.m. UTC
Given that firewall3 already skips the table when fw3_ipt_open fails,
there is no need for fw3_has_table.

Furthermore, /proc/net/ip_tables_names is not reliable under linux
containers (e.g. Docker/LXC/LXD). This patch will remove the need for
existing hacks required for OpenWrt to run on those platforms.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
---
Additional comments:

Under linux containers, I believe /proc/net/ip_tables_names does not
contain the name of a table until it is accessed at least once.

This patch makes firewall3 consistent with the iptables command, which
fully works under linux containers and will output "Table does not
exist" when iptc_init/ip6tc_init returns ENOENT.

Examples of existing hacks required to run OpenWrt on those platforms:

LXC: https://github.com/openwrt/openwrt/pull/2525
LXD: https://github.com/cvmiller/openwrt-lxd/blob/bc09dc7ebf4f2904a9b717ed8a8a4065b5f8aaa5/init.sh#L67
Docker: https://github.com/oofnikj/docker-openwrt/commit/a4f19bbbe1932e3b36690eb9ed75a273287120e3

I've tested this patch on LXD and firewall3 appears to work without the
above hack.

 main.c  | 15 ---------------
 utils.c |  9 ---------
 utils.h |  2 --
 3 files changed, 26 deletions(-)

Comments

Wenli Looi Feb. 10, 2022, 7:19 p.m. UTC | #1
Hi Rui and Ansuel,

Can you take a look at this patch I sent a while ago for firewall3? I
think it is a better solution for the problem in kernel 5.15+ that is
identified here.

http://lists.openwrt.org/pipermail/openwrt-devel/2022-January/037534.html

Note that Ansuel's commit also seems to fix the problem with
LXC/LXD/Docker, because poking the table with fw3_ipt_open makes it
show up in ip_tables_names under Linux containers. However, as stated
in the commit, I don't think we need to check ip_tables_names at all?

Thanks!
Wenli


On Wed, Jun 9, 2021 at 9:51 PM Wenli Looi <wlooi@ucalgary.ca> wrote:
>
> Given that firewall3 already skips the table when fw3_ipt_open fails,
> there is no need for fw3_has_table.
>
> Furthermore, /proc/net/ip_tables_names is not reliable under linux
> containers (e.g. Docker/LXC/LXD). This patch will remove the need for
> existing hacks required for OpenWrt to run on those platforms.
>
> Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
> ---
> Additional comments:
>
> Under linux containers, I believe /proc/net/ip_tables_names does not
> contain the name of a table until it is accessed at least once.
>
> This patch makes firewall3 consistent with the iptables command, which
> fully works under linux containers and will output "Table does not
> exist" when iptc_init/ip6tc_init returns ENOENT.
>
> Examples of existing hacks required to run OpenWrt on those platforms:
>
> LXC: https://github.com/openwrt/openwrt/pull/2525
> LXD: https://github.com/cvmiller/openwrt-lxd/blob/bc09dc7ebf4f2904a9b717ed8a8a4065b5f8aaa5/init.sh#L67
> Docker: https://github.com/oofnikj/docker-openwrt/commit/a4f19bbbe1932e3b36690eb9ed75a273287120e3
>
> I've tested this patch on LXD and firewall3 appears to work without the
> above hack.
>
>  main.c  | 15 ---------------
>  utils.c |  9 ---------
>  utils.h |  2 --
>  3 files changed, 26 deletions(-)
>
> diff --git a/main.c b/main.c
> index 7ad00b4..7deb636 100644
> --- a/main.c
> +++ b/main.c
> @@ -195,9 +195,6 @@ stop(bool complete)
>
>                 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
>                 {
> -                       if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
> -                               continue;
> -
>                         if (!(handle = fw3_ipt_open(family, table)))
>                                 continue;
>
> @@ -268,9 +265,6 @@ start(void)
>
>                 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
>                 {
> -                       if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
> -                               continue;
> -
>                         if (!(handle = fw3_ipt_open(family, table)))
>                                 continue;
>
> @@ -339,9 +333,6 @@ reload(void)
>
>                 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
>                 {
> -                       if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
> -                               continue;
> -
>                         if (!(handle = fw3_ipt_open(family, table)))
>                                 continue;
>
> @@ -368,9 +359,6 @@ start:
>
>                 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
>                 {
> -                       if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
> -                               continue;
> -
>                         if (!(handle = fw3_ipt_open(family, table)))
>                                 continue;
>
> @@ -426,9 +414,6 @@ gc(void)
>
>                 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
>                 {
> -                       if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
> -                               continue;
> -
>                         if (!(handle = fw3_ipt_open(family, table)))
>                                 continue;
>
> diff --git a/utils.c b/utils.c
> index 17d5bf9..36897b0 100644
> --- a/utils.c
> +++ b/utils.c
> @@ -339,15 +339,6 @@ file_contains(const char *path, const char *str)
>         return seen;
>  }
>
> -bool
> -fw3_has_table(const bool ipv6, const char *table)
> -{
> -       const char *path = ipv6
> -               ? "/proc/net/ip6_tables_names" : "/proc/net/ip_tables_names";
> -
> -       return file_contains(path, table);
> -}
> -
>  bool
>  fw3_has_target(const bool ipv6, const char *target)
>  {
> diff --git a/utils.h b/utils.h
> index 884907d..5b17a2d 100644
> --- a/utils.h
> +++ b/utils.h
> @@ -102,8 +102,6 @@ void fw3_command_close(void);
>  void fw3_pr(const char *fmt, ...)
>         __attribute__ ((format (printf, 1, 2)));
>
> -bool fw3_has_table(const bool ipv6, const char *table);
> -
>  bool fw3_has_target(const bool ipv6, const char *target);
>
>  bool fw3_lock(void);
> --
> 2.25.1
>
Rui Salvaterra Feb. 11, 2022, 9:04 a.m. UTC | #2
Hi, Wenli,

On Thu, 10 Feb 2022 at 19:19, Wenli Looi <wlooi@ucalgary.ca> wrote:
>
> Hi Rui and Ansuel,
>
> Can you take a look at this patch I sent a while ago for firewall3? I
> think it is a better solution for the problem in kernel 5.15+ that is
> identified here.
>
> http://lists.openwrt.org/pipermail/openwrt-devel/2022-January/037534.html
>
> Note that Ansuel's commit also seems to fix the problem with
> LXC/LXD/Docker, because poking the table with fw3_ipt_open makes it
> show up in ip_tables_names under Linux containers. However, as stated
> in the commit, I don't think we need to check ip_tables_names at all?

[patch snipped]

Does this still work when a table is missing from the system? In other
words, when a table is compiled as a module, available in an
installable kernel package, but not installed in the system by default
(as is the case for the raw table in the kmod-ipt-raw package)? That's
the point of fw3_has_table, to check if a table exists in the system
before using it.

Thanks,
Rui
Wenli Looi Feb. 11, 2022, 7:10 p.m. UTC | #3
Sorry, forgot to reply all

On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi <wlooi@ucalgary.ca> wrote:
>
> Hi Rui,
>
> Yes, I believe it still works. Every place where fw3_has_table is
> called, we check immediately after if fw3_ipt_open succeeds, which
> makes fw3_has_table superfluous?
>
> I added a few print statements to fw3_ipt_open to check the case you mentioned:
>
> root@OpenWrt:~# fw3 restart 2>/dev/null
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open FAILED for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open FAILED for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
> root@OpenWrt:~# opkg install kmod-ipt-raw
> Installing kmod-ipt-raw (5.10.96-1) to root...
> Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> Configuring kmod-ipt-raw.
> root@OpenWrt:~# fw3 restart 2>/dev/null
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open SUCCESS for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
> fw3_ipt_open SUCCESS for v4 filter
> fw3_ipt_open SUCCESS for v4 nat
> fw3_ipt_open SUCCESS for v4 mangle
> fw3_ipt_open SUCCESS for v4 raw
> fw3_ipt_open FAILED for v6 filter
> fw3_ipt_open FAILED for v6 nat
> fw3_ipt_open FAILED for v6 mangle
> fw3_ipt_open FAILED for v6 raw
>
> Thanks!
> Wenli
>
> On Fri, Feb 11, 2022 at 1:04 AM Rui Salvaterra <rsalvaterra@gmail.com> wrote:
> >
> > Hi, Wenli,
> >
> > On Thu, 10 Feb 2022 at 19:19, Wenli Looi <wlooi@ucalgary.ca> wrote:
> > >
> > > Hi Rui and Ansuel,
> > >
> > > Can you take a look at this patch I sent a while ago for firewall3? I
> > > think it is a better solution for the problem in kernel 5.15+ that is
> > > identified here.
> > >
> > > http://lists.openwrt.org/pipermail/openwrt-devel/2022-January/037534.html
> > >
> > > Note that Ansuel's commit also seems to fix the problem with
> > > LXC/LXD/Docker, because poking the table with fw3_ipt_open makes it
> > > show up in ip_tables_names under Linux containers. However, as stated
> > > in the commit, I don't think we need to check ip_tables_names at all?
> >
> > [patch snipped]
> >
> > Does this still work when a table missing from the system? In other
> > words, when a table is compiled as a module, available in an
> > installable kernel package, but not installed in the system by default
> > (as is the case for the raw table in the kmod-ipt-raw package)? That's
> > the point of fw3_has_table, to check if a table exists in the system
> > before using it.
> >
> > Thanks,
> > Rui
Rui Salvaterra Feb. 17, 2022, 11:09 a.m. UTC | #4
Hi, guys,

On Fri, 11 Feb 2022 at 19:12, Wenli Looi <wlooi@ucalgary.ca> wrote:
>
> Sorry, forgot to reply all
>
> On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi <wlooi@ucalgary.ca> wrote:
> >
> > Hi Rui,
> >
> > Yes, I believe it still works. Every place where fw3_has_table is
> > called, we check immediately after if fw3_ipt_open succeeds, which
> > makes fw3_has_table superfluous?
> >
> > I added a few print statements to fw3_ipt_open to check the case you mentioned:
> >
> > root@OpenWrt:~# fw3 restart 2>/dev/null
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open FAILED for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open FAILED for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > root@OpenWrt:~# opkg install kmod-ipt-raw
> > Installing kmod-ipt-raw (5.10.96-1) to root...
> > Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> > Configuring kmod-ipt-raw.
> > root@OpenWrt:~# fw3 restart 2>/dev/null
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open SUCCESS for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open SUCCESS for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw

Ansuel, mind giving Wenli's fw3 patch [1] a spin on your 5.15 setup?
I've reverted your fix [2], tested it on 5.10 and had no regressions.
If it also works fine on 5.15, it's definitely a more elegant
solution.

[1] https://patchwork.ozlabs.org/project/openwrt/patch/20210610045106.285820-1-wlooi@ucalgary.ca/
[2] https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=3624c3786601699b6e7f9d18209fad0d7c6fe4e9

Thanks in advance,
Rui
Christian Marangi Feb. 17, 2022, 11:11 a.m. UTC | #5
>
> Hi, guys,
>
> On Fri, 11 Feb 2022 at 19:12, Wenli Looi <wlooi@ucalgary.ca> wrote:
> >
> > Sorry, forgot to reply all
> >
> > On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi <wlooi@ucalgary.ca> wrote:
> > >
> > > Hi Rui,
> > >
> > > Yes, I believe it still works. Every place where fw3_has_table is
> > > called, we check immediately after if fw3_ipt_open succeeds, which
> > > makes fw3_has_table superfluous?
> > >
> > > I added a few print statements to fw3_ipt_open to check the case you mentioned:
> > >
> > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open FAILED for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open FAILED for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
> > > root@OpenWrt:~# opkg install kmod-ipt-raw
> > > Installing kmod-ipt-raw (5.10.96-1) to root...
> > > Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> > > Configuring kmod-ipt-raw.
> > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open SUCCESS for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open SUCCESS for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
>
> Ansuel, mind giving Wenli's fw3 patch [1] a spin on your 5.15 setup?
> I've reverted your fix [2], tested it on 5.10 and had no regressions.
> If it also works fine on 5.15, it's definitely a more elegant
> solution.

Sure I will test this today and give a response ASAP.

>
> [1] https://patchwork.ozlabs.org/project/openwrt/patch/20210610045106.285820-1-wlooi@ucalgary.ca/
> [2] https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=3624c3786601699b6e7f9d18209fad0d7c6fe4e9
>
> Thanks in advance,
> Rui
Christian Marangi Feb. 21, 2022, 4:09 p.m. UTC | #6
>
> >
> > Hi, guys,
> >
> > On Fri, 11 Feb 2022 at 19:12, Wenli Looi <wlooi@ucalgary.ca> wrote:
> > >
> > > Sorry, forgot to reply all
> > >
> > > On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi <wlooi@ucalgary.ca> wrote:
> > > >
> > > > Hi Rui,
> > > >
> > > > Yes, I believe it still works. Every place where fw3_has_table is
> > > > called, we check immediately after if fw3_ipt_open succeeds, which
> > > > makes fw3_has_table superfluous?
> > > >
> > > > I added a few print statements to fw3_ipt_open to check the case you mentioned:
> > > >
> > > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open FAILED for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open FAILED for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> > > > root@OpenWrt:~# opkg install kmod-ipt-raw
> > > > Installing kmod-ipt-raw (5.10.96-1) to root...
> > > > Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> > > > Configuring kmod-ipt-raw.
> > > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open SUCCESS for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open SUCCESS for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> >
> > Ansuel, mind giving Wenli's fw3 patch [1] a spin on your 5.15 setup?
> > I've reverted your fix [2], tested it on 5.10 and had no regressions.
> > If it also works fine on 5.15, it's definitely a more elegant
> > solution.
>
> Sure I will test this today and give a response ASAP.
>

Hi, sorry for the delay... I reverted my patch and applied this
and I can confirm that this works correctly on linux 5.15.

> >
> > [1] https://patchwork.ozlabs.org/project/openwrt/patch/20210610045106.285820-1-wlooi@ucalgary.ca/
> > [2] https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=3624c3786601699b6e7f9d18209fad0d7c6fe4e9
> >
> > Thanks in advance,
> > Rui
Rui Salvaterra Feb. 21, 2022, 10:31 p.m. UTC | #7
Hi, Ansuel,

On Mon, 21 Feb 2022 at 16:09, Ansuel Smith <ansuelsmth@gmail.com> wrote:
>
> Hi, sorry for the delay... I reverted my patch and applied this
> and I can confirm that this works correctly on linux 5.15.

No worries, thanks for confirming. I'll take it from here. :)

Cheers,
Rui
Wenli Looi April 8, 2022, 7:38 p.m. UTC | #8
On Mon, Feb 21, 2022 at 2:31 PM Rui Salvaterra <rsalvaterra@gmail.com> wrote:
>
> Hi, Ansuel,
>
> On Mon, 21 Feb 2022 at 16:09, Ansuel Smith <ansuelsmth@gmail.com> wrote:
> >
> > Hi, sorry for the delay... I reverted my patch and applied this
> > and I can confirm that this works correctly on linux 5.15.
>
> No worries, thanks for confirming. I'll take it from here. :)
>
> Cheers,
> Rui

Thanks for accepting this patch!

Would someone be able to update the firewall3 version used in openwrt?

https://github.com/openwrt/openwrt/blob/master/package/network/config/firewall/Makefile

Patch

diff --git a/main.c b/main.c
index 7ad00b4..7deb636 100644
--- a/main.c
+++ b/main.c
@@ -195,9 +195,6 @@  stop(bool complete)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
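Review bot: With the `fw3_has_table` pre-check gone, the bare `continue` after `fw3_ipt_open(family, table)` in stop() is the only handling for every open failure, and nothing at this call site reports it. An absent table (the expected case, e.g. kmod-ipt-raw not installed) and any other failure to open a table now take the same silent path, so a table's rules can be skipped with no trace in the log; the commit message itself notes that iptables prints "Table does not exist" on ENOENT. I would state the intent at the call, e.g. `/* a table that cannot be opened is skipped; this is the only existence check */`, and, if fw3_ipt_open leaves errno intact (not visible here), log a warning when the failure is anything other than ENOENT. The same applies to the identical loops in start(), reload(), the `start:` label and gc(); all of these functions begin and end outside their hunks.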
@@ -268,9 +265,6 @@  start(void)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
@@ -339,9 +333,6 @@  reload(void)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
@@ -368,9 +359,6 @@  start:
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
@@ -426,9 +414,6 @@  gc(void)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
diff --git a/utils.c b/utils.c
index 17d5bf9..36897b0 100644
--- a/utils.c
+++ b/utils.c
@@ -339,15 +339,6 @@  file_contains(const char *path, const char *str)
 	return seen;
 }
 
-bool
-fw3_has_table(const bool ipv6, const char *table)
-{
-	const char *path = ipv6
-		? "/proc/net/ip6_tables_names" : "/proc/net/ip_tables_names";
-
-	return file_contains(path, table);
-}
-
 bool
 fw3_has_target(const bool ipv6, const char *target)
 {
diff --git a/utils.h b/utils.h
index 884907d..5b17a2d 100644
--- a/utils.h
+++ b/utils.h
@@ -102,8 +102,6 @@  void fw3_command_close(void);
 void fw3_pr(const char *fmt, ...)
 	__attribute__ ((format (printf, 1, 2)));
 
-bool fw3_has_table(const bool ipv6, const char *table);
-
 bool fw3_has_target(const bool ipv6, const char *target);
 
 bool fw3_lock(void);