I'm working with an RPi and I want my application to modify the firewall rules on an RDK-B router. I have the following questions; could you please clarify so I can understand this better.


  1. Does the RDK-B stack allow a user application to manipulate firewall rules using iptables?
  2. Does RDK-B have a CCSP layer to manage firewall routes?
  3. I have tried to create a new chain in the NAT table from my user application; after some time the chain gets removed automatically. Does RDK-B enforce the firewall rules, or can a user application running on RDK-B also modify the firewall rules?

9 Comments

  1. Hi Z-Nitin Patet,

    Please refer to firewall.c in Utopia for firewall management related stuff. You can add your own firewall rules.

  2. Hi Narayanaswamy Ramaiyer


    Yes, I referred to firewall.c. It is a kind of service (firewall) that gets triggered every 90 seconds and enforces the firewall rules. Due to this enforcement it removes the custom modifications (from my application) that I made to the firewall settings.

    For example, (from cli)
    iptables -t nat -N custom_chain
    iptables -t nat -I PREROUTING -j custom_chain
    ...<adding some rules>

    After 90 seconds, the above chain is getting deleted. I'm getting the error "iptables: No chain/target/match by that name."

    This issue looks to me to be due to the enforcement done by the firewall service. So I tried stopping the firewall service using the "sysevent set firewall-stop" command; it tells me the firewall is stopped, but after 90 seconds it gets triggered again and the default rules are enforced.

    Is there any way to disable this firewall service enforcement for some time and enable it later?

  3. Hi Z-Nitin Patet,

    The firewall restarts in several scenarios. The best solution for adding your new firewall rules would be as follows:

    • Create your script and add your rules
    • Place the script under ./meta-rdk-broadband/recipes-ccsp/util/utopia/
    • Add and install it in utopia.bb
    • Invoke it from the firewall_log_handle.sh file after firewall

    NOTE: Make sure that you have a reverse rule for every rule you are adding in your script, to avoid multiple references to the same rule across several firewall restarts.

    Regards,
    Priyankaa KVB
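A worked version of the script recommended above, added here as an example (it is not part of this thread, of Utopia, or of the RDK-B code base). It uses `iptables -C` so that each jump and rule is installed at most once no matter how many times the script is re-run after a firewall restart, carries the "reverse rule" for every forward rule in `remove_rules`, and adds a `watch` mode that reinstalls the chains when `iptables -S` reports them gone, which is the no-source-change route the thread later asks about. The chain name MYRULES, the address 192.168.1.1 and the overridable `IPT` variable (so the logic can be exercised against a stub instead of the real iptables binary) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the RDK-B/Utopia sources: an idempotent
# script that installs a MYRULES chain in the nat and filter tables and can be
# re-run safely after every Utopia firewall restart. Assumed names: the chain
# MYRULES, the constructed example address 192.168.1.1, and an overridable
# IPT variable so the logic can be exercised with a stub instead of iptables.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-MYRULES}"

# chain_reset TABLE CHAIN: create the chain, or flush it if it already exists,
# so every run starts from the same empty chain.
chain_reset() {
    "$IPT" -t "$1" -N "$2" 2>/dev/null || "$IPT" -t "$1" -F "$2"
}

# jump_once TABLE PARENT CHAIN: hook CHAIN at the top of PARENT exactly once.
# -C checks whether the identical jump exists; without it, each re-run would
# stack another "-j MYRULES" in PARENT (the duplicate the NOTE above warns of).
jump_once() {
    "$IPT" -t "$1" -C "$2" -j "$3" 2>/dev/null || "$IPT" -t "$1" -I "$2" -j "$3"
}

# rule_once TABLE RULE...: append RULE to its chain unless already present.
rule_once() {
    _t=$1; shift
    if "$IPT" -t "$_t" -C "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$_t" -A "$@"
}

# chain_present TABLE CHAIN: succeeds if the chain exists; iptables -S fails
# with "No chain/target/match by that name" once firewall.c rebuilt the table.
chain_present() {
    "$IPT" -t "$1" -S "$2" >/dev/null 2>&1
}

apply_rules() {
    chain_reset nat "$CHAIN"
    jump_once nat PREROUTING "$CHAIN"
    rule_once nat "$CHAIN" -s 192.168.1.1/32 -j RETURN
    rule_once nat "$CHAIN" -d 192.168.1.1/32 -j RETURN

    chain_reset filter "$CHAIN"
    jump_once filter FORWARD "$CHAIN"
    rule_once filter "$CHAIN" -p tcp --sport 443 -m string --string facebook --algo bm -j DROP
    rule_once filter "$CHAIN" -p tcp --sport 80 -m string --string facebook --algo bm -j DROP
}

# remove_rules: the reverse of apply_rules, one -D/-F/-X for every -I/-A/-N.
# Every step tolerates "already gone" so it is safe after a firewall restart.
remove_rules() {
    "$IPT" -t nat -D PREROUTING -j "$CHAIN" 2>/dev/null || true
    "$IPT" -t nat -F "$CHAIN" 2>/dev/null || true
    "$IPT" -t nat -X "$CHAIN" 2>/dev/null || true
    "$IPT" -t filter -D FORWARD -j "$CHAIN" 2>/dev/null || true
    "$IPT" -t filter -F "$CHAIN" 2>/dev/null || true
    "$IPT" -t filter -X "$CHAIN" 2>/dev/null || true
}

# ensure_rules: re-apply only if a firewall restart dropped either chain.
# Returns 0 when the rules were reinstalled, 1 when nothing needed doing.
ensure_rules() {
    if chain_present nat "$CHAIN" && chain_present filter "$CHAIN"; then
        return 1
    fi
    apply_rules
}

# Usage: myrules.sh apply | remove | watch [interval-seconds]
# "watch" polls and reinstalls whenever firewall.c has wiped the chains; keep
# the interval below the 90 s cycle reported in the thread.
case "${1:-}" in
    apply)  apply_rules ;;
    remove) remove_rules ;;
    watch)
        while :; do
            ensure_rules || true
            sleep "${2:-30}"
        done
        ;;
esac
```

Run it as root with `apply` from firewall_log_handle.sh (the in-tree route above), or as `watch` from your own application's init if you would rather not touch the RDK-B recipes. Note that `watch` only narrows the window during which the chains are missing; it does not close it.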

  4. Hi Priyankaa K V B,


    The idea here is that our application will be running on the RDK-B router, but it will be independent of the RDK-B code base, and our application wants to control the firewall configuration (by adding/removing rules dynamically at runtime). So we prefer not to modify the RDK-B code base to achieve this.


    The problem I can see in the current RDK-B code is that it does not allow other applications to manage firewall rules in the NAT table. The RDK-B firewall (firewall.c) removes all the rules added by other applications. This firewall service is not just verifying whether all the required rules are present during enforcement; it also removes all the rules added by other applications or added manually from the CLI.

    I'm not sure whether it is a bug or an RDK-B design requirement. The reason I say this is that the rules added by other applications in the FILTER table remain after the firewall service enforcement. This issue is seen only with the NAT table.


    If it is an RDK-B requirement to remove all the rules set by other applications during firewall enforcement,

    then is it allowed to disable the firewall feature on RDK-B or not?

    Is there a way to disable the firewall feature during RDK-B compilation or at runtime?

    1. Hi Z-Nitin Patet,

      Yes, in RDK-B the rules from firewall.c will remove the rules set by other applications during every firewall restart.

      In order to have your own set of rules available, there are two ways:

      1. Remove the firewall binary (hide the registration of firewall) and run your script from utopia init
      2. Overwrite firewall.c (the complete file) with your rules

      Also, when we tried to add our own script (adding/removing a few rules) and executed it from the firewall_log_handle.sh file, we observed that it removes all the existing default rules (NAT, mangle, raw, filter rules) and had only our rules. Could you please share the list of filter rules which you are observing after the firewall service enforcement.

      Regards,
      Priyankaa KVB

  5. Hi Priyankaa K V B,


    In the example below I explain the problem: how the chain MYRULES in the NAT table is getting deleted during enforcement, while the chain MYRULES in the filter table is still available.

    root@RaspberryPi-Gateway:~# iptables -t nat -D PREROUTING -j MYRULES
    root@RaspberryPi-Gateway:~# iptables -t nat -F MYRULES
    root@RaspberryPi-Gateway:~# iptables -t nat -X MYRULES
    root@RaspberryPi-Gateway:~# iptables -t nat -N MYRULES
    root@RaspberryPi-Gateway:~# iptables -t nat -I PREROUTING -j MYRULES
    root@RaspberryPi-Gateway:~# iptables -t nat -A MYRULES -s 192.168.1.1/32 -j RETURN
    root@RaspberryPi-Gateway:~# iptables -t nat -A MYRULES -d 192.168.1.1/32 -j RETURN
    root@RaspberryPi-Gateway:~# iptables -D FORWARD -j MYRULES
    root@RaspberryPi-Gateway:~# iptables -F MYRULES
    root@RaspberryPi-Gateway:~# iptables -N MYRULES
    iptables: Chain already exists.
    root@RaspberryPi-Gateway:~# iptables -I FORWARD -j MYRULES
    root@RaspberryPi-Gateway:~# iptables -A MYRULES -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j DROP
    root@RaspberryPi-Gateway:~# iptables -A MYRULES -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm -j DROP

    In the above snippet I have created a new chain named MYRULES in both the filter table and the nat table, with some sample rules.


    root@RaspberryPi-Gateway:~# iptables -S MYRULES -t nat
    -N MYRULES
    -A MYRULES -s 192.168.1.1/32 -j RETURN
    -A MYRULES -d 192.168.1.1/32 -j RETURN
    root@RaspberryPi-Gateway:~# iptables -S MYRULES
    -N MYRULES
    -A MYRULES -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm --to 65535 -j DROP
    -A MYRULES -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm --to 65535 -j DROP

    In the above snippet, you can see that the chain MYRULES is available in both the filter table and the nat table.

    root@RaspberryPi-Gateway:~# iptables -S MYRULES
    -N MYRULES
    -A MYRULES -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm --to 65535 -j DROP
    -A MYRULES -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm --to 65535 -j DROP
    root@RaspberryPi-Gateway:~# iptables -S MYRULES -t nat
    iptables: No chain/target/match by that name.

    In the above snippet, after firewall enforcement happens, you can see that the chain MYRULES in the filter table is still available, but the chain MYRULES in the nat table has been removed.


    One question from your previous comment: if we replace the firewall service with our own firewall rules, then the few rules RDK-B itself adds to manage the router will not be enforced at all. Do you want us to include those as part of our new firewall service? Could you please give us the recommended default rules that should be added and are needed for an RDK-B router?

    1. Hi Z-Nitin Patet,

      I tried with the above "MYRULES" rules; I could see that both the nat and filter table rules get removed after a firewall restart.

      root@RaspberryPi-Gateway:~# iptables -S MYRULES -t nat
      -N MYRULES
      -A MYRULES -s 192.168.1.1/32 -j RETURN
      -A MYRULES -d 192.168.1.1/32 -j RETURN
      root@RaspberryPi-Gateway:~# iptables -S MYRULES
      -N MYRULES
      -A MYRULES -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm --to 65535 -j DROP
      -A MYRULES -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm --to 65535 -j DROP

      After firewall restart,
      root@RaspberryPi-Gateway:~# iptables -S MYRULES
      iptables: No chain/target/match by that name.
      root@RaspberryPi-Gateway:~# iptables -S MYRULES -t nat
      iptables: No chain/target/match by that name.

      Basically, all the rules are applied from the firewall.c file. If you are replacing the existing rules with your own rules in firewall.c (either by removing the existing firewall binary and running your script from utopia init, or by overwriting the entire set of existing rules in firewall.c), you have to at least retain a few default rules like:

      1. NAT rules 
      2. filter rules (ssh, http)

      Regards,
      Priyankaa KVB

  6. Hello Priyankaa K V B


    I wanted to understand why my environment is behaving differently. Find the details of my build below, and let me know about your build setup so we can understand this issue better.


    I'm on rdk-next, updated on 12th May 2020, and the build steps are as below:

    1. source meta-cmf-raspberrypi/setup-environment
    2. Select --> 9) meta-cmf-raspberrypi/conf/machine/raspberrypi-rdk-broadband.conf
    3. bitbake rdk-generic-broadband-image

    For more details about the git versions I have attached the version file.


    Are you on tags or rdk-next? Can you give me more details about your build setup so we can align and find the issue?


    Thanks

    1. Hi Z-Nitin Patet,

      Please find below the procedure to build rdk-next:

      • repo init -u https://code.rdkcentral.com/r/manifests -b rdk-next -m rdkb-extsrc.xml
      • repo sync -j4 --no-clone-bundle
      • source meta-cmf-raspberrypi/setup-environment
      • option 9 : meta-cmf-raspberrypi/conf/machine/raspberrypi-rdk-broadband.conf
      • bitbake rdk-generic-broadband-image

      Could you please confirm your "repo init" command.

      Regards,
      Priyankaa KVB