luci-app-firewall: sync protocol list with musl libc#8494
Closed
R41D1 wants to merge 1 commit intoopenwrt:masterfrom
Closed
luci-app-firewall: sync protocol list with musl libc#8494R41D1 wants to merge 1 commit intoopenwrt:masterfrom
R41D1 wants to merge 1 commit intoopenwrt:masterfrom
Conversation
nftables resolves symbolic protocol names via getprotobyname() which on musl only knows a hardcoded subset of protocols (src/network/proto.c). Names not in that list cause nftables to fail with "Could not resolve protocol name", breaking the firewall on rule load. Remove 23 protocol entries (including vrrp, sctp, dccp, l2tp) that musl cannot resolve. Users who need these protocols can still enter them by number in firewall rules. The removed protocols were originally sourced from a glibc-based /etc/protocols file. musl intentionally does not read that file. Fixes: openwrt#8449 Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
Closing in favor of the approach from the issue discussion — adding a musl-compatibility flag (4th field) to each protocol entry and converting unsupported names to numeric values on write via |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
getprotobyname()cannot resolvenftables resolves symbolic protocol names via
getprotobyname(). On musl (used by all OpenWrt targets), this function only knows a hardcoded subset of 36 protocols (src/network/proto.c). musl intentionally does not read/etc/protocols.When LuCI writes a symbolic name like
vrrpto/etc/config/firewall, nftables fails withCould not resolve protocol nameon rule load, breaking the entire firewall.The protocol list was originally sourced from a glibc-based
/etc/protocols. This patch syncs it to only include names musl can resolve. Users who need removed protocols (e.g. VRRP=112, SCTP=132) can still enter them by number.Removed protocols: hopopt, igp, dccp, icmpv6 (alias; ipv6-icmp stays), eigrp, ax.25, etherip, ipcomp, vrrp, l2tp, isis, sctp, fc, mh, ipv6-mh, mobility-header, udplite, mpls-in-ip, manet, hip, shim6, wesp, rohc, duplicate rspf/CPHB alias.
Test plan
tcp— rule saves and firewall loads112— rule saves and firewall loadsvrrpno longer appears in protocol dropdown (prevents the nftables failure)service firewall restartsucceeds with all selectable protocolsFixes #8449
🤖 Generated with Claude Code