From 334a71e3e3757bf7bbad795a1489984cf765e666 Mon Sep 17 00:00:00 2001
From: Joshua Klinesmith
Date: Wed, 1 Apr 2026 08:03:27 -0400
Subject: [PATCH] luci-app-firewall: sync protocol list with musl libc
nftables resolves symbolic protocol names via getprotobyname() which on musl only knows a hardcoded subset of protocols (src/network/proto.c). Names not in that list cause nftables to fail with "Could not resolve protocol name", breaking the firewall on rule load. Remove 23 protocol entries (including vrrp, sctp, dccp, l2tp) that musl cannot resolve. Users who need these protocols can still enter them by number in firewall rules. The removed protocols were originally sourced from a glibc-based /etc/protocols file. musl intentionally does not read that file.
Fixes: #8449
Signed-off-by: Joshua Klinesmith
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../luci-static/resources/tools/firewall.js | 30 ++++---------------
 1 file changed, 5 insertions(+), 25 deletions(-)
diff --git a/applications/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js b/applications/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js
index a63f18aee1c6..67095021fee1 100644
--- a/applications/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js
+++ b/applications/luci-app-firewall/htdocs/luci-static/resources/tools/firewall.js
@@ -9,24 +9,25 @@
 'require validation';
 'require tools.prng as random';
+/* Only include protocol names that musl's getprotobyname() can resolve.
+ * nftables calls getprotobyname() for symbolic names; musl has a small
+ * hardcoded list (src/network/proto.c) and does not read /etc/protocols.
+ * Protocols not in this list must be entered by number in firewall rules. */
 const protocols = [
  'ip', 0, 'IP',
- 'hopopt', 0, 'HOPOPT',
  'icmp', 1, 'ICMP',
  'igmp', 2, 'IGMP',
- 'ggp', 3 , 'GGP',
+ 'ggp', 3, 'GGP',
  'ipencap', 4, 'IP-ENCAP',
  'st', 5, 'ST',
  'tcp', 6, 'TCP',
  'egp', 8, 'EGP',
- 'igp', 9, 'IGP',
  'pup', 12, 'PUP',
  'udp', 17, 'UDP',
  'hmp', 20, 'HMP',
  'xns-idp', 22, 'XNS-IDP',
  'rdp', 27, 'RDP',
  'iso-tp4', 29, 'ISO-TP4',
- 'dccp', 33, 'DCCP',
  'xtp', 36, 'XTP',
  'ddp', 37, 'DDP',
  'idpr-cmtp', 38, 'IDPR-CMTP',
@@ -39,36 +40,15 @@ const protocols = [
  'esp', 50, 'IPSEC-ESP',
  'ah', 51, 'IPSEC-AH',
  'skip', 57, 'SKIP',
- 'icmpv6', 58, 'IPv6-ICMP',
  'ipv6-icmp', 58, 'IPv6-ICMP',
  'ipv6-nonxt', 59, 'IPv6-NoNxt',
  'ipv6-opts', 60, 'IPv6-Opts',
  'rspf', 73, 'RSPF',
- 'rspf', 73, 'CPHB',
  'vmtp', 81, 'VMTP',
- 'eigrp', 88, 'EIGRP',
  'ospf', 89, 'OSPFIGP',
- 'ax.25', 93, 'AX.25',
  'ipip', 94, 'IPIP',
- 'etherip', 97, 'ETHERIP',
  'encap', 98, 'ENCAP',
  'pim', 103, 'PIM',
- 'ipcomp', 108, 'IPCOMP',
- 'vrrp', 112, 'VRRP',
- 'l2tp', 115, 'L2TP',
- 'isis', 124, 'ISIS',
- 'sctp', 132, 'SCTP',
- 'fc', 133, 'FC',
- 'mh', 135, 'Mobility-Header',
- 'ipv6-mh', 135, 'Mobility-Header',
- 'mobility-header', 135, 'Mobility-Header',
- 'udplite', 136, 'UDPLite',
- 'mpls-in-ip', 137, 'MPLS-in-IP',
- 'manet', 138, 'MANET',
- 'hip', 139, 'HIP',
- 'shim6', 140, 'Shim6',
- 'wesp', 141, 'WESP',
- 'rohc', 142, 'ROHC',
 ];
 function lookupProto(x) {
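Review bot: The comment added above `const protocols` names musl's `src/network/proto.c` as the source of truth but records no musl release, so a later reader cannot tell whether this hand-copied table still matches the libc that is actually shipped. I would add one line to it, e.g. ` * Last checked against musl <MUSL_VERSION> (placeholder); re-check when the toolchain's musl changes.` The same comment says other protocols "must be entered by number", but nothing in this hunk enforces that; the table presumably only drives what the UI offers, and whether a hand-typed name such as `sctp` is rejected is decided by validation code outside the hunk. Since the commit message says an unresolvable name makes nftables fail the rule load, that input path deserves a check so a single typed name cannot leave the device without its intended ruleset.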
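Review bot: Rules already saved under one of the names dropped in this hunk (`icmpv6`, `sctp`, `udplite`, `vrrp` and the rest) are not addressed: after the change they have no table entry, and what `lookupProto()` does on a miss is not visible because only its opening line falls inside the hunk. If a miss is rendered as an ordinary custom value, the UI would re-save the very name that, per the commit message, makes the ruleset fail to load. Consider translating a removed name to its number when an existing rule is opened, or at least leaving a marker where the alias used to be, e.g. `/* 'icmpv6' omitted on purpose: musl only resolves 'ipv6-icmp' (58) */`.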