
Why does /jffs/scripts/firewall-start script run twice?

chiwalfrm

Regular Contributor
I put iptables commands in the /jffs/scripts/firewall-start script.

Why does this script run twice at boot?

This is the script sequence after I reboot the router:

Oct 2 11:47:40 RT-N16 admin: /jffs/scripts/services-stop
Dec 31 18:00:07 0: /jffs/scripts/init-start
Dec 31 18:00:12 admin: /jffs/scripts/services-start
Dec 31 18:00:12 admin: /jffs/scripts/pre-mount
Dec 31 18:00:13 admin: /jffs/scripts/wan-start
Dec 31 18:00:14 admin: /jffs/scripts/pre-mount
Dec 31 18:00:16 admin: /jffs/scripts/firewall-start
Dec 31 18:00:16 admin: /jffs/scripts/firewall-start <--- it ran a second time
Dec 31 18:00:17 admin: /jffs/scripts/post-mount

As a result of it running twice, each of my iptables commands shows up twice, which doesn't seem to break anything but still...

# iptables -L | grep 4500
logaccept udp -- anywhere anywhere udp dpt:4500
logaccept udp -- anywhere anywhere udp dpt:4500

So the question is why does it run twice.

Thank you.
 
I see only one single call for the script in the code, so it sounds like the FW might be calling start_firewall() twice. I will have to do some testing to figure out why the function gets called twice by the FW.
 
Do you use Dual WAN by any chance? I could see a case where start_firewall() gets called for each WAN interface.
 
It is an RT-N16 so no dual wan.

I see in the C code that there are two places that call the script?

https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c

=== FIRST (line 4481)
Code:
#if defined(RTCONFIG_APP_PREINSTALLED) || defined(RTCONFIG_APP_NETINSTALLED)
	if(strcmp(nvram_safe_get("apps_dev"), "") != 0)
		run_app_script(NULL, "firewall-start");

=== SECOND (line 4504)
Code:
run_custom_script("firewall-start", NULL);
 
They aren't the same. If you check run_app_script(), it doesn't run it from the /jffs/scripts/ partition. That first script is implemented by Asus and is related to Optware, the second is mine and will run from /jffs/scripts/.
 
I just tested it here, and firewall-start only gets executed once for me. Here's the result after a reboot:

Code:
admin@stargate2:/tmp/home/root# more /jffs/scripts/firewall-start 
#!/bin/sh
echo "*" >>/tmp/000firewall-start

admin@stargate2:/tmp/home/root# more /tmp/000firewall-start 
*

admin@stargate2:/tmp/home/root#

If it was running twice, there would be two stars in the temp file.

Are you sure you don't have a copy of the firewall-start script elsewhere, such as on a USB disk? That second copy might be the one getting accidentally executed by that other firewall-start command Asus uses for AiCloud/lighttpd.
 
Thanks for checking Merlin. First, I can say it is not some other copy of the firewall-start script because the syslog line says:

Dec 31 18:00:16 admin: /jffs/scripts/firewall-start
Dec 31 18:00:16 admin: /jffs/scripts/firewall-start

This line is generated via a "logger $0" rather than an echo command so it is definitely /jffs/scripts/firewall-start running twice.

The cause is most likely related to the VPN/Strongswan stuff I have been working on.

But I abandoned that effort since I could not proceed any further and went back to standard 3.0.0.4.374.32 firmware. This firewall-start twice problem does not happen on that firmware.

As far as the IPsec stuff goes, I got all the way to strongswan running and VPN clients can connect/authenticate, but it won't set up the tunnels. The following errors are in the syslog.

===
Sep 26 19:32:39 RT-N16 syslog: 11[KNL] unable to add SAD entry with SPI c68e42df: Function not implemented (89)
Sep 26 19:32:39 RT-N16 syslog: 11[KNL] unable to add SAD entry with SPI 0b85c034: Function not implemented (89)
Sep 26 19:32:39 RT-N16 syslog: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sep 26 19:32:39 RT-N16 syslog: 11[KNL] unable to delete SAD entry with SPI 0b85c034: No such process (3)
Sep 26 19:32:39 RT-N16 syslog: 11[IKE] sending DELETE for ESP CHILD_SA with SPI 0b85c034
===

"Function not implemented" sounds like something missing in the kernel.

In any case, the problem is gone after I went back to 3.0.0.4.374.32 firmware so problem resolved. Thank you.
 
Hi,
I would like to reopen this case, due to the same problem with 3.0.0.4.374.34_2.
The scripts firewall-start and nat-start definitely start (at least) twice if "Enable PPTP Server" is checked.
 
I can't reproduce the issue. My guess is you might have Dual WAN enabled (if not configured).

firewall-start now gets passed the WAN interface calling it. Output the content of $1, you will see which WAN interface is causing it to be called.
 
Dual WAN is as it is right after "factory default", i.e. disabled (is there any other way to get the Dual WAN state apart from the WebUI, which shows "OFF"?).
"Log" of starting these scripts:
Code:
Sat  1  1:00:17 asuswrt nat-start
Sat  1  1:00:17 asuswrt firewall-start eth0
Sat  1  1:00:18 asuswrt nat-start
Sat  1  1:00:18 asuswrt firewall-start eth0


The double run of the firewall-start and nat-start scripts really is affected by enabling the PPTP server. If I disable the PPTP server, then the scripts run just once. If I enable the PPTP server, the scripts run twice.
 
Hi,

I have had this issue since about May (I did post back then) but have lived with it since then as all was still working.

I have an N66U (no dual WAN) and have had the issue with all versions since May - currently on latest.

I have disabled my PPTP server as I dont use it often and it is now running the scripts only once.

Regards,
 
Then it means that the start_firewall() function gets called a second time, which means this is correct behaviour for firewall-start to be executed a second time, as all rules were wiped when the start_firewall() function was called a second time.

That function most likely gets called as the pptpd server is started so it can reconfigure the firewall and open the necessary ports.

This is not a bug.
 
I would agree if the old firewall rules were really wiped. But they aren't (except {nat} POSTROUTING).
I made test scripts which contain:
nat-start:
Code:
#!/bin/sh
iptables -t nat -I POSTROUTING -o eth0 -s 1.2.3.4 -d 4.3.2.1
iptables -t nat -I PREROUTING -i eth0 -s 1.2.3.4 -d 4.3.2.1
iptables -t nat -I OUTPUT -s 1.2.3.4 -d 4.3.2.1
firewall-start:
Code:
#!/bin/sh
iptables -I INPUT -s 1.2.3.4 -d 4.3.2.1
iptables -I OUTPUT -s 1.2.3.4 -d 4.3.2.1
iptables -I FORWARD -s 1.2.3.4 -d 4.3.2.1
ip6tables -I INPUT -s cafe:babe::
ip6tables -I OUTPUT -s cafe:babe::
ip6tables -I FORWARD -s cafe:babe::

and after reboot I got:
Code:
admin@asuswrt:/# iptables -t nat -L -v -n --line | grep -e Chain -e 1.2.3.4
Chain PREROUTING (policy ACCEPT 119 packets, 8214 bytes)
1        0     0            all  --  eth0   *       1.2.3.4              4.3.2.1             
2        0     0            all  --  eth0   *       1.2.3.4              4.3.2.1             
Chain POSTROUTING (policy ACCEPT 15 packets, 2132 bytes)
1        0     0            all  --  *      eth0    1.2.3.4              4.3.2.1             
Chain OUTPUT (policy ACCEPT 15 packets, 2132 bytes)
1        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
2        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
Chain LOCALSRV (0 references)
Chain VSERVER (1 references)
Chain VUPNP (1 references)
Chain YADNS (0 references)
admin@asuswrt:/# iptables -L -v -n --line | grep -e Chain -e 1.2.3.4
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
1        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
2        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
Chain FORWARD (policy DROP 0 packets, 0 bytes)
1        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
2        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
Chain OUTPUT (policy ACCEPT 108 packets, 19614 bytes)
1        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
2        0     0            all  --  *      *       1.2.3.4              4.3.2.1             
Chain FUPNP (0 references)
Chain PControls (0 references)
Chain logaccept (0 references)
Chain logdrop (0 references)
admin@asuswrt:/# ip6tables -L -v -n --line | grep -e Chain -e cafe:babe
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
1        0     0            all      *      *       cafe:babe::/128      ::/0               
2        0     0            all      *      *       cafe:babe::/128      ::/0               
Chain FORWARD (policy DROP 0 packets, 0 bytes)
1        0     0            all      *      *       cafe:babe::/128      ::/0               
2        0     0            all      *      *       cafe:babe::/128      ::/0               
Chain OUTPUT (policy ACCEPT 140 packets, 19174 bytes)
1        0     0            all      *      *       cafe:babe::/128      ::/0               
2        0     0            all      *      *       cafe:babe::/128      ::/0               
Chain PControls (0 references)
Chain logaccept (0 references)
Chain logdrop (0 references)
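Whatever the reason start_firewall() runs a second time, the practical fix on the script side is to make firewall-start idempotent, so that a second pass adds nothing. The hook below is an added example for this thread, not code from Asuswrt-Merlin or from any poster: every rule is checked with "iptables -C" and only inserted when it is missing. The ports and targets are the ones quoted in the posts above (udp 4500 to logaccept, tcp 9091, tcp/udp 51413); the WAN interface in $1 is the argument Merlin describes for 374.34 and later; the IPT variable is an assumption that lets the logic run against a wrapper without root, and RULES_ADDED/RULES_SKIPPED are counters added for that purpose.

```sh
#!/bin/sh
# /jffs/scripts/firewall-start written as an idempotent hook.
# Added example for this thread, not code from Asuswrt-Merlin or from a poster.
# Ports/targets come from rules quoted in the thread; $1 is the WAN interface
# the firmware passes (374.34 and later), empty on older builds.

IPT=${IPT:-iptables}      # assumption: overridable so the logic can be run without root
LOG_TAG=firewall-start
RULES_ADDED=0             # counters added for this example
RULES_SKIPPED=0

log() {
    # syslog when available (the posters used "logger $0" the same way), stderr otherwise
    logger -t "$LOG_TAG" "$*" 2>/dev/null || echo "$LOG_TAG: $*" >&2
}

# ensure_rule TABLE CHAIN MATCH... : insert the rule only if an identical one is
# not already present. "iptables -C" exits 0 when the rule exists; it needs
# iptables 1.4.11 or newer, on older builds the check always fails (see note).
ensure_rule() {
    _table=$1; _chain=$2; shift 2
    if "$IPT" -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
        RULES_SKIPPED=$((RULES_SKIPPED + 1))
        return 0
    fi
    "$IPT" -t "$_table" -I "$_chain" "$@" || return 1
    RULES_ADDED=$((RULES_ADDED + 1))
}

# apply_rules [WAN_IF] : the body of the hook. Safe to run any number of times,
# so a second start_firewall() pass (PPTP server, Dual WAN) duplicates nothing,
# while a real wipe of the tables makes -C fail and the rules are re-added.
apply_rules() {
    RULES_ADDED=0
    RULES_SKIPPED=0
    log "run for WAN interface '${1:-unknown}'"
    ensure_rule filter INPUT -p udp --dport 4500  -j logaccept   # IPsec NAT-T, from the first post
    ensure_rule filter INPUT -p tcp --dport 9091  -j ACCEPT      # ports from the duplicated rules quoted below
    ensure_rule filter INPUT -p tcp --dport 51413 -j ACCEPT
    ensure_rule filter INPUT -p udp --dport 51413 -j ACCEPT
    log "rules added: $RULES_ADDED, already present: $RULES_SKIPPED"
}

# Only touch the live firewall when invoked as the hook itself.
case "$0" in
    */firewall-start) apply_rules "$@" ;;
esac
```

Run it twice by hand (sh /jffs/scripts/firewall-start eth0) and the second run logs "rules added: 0, already present: 4" instead of doubling every rule. The check only covers rules the script itself owns; the firmware's own rules are rebuilt by start_firewall() and are not the script's concern. On a firmware whose iptables predates -C, the check fails every time and the duplicates come back; there, test for the rule in the output of iptables-save before inserting.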
 
I don't see how that can happen - the firewall-start script is called at the very end of the function that will create the firewall config script, and applies it to the router.
 
In my case the firewall script is called 3-times on my AC87U:
two times before the time is set and once later.
Private Log file from the script:
2015-08-01 02:00:32 START_firewall-start started [vlan2]
2015-08-01 02:00:32 Script execution OK. Script: /jffs/scripts/firewall-start

2015-08-01 02:00:39 START_firewall-start started [vlan2]
2015-08-01 02:00:39 Script execution OK. Script: /jffs/scripts/firewall-start

2017-04-30 14:12:19 START_firewall-start started [vlan2]
2017-04-30 14:12:19 Script execution OK. Script: /jffs/scripts/firewall-start
Looking through the syslog.log file I see a common pattern:
Aug 1 02:00:32 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!

Aug 1 02:00:38 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!

Apr 30 14:12:18 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!
It looks like the NAT rules change triggers the firewall event... :rolleyes:

Not a problem for my config as I have only very simple iptables commands in the firewall script which can be re-run without any issues.
 
I also get it 3 times: 2 after the time is set and one before.

 
I did it with a trick sleep 180. You could find details here:
https://www.snbforums.com/threads/i...-for-ipset-v6-and-v4.37976/page-4#post-321183

Edit:
I still have other duplicates :( even though I no longer have the Blacklist duplicated:
Code:
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -i tun21 -j ACCEPT
Thank you all!

All the best!
 
I too have a duplicate firewall-start. Dnscrypt's DNS forward line is added to firewall-start by default. I get two forwarding entries in the system log/port forwarding. The first has both tcp and udp port 53; however, there is a second set of these entries that has exactly the same information. It is forwarded right, but there is no need to do it twice. So I believe my firewall-start is being called twice.
 