[Net] Firewall IP Forwarding rules entered in the Web UI lost on reboot

[cdealti]

Affects Kura 2.0.2. Not checked against Kura 2.1.0.

The use case is configure IP forwarding between wlan0 and ppp0 but without NAT.
This can be achieved by setting IP Forwarding rules in the Web UI.

When you save the IP Forwarding rules, they are correctly saved in the snapshot and in the firewall configuration file /etc/sysconfig/iptables. They are also correctly listed with iptables --list.
The above network configuration works nicely.

Then two things happen:

1. In the Web UI if you click outside the IP Forwarding tab and you go back to it, the rules are no longer there.

2. If you change the network configuration, the /etc/sysconfig/iptables and the snapshot are rewritten and the IP forwarding rules are deleted. The above network configuration stops working.

As a workaround we added the IP forwarding rules to the firewall custom script which triggered another bug fixed by #1194.

There is another issue, difficult to describe:
If you use the firewall custom script, /etc/init.d/firewall_cust, on the next configuration change, the custom rules are saved also /etc/sysconfig/iptables.
If you change the configuration again the custom rules are removed from /etc/sysconfig/iptables.
So, if the custom rules are not present in /etc/sysconfig/iptables, they are added. If they are present then they are removed.
This is weird but it does not cause any troubles

[markoer]

I can confirm that the behavior is similar in 3.2.0-SNAPSHOT on RPi3. And it happens both if NAT is enabled on wlan0 and if it is not.

Note that the initial forwarding rule from wlan0 to eth0 that is set up in /etc/sysconfig/iptables is not set up in snapshot 0 and is not visible in Firewall->IP Forwarding/Masquerading tab.

I can proceed to adding an additional rule that forwards from eth0 to wlan0 (ppp0 is not available). The change is visible in the new snapshot, in /etc/sysconfig/iptables and in output of iptables -L -n -v. Now for the part where the behaviors differ: I can leave the firewall page and return and the rule will still be visible. When I reload the page the rule changes a bit - source and destination networks are now displayed (0.0.0.0/0). If I restart Kura, the rule disappears from the table, but it's still in the snapshot and file and is applied on the gateway.

Change of eth0 from Using DHCP to Manually will remove the rule from the file and the system.

As far as the custom script is concerned, the observed behavior is this:

• /etc/sysconfig/iptables will be updated with its rule (only one used in the test)
• its rule is not initially displayed in Kura
• its rule is not initially in the snapshot

When Kura is restarted, the custom rule shows up in web UI. When configuration is updated, the rule is added to the new snapshot and applied on the system one more time. It is now also present twice in the file.

[MMaiero]

@ibinshtok Can you take a look at this?