*** Background ***
I use a very large custom script to block ipv4 of large companies (Google, Facebook, Oracle, ...) based on ASN information (https://notabug.org/maloe/ASN_IPFire_Script). At the moment, this results in about 1,700 iptables rules.
*** Issue ***
Very large custom scripts cause an error applying iptables rules.
*** Tests ***
Instead of using the custom script in AFWall+, I tested starting the script in a shell after enabling the other rules of AFWall+. It completed without an error.
I tested shorter variants of the custom script in AFWall+. Around (!) the limit of 400 rules, the custom script caused the error only sometimes. Hence, the error could be caused by a timeout. My device is very old (2014) and slow; with newer and faster devices the limit may be higher.
*** Steps to reproduce the problem ***
Write a very large custom script with hundreds or (better) thousands of iptables rules.
Include the script in AFWall+ (e.g. ". /data/local/rules.sh")
Press "ok" -> error applying iptables rules
*** Expected behaviour ***
Applying iptables rules with large custom scripts without an error. At least an option to use very large custom scripts. If the problem is caused by a timeout: option to set a custom timeout.
*** Workaround ***
Start the custom script in AFWall+ in the background with "/data/local/rules.sh &" (no dot "." at the beginning, but an ampersand "&" at the end). Make sure that the custom script waits with its iptables commands until the other rules of AFWall+ are enabled. I do this with the command "sleep 10s" (waits 10 seconds) at the beginning of the custom script.
Perspective:
AFWall+ uses the iptables command, loading the rules sequentially.
It would work a lot faster for large rulesets with the iptables-restore command (proposed & rejected in #749).
It works faster (reason: https://www.frozentux.net/iptables-tutorial/chunkyhtml/c1798.html) and (hence) without an error applying iptables rules when used as a custom script in AFWall+. The file iptables-save.txt contains the iptables rules without the command iptables and one additional line at the beginning (*filter) and one additional line at the end (COMMIT):
I would argue this is a workaround and that Afwall+ should support iptables-save/iptables-restore natively.
Note also that the current iteration of Afwall doesn't provide these binaries! This means you're relying on an external dependency (maybe Magisk?); at least find out what it is so you don't get left without it.
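An added example that is not part of the original issue or either comment: a POSIX sh script illustrating the background-wrapper workaround from the issue body (waiting for AFWall+'s own chain instead of a fixed sleep) and the iptables-restore input format that the "Perspective" comment recommends ("*filter" header, rules without the leading "iptables" word, "COMMIT" at the end). It assumes the rules only touch the filter table, one iptables command per line, and that AFWall+ names its chain "afwall"; the sample rule lines are constructed documentation ranges, not real ASN data.

```shell
#!/bin/sh
# Added example; not code from AFWall+, the issue reporter or the commenters.
# (1) wait_for_chain: wrapper for the issue's workaround, run in the background
#     from AFWall+'s custom-script field and wait for AFWall+'s rules first.
# (2) to_restore_format: convert a script of "iptables ..." lines into
#     iptables-restore input, the faster loading path from the comment.
# Assumptions: filter table only, one iptables command per line, and an
# AFWall+ chain named "afwall" (only used in the usage comments).

# Poll until CHECK_CMD succeeds or TRIES one-second attempts are used up.
# On the device: wait_for_chain "iptables -S afwall" 30
# CHECK_CMD is a parameter so the function can be exercised without root.
wait_for_chain() {
    check_cmd=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        if sh -c "$check_cmd" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Emit iptables-restore input for the filter table from a rules file:
# drop comments and blank lines, strip the leading "iptables" (optionally
# prefixed with a path such as /system/bin/), wrap in "*filter" ... "COMMIT".
to_restore_format() {
    printf '*filter\n'
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | sed -E 's|^[[:space:]]*(/[^[:space:]]*/)?iptables[[:space:]]+||'
    printf 'COMMIT\n'
}

# Number of rule lines in the generated restore input.
count_rules() {
    to_restore_format "$1" | grep -c -v -e '^\*' -e '^COMMIT$'
}

# Constructed sample standing in for /data/local/rules.sh; the networks are
# documentation ranges (RFC 5737), not real ASN data.
RULES_FILE=$(mktemp)
cat >"$RULES_FILE" <<'EOF'
# constructed example rules
iptables -A afwall -d 203.0.113.0/24 -j REJECT
/system/bin/iptables -A afwall -d 198.51.100.0/24 -j REJECT

iptables -A afwall -d 192.0.2.0/24 -j REJECT
EOF

to_restore_format "$RULES_FILE"

# On the device, as root, once AFWall+ has applied its rules, instead of
# running hundreds of iptables processes one after another:
#   wait_for_chain "iptables -S afwall" 30 && \
#       to_restore_format /data/local/rules.sh | iptables-restore -n
# -n (--noflush) keeps the rules AFWall+ already loaded.
```

iptables-restore parses the whole table in one process and commits it atomically at COMMIT, which is why it avoids the per-command overhead of 1,700 separate iptables invocations; the -n flag matters here, because without it the restore would flush the filter table and remove AFWall+'s own rules.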
*** Hardware and software ***
Device: Samsung Galaxy S5 SM-G900F
Android OS: LineageOS v18.1 (Android 11)
AFWall+: v3.6.0 from F-Droid (profile mode: whitelist)
Superuser: Magisk v24.3
Please let me know, if further information is needed.
Thank you, ukanth for great work!