[ISSUE] AFWall+ v3.6.0 Very large Custom Scripts Cause an Error Applying Iptables Rules #1367

Closed
coldspring67 opened this issue Nov 29, 2023 · 3 comments
@coldspring67

*** Background ***
I use a very large custom script to block ipv4 of large companies (Google, Facebook, Oracle, ...) based on ASN information (https://notabug.org/maloe/ASN_IPFire_Script). At the moment, this results in about 1,700 iptables rules.

*** Issue ***
Very large custom scripts cause an error applying iptables rules.

*** Tests ***

  1. Instead of using the custom script in AFWall+, after enabling the other rules of AFWall+ I tested starting the script in a shell. It complemented iptables without an error.
  2. I tested shorter variants of the custom script in AFWall+. Around (!) the limit of 400 rules the custom script caused the error only sometimes. Hence, the error could be caused by a timeout. My device is very old (2014) and slow; with newer and faster devices the limit may be higher.

*** Steps to reproduce the problem ***

  1. Write a very large custom script with hundreds or (better) thousands of iptables rules.
  2. Include the script in AFWall+ (e.g. ". /data/local/rules.sh")
  3. Press "ok" -> error applying iptables rules

*** Expected behaviour ***
Applying iptables rules with large custom scripts without an error. At least an option to use very large custom scripts. If the problem is caused by a timeout: option to set a custom timeout.

*** Workaround ***
Start the custom script in AFWall+ in the background with "/data/local/rules.sh &" (no point "." at the beginning, but an ampersand "&" at the end). Make sure that the custom script waits with iptables commands until the other rules of AFWall+ are enabled. I do this with the command "sleep 10s" (waits 10 seconds) at the beginning of the custom script.

*** Hard- and software ***
Device: Samsung Galaxy S5 SM-G900F
Android OS: LineageOS v18.1 (Android 11)
AFWall+: v3.6.0 from F-Droid (profile mode: whitelist)
Superuser: Magisk v24.3

Please let me know if further information is needed.

Thank you, ukanth, for the great work!

@Fry-kun
Contributor

Fry-kun commented Nov 29, 2023

Perspective:
Afwall uses the iptables command, loading the rules sequentially.
It would work a lot faster for large rulesets with the iptables-restore command (proposed & rejected in #749).

ref: https://www.frozentux.net/iptables-tutorial/chunkyhtml/c1798.html

@coldspring67
Author

coldspring67 commented Nov 30, 2023

Thank you Fry-kun for your comment. It has led me to the following solution:

*** Solution ***
Do not use a custom script with many iptables rules. Instead, use a custom script in AFWall+ with this command:

iptables-restore -c -n < /data/local/iptables-save.txt

It works faster (reason: https://www.frozentux.net/iptables-tutorial/chunkyhtml/c1798.html) and (hence) without an error applying iptables rules when used as custom script in AFWall+. The file iptables-save.txt contains the iptables rules without the command iptables and one additional line at the beginning (*filter) and one additional line at the end (COMMIT):

*filter
-A afwall -d 22.22.22.0/21 -j REJECT
...
<more rules>
...
COMMIT
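One way to produce such a restore file from an existing custom script, as an added example that is not part of this thread or of AFWall+: it strips the leading iptables command from each rule line, wraps the result in "*filter" / "COMMIT", and counts the rules so the file can be sanity-checked before use. The sample script and its CIDRs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not AFWall+ code: convert a custom script made of
# "iptables -A ..." lines into iptables-restore format. Comment and blank
# lines are dropped; an absolute path before "iptables" is tolerated.

to_restore_format() {
    # $1: path of the custom script; the restore file goes to stdout
    printf '*filter\n'
    # keep only append/insert rule lines, then strip the command prefix
    grep -E '^[[:space:]]*(/[^[:space:]]*/)?iptables[[:space:]]+-[AI]' "$1" \
        | sed -E 's#^[[:space:]]*(/[^[:space:]]*/)?iptables[[:space:]]+##'
    printf 'COMMIT\n'
}

count_rules() {
    # $1: restore file; counts rule lines (everything but *table/COMMIT)
    grep -cE '^-[AI] ' "$1"
}

# constructed sample custom script (placeholder CIDRs, chain name "afwall")
SAMPLE_SCRIPT="$(mktemp)"
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/system/bin/sh
# constructed example rules
iptables -A afwall -d 22.22.22.0/21 -j REJECT
iptables -A afwall -d 22.22.64.0/19 -j REJECT

/system/bin/iptables -A afwall -d 22.23.0.0/16 -j REJECT
EOF

RESTORE_FILE="$(mktemp)"
to_restore_format "$SAMPLE_SCRIPT" > "$RESTORE_FILE"
cat "$RESTORE_FILE"
echo "rules: $(count_rules "$RESTORE_FILE")"
```

The generated file keeps only rules for the filter table; with "-n" (noflush) iptables-restore appends them to the chains AFWall+ has already created instead of replacing the existing ruleset.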

@Fry-kun
Contributor

Fry-kun commented Nov 30, 2023

I would argue this is a workaround and that Afwall+ should support iptables-save/iptables-restore natively.
Note also that the current iteration of Afwall doesn't provide these binaries! This means you're relying on an external dependency (maybe Magisk?) - at least find out what it is so you don't get left without it.
