"Error applying iptables rules" on AFWall+ 1.2.6 (and higher) with IPv6 enabled #227

Closed
oper8 opened this issue Dec 2, 2013 · 9 comments

@oper8

oper8 commented Dec 2, 2013

Since AFWall v1.2.6, I get "Error applying iptables rules" when I enable IPv6 support. The following failure is shown in the logs:

======
Logcat
======

17:11:11 binary installation for armeabi-v7a succeeded
17:11:11 Starting root shell...
17:11:18 Root shell is open
17:11:55 logging using LOG target
17:11:55 command 'ip6tables -A afwall-reject -m limit --limit 1000/min -j LOG --log-prefix "{AFL}" --log-level 4 --log-uid' exited with status 1
Output:
ip6tables: No chain/target/match by that name.

17:34:15 command '/data/data/dev.ukanth.ufirewall/app_bin/ip6tables -A afwall-reject -m limit --limit 1000/min -j LOG --log-prefix "{AFL}" --log-level 4 --log-uid' exited with status 1
Output:
ip6tables: No chain/target/match by that name.

NOTE: When the error occurs, the AFWall+ icon indicates that the firewall is disabled, although the IPv4 rules did apply successfully.
I have tried 1.2.6, 1.2.6.1, 1.2.7, and all exhibit the same error above; version 1.2.5 does not present any errors.

Phone: Droid Razr Maxx XT912
ROM: CM10.1.3

@ukanth
Owner

ukanth commented Dec 2, 2013

Looks like LOG chain is not supported, have you restored using TiB or something? I guess it should be NFLOG. Just disable the log and try again?

@oper8
Author

oper8 commented Dec 2, 2013

No, I didn't use TiB. I installed 1.2.5, 1.2.6, and 1.2.6.1 using F-Droid, and 1.2.7 from the post on XDA (not sure why this version isn't on F-Droid yet).

Disabling logging does allow the rules to apply successfully. If I go into the preferences and enable logging afterwards, I get "Error toggling log status", along with the same error above in logcat.

It was working in 1.2.5. Any idea what caused this? Any workaround?

Note: I don't use GAPPS, and don't have it installed.

@ukanth
Owner

ukanth commented Dec 2, 2013

Can you paste the results from this command from your mobile?

cat /proc/net/ip_tables_targets

@oper8
Author

oper8 commented Dec 2, 2013

root@android:/proc/net # cat ip_tables_targets
TRACE
NFQUEUE
NFQUEUE
NFQUEUE
NFLOG
CLASSIFY
CONNMARK
MARK
REJECT
REDIRECT
NETMAP
MASQUERADE
LOG
DNAT
SNAT
ERROR
TCPMSS
TPROXY
TPROXY
root@android:/proc/net # cat ip6_tables_targets
TRACE
NFQUEUE
NFQUEUE
NFQUEUE
NFLOG
CLASSIFY
CONNMARK
MARK
REJECT
ERROR
TCPMSS
TPROXY
root@android:/proc/net #

System iptables and ip6tables version: v1.4.11.1
Kernel version: 3.0.8-g67d26a8 SMP armv71

@cernekee
Contributor

cernekee commented Dec 2, 2013

So, for IPv4 the kernel supports LOG + NFLOG, but for IPv6 the kernel only supports NFLOG. This looks like a possible oversight.

It would be relatively straightforward to check ip6_tables_targets and try to pick the log mode based on what is supported by both protocols. And deny logging entirely if e.g. IPv4 only supports LOG, and IPv6 only supports NFLOG.

But since this is a custom ROM, the best solution might be to send a patch via CM gerrit to harmonize the IPv4 and IPv6 netfilter options.

What do you think?
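
The check proposed in the comment above, sketched as an added example (not AFWall+ code and not written by anyone in this thread): pick one log target that both `ip_tables_targets` and `ip6_tables_targets` list, and refuse logging when they share none. The function names, the `LOG_TARGET_PREFERENCE` variable and its default order are assumptions; the sample target lists are constructed from the output posted earlier.

```shell
#!/bin/sh
# Added example, not AFWall+ code. Function names and the preference order
# are assumptions; the /proc file format is the one quoted in the thread.

# Preference order when several targets are usable (assumption).
LOG_TARGET_PREFERENCE=${LOG_TARGET_PREFERENCE:-"LOG NFLOG"}

# has_target FILE NAME: succeed only if NAME is a whole line of FILE.
# -x matters: a plain "grep LOG" also matches the NFLOG line.
has_target() {
    [ -r "$1" ] && grep -qxF -- "$2" "$1"
}

# pick_log_target V4_FILE V6_FILE
# Prints the first preferred target present in both files, or "none"
# (exit status 1) when the two protocols share no log target.
# Pass an empty V6_FILE when IPv6 rules are not being applied.
pick_log_target() {
    plt_v4=$1
    plt_v6=$2
    for plt_t in $LOG_TARGET_PREFERENCE; do
        has_target "$plt_v4" "$plt_t" || continue
        if [ -z "$plt_v6" ] || has_target "$plt_v6" "$plt_t"; then
            printf '%s\n' "$plt_t"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Constructed sample input: shortened copies of the two target lists
# posted in the thread (IPv4 has LOG and NFLOG, IPv6 only NFLOG).
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' TRACE NFLOG REJECT LOG ERROR > "$demo_dir/ip_tables_targets"
    printf '%s\n' TRACE NFLOG REJECT ERROR > "$demo_dir/ip6_tables_targets"
    demo_rc=0
    pick_log_target "$demo_dir/ip_tables_targets" \
                    "$demo_dir/ip6_tables_targets" || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo
```

On a device the two arguments would be `/proc/net/ip_tables_targets` and `/proc/net/ip6_tables_targets`; an unreadable file counts as "target not supported", so logging is refused rather than attempted.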

@ukanth
Owner

ukanth commented Dec 2, 2013

Agree.

@oper8
Author

oper8 commented Dec 2, 2013

It might take a while to get a stable CM release for my device which includes the suggested CM patch. CM is no longer doing 10.1 nightlies for my device, and the 10.2 nightlies/snapshot has issues with 3g data, along with a host of other issues which haven't been fixed yet.

I agree that fixing the issue in CM would be the best, but in the meanwhile, making some adjustments to AFWall may prove to be more expedient. This would increase AFWall's compatibility with other devices and ROMs which may have the same issue, especially other ROMs which are based on CM, but may not be as well maintained.

@cb474

cb474 commented Dec 23, 2013

I'm also getting this error with 1.2.7. Log only shows this:

12-23 15:02:56.284 D/AFWall (15738): Starting root shell...
12-23 15:02:56.435 D/AFWall (15738): Root shell is open

I'm running PA 3.99—RC2.

@dicer

dicer commented May 28, 2016

Still get this on CM 13.1 with maserati:
root@maserati:/proc/net # cat ip_tables_targets | grep LOG
NFLOG
LOG
root@maserati:/proc/net # cat ip6_tables_targets | grep LOG
NFLOG
root@maserati:/proc/net # uname -a
Linux localhost 3.0.8-gfd81692 #1 SMP PREEMPT Sat May 28 15:43:17 2016 armv7l
