Fw4 not working with VLAN (802.1q) after installing dockerd

[dc-me]

Describe the bug

I'v created a few vlans with DSA, firewall is working fine as expected, after installed dockerd, it's not working, with the vlan the package actually come from the actual device, not the vlan bridge, thus the firewall is not working, with the defualt global forward not set to accept, the lan client can't ping to each other eventhough the lan zone has set forward to accept. the cause is that it's not treat the package from the vlan rather from an actual device.

OpenWrt version

r23497-6637af95aa

OpenWrt release

23.05.0

OpenWrt target/subtarget

mediatek/mt7622

Device

Linksys E8450 (UBI)

Image kind

Official downloaded image

Steps to reproduce

With everthing default, create few vlans, set all vlans forward to accept, but global as default reject, vlans internal client can ping right now, install dockerd, then test it again, firewall no working as expect for the vlans.

Actual behaviour

vlans firewall work as before not installing dockerd

Expected behaviour

vlans firewall are as before without dockerd.

Additional info

firewall not treat vlans as vlans, the package actually come from a device. makes it not working without allow global forward, not even with layer 2 communications.

Diffconfig

No response

Terms

• I am reporting an issue for OpenWrt, not an unsupported fork.

[brada4]

Attach:
nft list ruleset
fw4 print
/etc/config/firewall
/etc/config/network
iptables-nft-save
iptables-legacy-save (ideally empty or better not installed)

You should clear out mid parts of MAC addresses and public IPs.

[brada4]

The zone forward is something else, bridge forward filtering is possible but out of context of fw4.

[dc-me]

I don't have any special firewall setup, just the default, and the added some vlans, all the client in the vlan can ping each other, after installing docker, it's not working, I think it has something with iptables as docker depends on this.

[brada4]

Can you help with info:

• the "some vlans" as list (i can dig that from config files too)
• the ruleset and the stuff added by iptables-nft from 1st commands
• assurance iptables-legacy is NOT mixed in.

[dc-me]

I don't have other rules that's reject or drop, all are accept, everything is default, The client within vlan can't ping to each other, without installing docker, everything is ok. if I set global forward to accept it back to normal, but every vlan can ping each other, I used nft monitor to keep track of trafic, the iiface is like wl1-ap3 is not the br-lan.12 which cause the firewall zone rule not take effect.

[dc-me]

It's very easy to replicate the issue, with everything deafult, create some vlans test vlan clients ping, it's ok, now install dockerd, it broke, it's not working, what's working is that if the interface is still bridge, then it's fine, firewall will hornor the config, but if it's vlan with DSA, it borke you can't ping with the lan. it's basically the zone firewall not taking effect, because aforementioned input interface is not comming from the br-lan.12, it's actually comming from the wifi device like wl1-ap3.

[brada4]

You should not use vlan1 with DSA.
nor legacy iptables. At present default-forward-drop just drops any nat or masq packet mangled by other tables.
nor ever add wifi interface to a bridge port. hostapd does it by itself.
Once all misconfigurations above are addressed feel free to install docker again.
It is imperative to attach text files, compressing if bigger than a screen.

[dc-me]

legacy iptables is a dockerd dependency, I don't think is a misconfiguration, as if I don't install dockerd everything is ok.

[brada4]

You should pre-install iptables-nft and ip6tables-nft o avoid -zz-legacy packages. It was reported at least once in ../packages.
https://github.com/openwrt/packages/blob/d8bd171f838a4b1d2a3861ec6138ec1b9e2b3fca/utils/dockerd/Makefile#L39

Please re-configure network by:
a. adding network to wifi ap definitions and removing wifi ap-s from bridge membership.
b. eliminating vlan ID 1
c. pre-installing ip?tables-nft

backup config for yourself ;-)

Now install docker and if it is broken extract 6 files. fw4 and config/network will contain IPs, just type anything over those.

In principle this should have been reported in packages tracker, but you got wild misconfigurations, to the point it is fairly expected packets are lost in unpredictable places.

[dc-me]

After did everything you said, it's still the same, after installing docker the local lan client can't ping each other, I've attached a custom uci-default that can replicate the issues, the vlan 1 I haven't changed it, but I've tested it, still not working, By the way I did should let the hostapd join the bridge, but after fix still not working, Also why vlan1 can't be used, I changed it still does nothing.
99-custom.txt

[dc-me]

Note: the image ip 192.168.12.1 is another network, the gateway is 192.168.1.1 but is the same as the zone input is set to accept.
This is the wireshark data packet from the wifi device wl1-ap1 which belongs to 192.168.1.0/24 subnet, the local network should work at the layer 2 right? what can't they ping each other ? they can ping the gateway, but if I set the global forward to accept is working, eventhough the lan zone has forword to accept, but it shouldn't go forward, it's the local network. and should act like a switch right?