[ISSUE] custom script "syntax" redefined, but not reflected in the docs
Describe the bug
Commit ec7d350e9872aecb13bd94e4d0cb30d73e80ca9e adds a check for "potentially dangerous custom rule", including `$` -- but the docs tell the user to use `$IPTABLES` -- so many users' existing rules will fail with the latest version (which is already in the Play Store).
This also seems to completely remove the "load scripts from files" functionality.
Users should get a warning somewhere (at least in the changelog), and the docs should be updated.
Thanks @Fry-kun. I will fix it in the next release.
What is the correct syntax now? Apps I have blocked from INET are no longer exempted for local subnets by using:

```
# Necessary at the beginning of each script!
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables

# Allow Local Subnets
$IPTABLES -A "afwall" --destination "192.168.0/24" -j RETURN
```
Pixel 7 Pro - Android 16, AFWall 4.0. Thank you.
@AlmightyJojo do not use `$IPTABLES` (or anything with `$`); use `/system/bin/iptables` or go back to the older version. In your case: `/system/bin/iptables -A "afwall" --destination "192.168.0/24" -j RETURN`
Unfortunately local network traffic is still being denied for apps.
I've tried all 3:
- `/system/bin/iptables -A "afwall" --destination "192.168.0.0/24" -j RETURN`
- `/system/bin/iptables -A afwall -d 192.168.0.0/24 -j RETURN`
- `/system/bin/iptables -A "afwall" --destination "192.168.0.0/24" -j ACCEPT`
Using MIX Explorer, which is denied INET in AFWall, I go to a MIX SMB local share bookmark and it's denied. The AFWall notification log shows: deny MIX Explorer 192.168.0.10:445 (SMBv3)
If I remove the MIX Explorer block from AFWall then the SMB share connects.
I tried downgrading but then had some issues with the phone losing INET entirely even though only user apps were denied. So I purged the latest v3.x and re-installed v4.0. I'll give the downgrade another attempt.
Also FYI - the rule import function doesn't appear to be cooperating on my Pixel 7 either. I browse to /storage/emulated/0/MY-SDCARD/afwall and the .json file doesn't appear.
@AlmightyJojo Please do not "abuse" a bug report with a question about something not blocking/allowing ;)
Anyway, I'll try to help and answer, and hope it's not totally wrong :)
The way I told you to set a rule is working; you can always check by setting the rule and using `iptables -nvL` to look whether it was set.
To your problem: `-A, --append chain rule-specification` appends one or more rules to the end of the selected chain. -> iptables works from "top to bottom": if your 1st rule rejects, no matter what follows, it will always be rejected. I guess you need to use: `iptables -I chain [rule-number] firewall-rule` (you can see the rule numbers with, for example: `iptables -t filter -L INPUT --line-numbers -n -v`). The best thing is to read a bit about how iptables works and what commands (parameters, options) can be used.
Did you allow loopback? (might be needed by some apps) AFWall has an option to allow LAN inbound in the settings (not sure if it also works for SMB). Downgrading and losing INET means AFWall is working properly, just the firewall is set too tight ;)
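The comment above explains why appending (`-A`) an allow rule to a chain that already rejects the app's traffic has no effect, while inserting (`-I`) it in front does. The following Python model is an added example, not part of the AFWall project or of this thread; it simulates iptables' first-match evaluation of a single user chain and the `-A`/`-I`/`--line-numbers` semantics described above. The chain layout, the uid `10123`, and the destination addresses are constructed for illustration and are not AFWall's real chain structure.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One rule in a chain: a target plus optional match criteria."""
    target: str                    # e.g. "REJECT", "RETURN", "ACCEPT"
    dst: Optional[str] = None      # destination CIDR match, None = any (0.0.0.0/0)
    uid: Optional[int] = None      # owner uid match (like -m owner --uid-owner), None = any

    def matches(self, pkt_dst: str, pkt_uid: int) -> bool:
        if self.dst is not None and ip_address(pkt_dst) not in ip_network(self.dst):
            return False
        if self.uid is not None and self.uid != pkt_uid:
            return False
        return True

@dataclass
class Chain:
    """A user-defined chain evaluated top to bottom, first match wins."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A <chain> ...: add at the END of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, number: int = 1) -> None:
        """iptables -I <chain> [rulenum] ...: add at position rulenum (default 1 = top)."""
        self.rules.insert(number - 1, rule)

    def list_rules(self) -> List[Tuple[int, str, str, Optional[int]]]:
        """Equivalent of `iptables -L <chain> --line-numbers -n`: (num, target, dst, uid)."""
        return [(i + 1, r.target, r.dst or "0.0.0.0/0", r.uid)
                for i, r in enumerate(self.rules)]

    def verdict(self, pkt_dst: str, pkt_uid: int) -> str:
        """Walk the chain; the first matching rule decides. Falling off the end
        of a user chain behaves like RETURN to the calling chain."""
        for rule in self.rules:
            if rule.matches(pkt_dst, pkt_uid):
                return rule.target
        return "RETURN"

APP_UID = 10123  # constructed: the uid of an app AFWall is told to block

def build_chain(use_insert: bool) -> Chain:
    """Model: the firewall already rejects APP_UID, then the user adds a LAN
    exemption either with -A (appended) or -I (inserted at the top)."""
    chain = Chain("afwall")
    chain.append(Rule("REJECT", uid=APP_UID))          # existing per-app block
    lan_exemption = Rule("RETURN", dst="192.168.0.0/24")
    if use_insert:
        chain.insert(lan_exemption)                    # -I afwall ... (rule 1)
    else:
        chain.append(lan_exemption)                    # -A afwall ... (last rule)
    return chain

if __name__ == "__main__":
    for mode in (False, True):
        chain = build_chain(mode)
        flag = "-I" if mode else "-A"
        print(f"{flag}: rules = {chain.list_rules()}")
        print(f"{flag}: SMB to 192.168.0.10 from uid {APP_UID} -> "
              f"{chain.verdict('192.168.0.10', APP_UID)}")
        print(f"{flag}: Internet 8.8.8.8 from uid {APP_UID} -> "
              f"{chain.verdict('8.8.8.8', APP_UID)}")
```

With `-A` the LAN rule sits below the REJECT and is never reached for the blocked uid; with `-I` it is rule 1, so LAN traffic returns before the REJECT while Internet traffic is still rejected. Whether a real AFWall script's RETURN lands in a chain that later accepts the packet depends on the chains AFWall itself generates, which this model does not reproduce.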
What? Abuse? How? Just an example to HELP YOU understand how I was testing the custom script. My example doesn't matter. Any app I have checked in "blocked selected mode" isn't allowed local VLAN subnets. What I had with v3.x in my first post worked for years. I'll try the downgrade again.
Edit: V4.0 - under the app log: `rejecting non-iptables rule: /system/bin/iptables -A "afwall" --destination "192.168.0.0/24" -j RETURN`
Edit2: V3.6.1 now works again with the same command: `/system/bin/iptables -A "afwall" --destination "192.168.0.0/24" -j RETURN` (just not using the variable anymore on 3.6.1 - but my point is something is off with v4 beyond just the special character `$`)
@AlmightyJojo "abuse" was the wrong word (non-native English), sorry. That's why it was in "" and with a smiley...
The bug is known and I thought it better for the dev to not talk about other things. 4.0 is more broken; my opinion is that it's better to use the older version. Anyway, just trying to help. Good luck with your problem.
All good. Hey, I only speak English - so you're doing better than me. :) Thanks for your attention and help.