| Message ID | 20200903230011.38291-1-mail@david-bauer.net |
|---|---|
| State | Accepted |
| Headers | show |
| Series | zones: fix max length of zone names | expand |
Hi, please, see also https://patchwork.ozlabs.org/project/openwrt/patch/20200830211009.3359-1-dobrovolskiy.alexey@gmail.com/ Best regards, Alexey пт, 4 сент. 2020 г. в 02:02, David Bauer <mail@david-bauer.net>: > > Previously the max length of a zone name was assuming the max > length for a extension in netfilter is 32 bytes while in reality it is > only 29. > > Fix this incorrect assumption to allow firewall3 to validate the zone > name lengths correctly. > > Signed-off-by: David Bauer <mail@david-bauer.net> > --- > zones.h | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/zones.h b/zones.h > index d786736..beb0e22 100644 > --- a/zones.h > +++ b/zones.h > @@ -22,8 +22,12 @@ > #include "options.h" > #include "iptables.h" > > -/* 32 - sizeof("postrouting_") - sizeof("_rule") - sizeof("\0") */ > -#define FW3_ZONE_MAXNAMELEN 14 > +/* XT_EXTENSION_MAXNAMELEN (29) > + * - sizeof("postrouting_") > + * - sizeof("_rule") > + * - sizeof("\0") > + */ > +#define FW3_ZONE_MAXNAMELEN 11 > > extern const struct fw3_option fw3_zone_opts[]; > > -- > 2.28.0 > > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Hi Alexey, On 9/4/20 10:32 PM, Alexey Dobrovolskiy wrote: > Hi, > please, see also > https://patchwork.ozlabs.org/project/openwrt/patch/20200830211009.3359-1-dobrovolskiy.alexey@gmail.com/ I was not aware of this patch. Will merge yours in the coming days. Best wishes David > > Best regards, > Alexey > > пт, 4 сент. 2020 г. в 02:02, David Bauer <mail@david-bauer.net>: >> >> Previously the max length of a zone name was assuming the max >> length for a extension in netfilter is 32 bytes while in reality it is >> only 29. >> >> Fix this incorrect assumption to allow firewall3 to validate the zone >> name lengths correctly. >> >> Signed-off-by: David Bauer <mail@david-bauer.net> >> --- >> zones.h | 8 ++++++-- >> 1 file changed, 6 insertions(+), 2 deletions(-) >> >> diff --git a/zones.h b/zones.h >> index d786736..beb0e22 100644 >> --- a/zones.h >> +++ b/zones.h >> @@ -22,8 +22,12 @@ >> #include "options.h" >> #include "iptables.h" >> >> -/* 32 - sizeof("postrouting_") - sizeof("_rule") - sizeof("\0") */ >> -#define FW3_ZONE_MAXNAMELEN 14 >> +/* XT_EXTENSION_MAXNAMELEN (29) >> + * - sizeof("postrouting_") >> + * - sizeof("_rule") >> + * - sizeof("\0") >> + */ >> +#define FW3_ZONE_MAXNAMELEN 11 >> >> extern const struct fw3_option fw3_zone_opts[]; >> >> -- >> 2.28.0 >> >> >> _______________________________________________ >> openwrt-devel mailing list >> openwrt-devel@lists.openwrt.org >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
On 9/5/20 1:11 AM, David Bauer wrote: > Hi Alexey, > > On 9/4/20 10:32 PM, Alexey Dobrovolskiy wrote: >> Hi, >> please, see also >> https://patchwork.ozlabs.org/project/openwrt/patch/20200830211009.3359-1-dobrovolskiy.alexey@gmail.com/ > > I was not aware of this patch. Will merge yours in the coming days. > > Best wishes > David Maybe we could replace "postrouting" and similiar strings with abbreviated versions? Kind regards, Matthias > >> >> Best regards, >> Alexey >> >> пт, 4 сент. 2020 г. в 02:02, David Bauer <mail@david-bauer.net>: >>> >>> Previously the max length of a zone name was assuming the max >>> length for a extension in netfilter is 32 bytes while in reality it is >>> only 29. >>> >>> Fix this incorrect assumption to allow firewall3 to validate the zone >>> name lengths correctly. >>> >>> Signed-off-by: David Bauer <mail@david-bauer.net> >>> --- >>> zones.h | 8 ++++++-- >>> 1 file changed, 6 insertions(+), 2 deletions(-) >>> >>> diff --git a/zones.h b/zones.h >>> index d786736..beb0e22 100644 >>> --- a/zones.h >>> +++ b/zones.h >>> @@ -22,8 +22,12 @@ >>> #include "options.h" >>> #include "iptables.h" >>> >>> -/* 32 - sizeof("postrouting_") - sizeof("_rule") - sizeof("\0") */ >>> -#define FW3_ZONE_MAXNAMELEN 14 >>> +/* XT_EXTENSION_MAXNAMELEN (29) >>> + * - sizeof("postrouting_") >>> + * - sizeof("_rule") >>> + * - sizeof("\0") >>> + */ >>> +#define FW3_ZONE_MAXNAMELEN 11 >>> >>> extern const struct fw3_option fw3_zone_opts[]; >>> >>> -- >>> 2.28.0 >>> >>> >>> _______________________________________________ >>> openwrt-devel mailing list >>> openwrt-devel@lists.openwrt.org >>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel >
Hi Matthias, On 9/5/20 4:08 PM, Matthias Schiffer wrote: > On 9/5/20 1:11 AM, David Bauer wrote: >> Hi Alexey, >> >> On 9/4/20 10:32 PM, Alexey Dobrovolskiy wrote: >>> Hi, >>> please, see also >>> https://patchwork.ozlabs.org/project/openwrt/patch/20200830211009.3359-1-dobrovolskiy.alexey@gmail.com/ >> >> I was not aware of this patch. Will merge yours in the coming days. >> >> Best wishes >> David > > > Maybe we could replace "postrouting" and similiar strings with abbreviated > versions? From my perspective this should be possible. However, postrouting might not be the primary limiting factor then, as there are also chains such as "zone_<zonename>_dest_REJECT" automatically created. Sure enough, these can also be renamed. Best wishes David > > Kind regards, > Matthias > > > >> >>> >>> Best regards, >>> Alexey >>> >>> пт, 4 сент. 2020 г. в 02:02, David Bauer <mail@david-bauer.net>: >>>> >>>> Previously the max length of a zone name was assuming the max >>>> length for a extension in netfilter is 32 bytes while in reality it is >>>> only 29. >>>> >>>> Fix this incorrect assumption to allow firewall3 to validate the zone >>>> name lengths correctly. >>>> >>>> Signed-off-by: David Bauer <mail@david-bauer.net> >>>> --- >>>> zones.h | 8 ++++++-- >>>> 1 file changed, 6 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/zones.h b/zones.h >>>> index d786736..beb0e22 100644 >>>> --- a/zones.h >>>> +++ b/zones.h >>>> @@ -22,8 +22,12 @@ >>>> #include "options.h" >>>> #include "iptables.h" >>>> >>>> -/* 32 - sizeof("postrouting_") - sizeof("_rule") - sizeof("\0") */ >>>> -#define FW3_ZONE_MAXNAMELEN 14 >>>> +/* XT_EXTENSION_MAXNAMELEN (29) >>>> + * - sizeof("postrouting_") >>>> + * - sizeof("_rule") >>>> + * - sizeof("\0") >>>> + */ >>>> +#define FW3_ZONE_MAXNAMELEN 11 >>>> >>>> extern const struct fw3_option fw3_zone_opts[]; >>>> >>>> -- >>>> 2.28.0 >>>> >>>> >>>> _______________________________________________ >>>> openwrt-devel mailing list >>>> openwrt-devel@lists.openwrt.org >>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >> >> _______________________________________________ >> openwrt-devel mailing list >> openwrt-devel@lists.openwrt.org >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >> > >
On 9/5/20 4:32 PM, David Bauer wrote: > Hi Matthias, > > On 9/5/20 4:08 PM, Matthias Schiffer wrote: >> On 9/5/20 1:11 AM, David Bauer wrote: >>> Hi Alexey, >>> >>> On 9/4/20 10:32 PM, Alexey Dobrovolskiy wrote: >>>> Hi, >>>> please, see also >>>> https://patchwork.ozlabs.org/project/openwrt/patch/20200830211009.3359-1-dobrovolskiy.alexey@gmail.com/ >>> >>> I was not aware of this patch. Will merge yours in the coming days. >>> >>> Best wishes >>> David >> >> >> Maybe we could replace "postrouting" and similiar strings with abbreviated >> versions? > > From my perspective this should be possible. However, postrouting might not be > the primary limiting factor then, as there are also chains such as > "zone_<zonename>_dest_REJECT" automatically created. Sure enough, these can > also be renamed. > > Best wishes > David > I wonder which solution will break more configurations... keeping the current names, breaking zones with longer names, or renaming them, breaking custom rulesets that rely on the current naming. >> >> Kind regards, >> Matthias >> >> >> >>> >>>> >>>> Best regards, >>>> Alexey >>>> >>>> пт, 4 сент. 2020 г. в 02:02, David Bauer <mail@david-bauer.net>: >>>>> >>>>> Previously the max length of a zone name was assuming the max >>>>> length for a extension in netfilter is 32 bytes while in reality it is >>>>> only 29. >>>>> >>>>> Fix this incorrect assumption to allow firewall3 to validate the zone >>>>> name lengths correctly. >>>>> >>>>> Signed-off-by: David Bauer <mail@david-bauer.net> >>>>> --- >>>>> zones.h | 8 ++++++-- >>>>> 1 file changed, 6 insertions(+), 2 deletions(-) >>>>> >>>>> diff --git a/zones.h b/zones.h >>>>> index d786736..beb0e22 100644 >>>>> --- a/zones.h >>>>> +++ b/zones.h >>>>> @@ -22,8 +22,12 @@ >>>>> #include "options.h" >>>>> #include "iptables.h" >>>>> >>>>> -/* 32 - sizeof("postrouting_") - sizeof("_rule") - sizeof("\0") */ >>>>> -#define FW3_ZONE_MAXNAMELEN 14 >>>>> +/* XT_EXTENSION_MAXNAMELEN (29) >>>>> + * - sizeof("postrouting_") >>>>> + * - sizeof("_rule") >>>>> + * - sizeof("\0") >>>>> + */ >>>>> +#define FW3_ZONE_MAXNAMELEN 11 >>>>> >>>>> extern const struct fw3_option fw3_zone_opts[]; >>>>> >>>>> -- >>>>> 2.28.0 >>>>> >>>>> >>>>> _______________________________________________ >>>>> openwrt-devel mailing list >>>>> openwrt-devel@lists.openwrt.org >>>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >>> >>> _______________________________________________ >>> openwrt-devel mailing list >>> openwrt-devel@lists.openwrt.org >>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >>> >> >>
Hello Matthias, On 9/5/20 4:45 PM, Matthias Schiffer wrote: > On 9/5/20 4:32 PM, David Bauer wrote: >> Hi Matthias, >> >> On 9/5/20 4:08 PM, Matthias Schiffer wrote: >>> On 9/5/20 1:11 AM, David Bauer wrote: >>>> Hi Alexey, >>>> >>>> On 9/4/20 10:32 PM, Alexey Dobrovolskiy wrote: >>>>> Hi, >>>>> please, see also >>>>> https://patchwork.ozlabs.org/project/openwrt/patch/20200830211009.3359-1-dobrovolskiy.alexey@gmail.com/ >>>> >>>> I was not aware of this patch. Will merge yours in the coming days. >>>> >>>> Best wishes >>>> David >>> >>> >>> Maybe we could replace "postrouting" and similiar strings with abbreviated >>> versions? >> >> From my perspective this should be possible. However, postrouting might not be >> the primary limiting factor then, as there are also chains such as >> "zone_<zonename>_dest_REJECT" automatically created. Sure enough, these can >> also be renamed. >> >> Best wishes >> David >> > > I wonder which solution will break more configurations... keeping the > current names, breaking zones with longer names, or renaming them, breaking > custom rulesets that rely on the current naming. The patch in this thread effectively only fixes the validation. Commiting the iptables rules with long names failed already previously with the safer string operations patch from jow. So this patch does not break these longer names as they are currently already broken, just provides the user with a clearer error message. Best wishes David > > > >>> >>> Kind regards, >>> Matthias >>> >>> >>> >>>> >>>>> >>>>> Best regards, >>>>> Alexey >>>>> >>>>> пт, 4 сент. 2020 г. в 02:02, David Bauer <mail@david-bauer.net>: >>>>>> >>>>>> Previously the max length of a zone name was assuming the max >>>>>> length for a extension in netfilter is 32 bytes while in reality it is >>>>>> only 29. >>>>>> >>>>>> Fix this incorrect assumption to allow firewall3 to validate the zone >>>>>> name lengths correctly. >>>>>> >>>>>> Signed-off-by: David Bauer <mail@david-bauer.net> >>>>>> --- >>>>>> zones.h | 8 ++++++-- >>>>>> 1 file changed, 6 insertions(+), 2 deletions(-) >>>>>> >>>>>> diff --git a/zones.h b/zones.h >>>>>> index d786736..beb0e22 100644 >>>>>> --- a/zones.h >>>>>> +++ b/zones.h >>>>>> @@ -22,8 +22,12 @@ >>>>>> #include "options.h" >>>>>> #include "iptables.h" >>>>>> >>>>>> -/* 32 - sizeof("postrouting_") - sizeof("_rule") - sizeof("\0") */ >>>>>> -#define FW3_ZONE_MAXNAMELEN 14 >>>>>> +/* XT_EXTENSION_MAXNAMELEN (29) >>>>>> + * - sizeof("postrouting_") >>>>>> + * - sizeof("_rule") >>>>>> + * - sizeof("\0") >>>>>> + */ >>>>>> +#define FW3_ZONE_MAXNAMELEN 11 >>>>>> >>>>>> extern const struct fw3_option fw3_zone_opts[]; >>>>>> >>>>>> -- >>>>>> 2.28.0 >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> openwrt-devel mailing list >>>>>> openwrt-devel@lists.openwrt.org >>>>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >>>> >>>> _______________________________________________ >>>> openwrt-devel mailing list >>>> openwrt-devel@lists.openwrt.org >>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >>>> >>> >>> > >
diff --git a/zones.h b/zones.h index d786736..beb0e22 100644 --- a/zones.h +++ b/zones.h @@ -22,8 +22,12 @@ #include "options.h" #include "iptables.h" -/* 32 - sizeof("postrouting_") - sizeof("_rule") - sizeof("\0") */ -#define FW3_ZONE_MAXNAMELEN 14 +/* XT_EXTENSION_MAXNAMELEN (29) + * - sizeof("postrouting_") + * - sizeof("_rule") + * - sizeof("\0") + */ +#define FW3_ZONE_MAXNAMELEN 11 extern const struct fw3_option fw3_zone_opts[];
Previously the max length of a zone name was assuming the max length for a extension in netfilter is 32 bytes while in reality it is only 29. Fix this incorrect assumption to allow firewall3 to validate the zone name lengths correctly. Signed-off-by: David Bauer <mail@david-bauer.net> --- zones.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)