From patchwork Thu Nov 3 21:09:21 2022
X-Patchwork-Submitter: Gordon Maclean
X-Patchwork-Id: 1699194
From: dsmtngoat@gmail.com
To: openwrt-devel@lists.openwrt.org
Cc: Gordon Maclean
Subject: [PATCH] fw4: fix handling of unaccepted forward packets
Date: Thu, 3 Nov 2022 15:09:21 -0600
Message-Id: <20221103210921.580870-1-dsmtngoat@gmail.com>
List-Id: OpenWrt Development List
From: Gordon Maclean

This is a resubmit of [PATCH] fw4: handle bad forward_zone packets with v_from_z, with an updated commit message.

Below, FROM and TO are capitalized for emphasis.

Packets on the input chain that fail acceptance rules are eventually handled by a rule created by "jump {{ zone.input }}_FROM_{{ zone.name }}" in ruleset.uc. For a wan zone, with input policy "drop", this results in a jump to the "drop_FROM_wan" chain where they are optionally logged, and dropped.

However, packets on the forward chain that fail acceptance rules are eventually handled by the rule created by "jump {{ zone.forward }}_TO_{{ zone.name }}" in ruleset.uc. For zone wan, with forward policy "drop", packets would be sent to the "drop_TO_wan" chain. This is a bug, since that chain matches packets sent TO the interface for the zone, not FROM the interface, and so will fail to match all unaccepted forwarded packets received on the zone. As a result these forwarded packets are handled by the global forward policy and not by the forward policy for the zone, and will not be logged.

This patch sets the final disposition for unaccepted forwarded packets to be the same as for unaccepted input packets.

Signed-off-by: Gordon Maclean
---
 root/usr/share/firewall4/templates/ruleset.uc | 2 +-
 root/usr/share/ucode/fw4.uc                   | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index d6eedfd..833c762 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -239,7 +239,7 @@ table inet fw4 { ct status dnat accept comment "!fw4: Accept port forwards" {% endif %} {% fw4.includes('chain-append', `forward_${zone.name}`) %} - jump {{ zone.forward }}_to_{{ zone.name }} + jump {{ zone.forward }}_from_{{ zone.name }} {% if (fw4.forward_policy() != "accept" && (zone.log & 1)): %} log prefix "{{ fw4.forward_policy() }} {{ zone.name }} forward: " {% endif %} diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index 47e86cd..74b7c81 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -2113,6 +2113,7 @@ return { zone.sflags = {}; zone.sflags[zone.input] = true; + zone.sflags[zone.forward] = true; zone.dflags = {}; zone.dflags[zone.output] = true;
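Review bot: the new jump target `{{ zone.forward }}_from_{{ zone.name }}` in the ruleset.uc hunk only exists when the template emits a `<verdict>_from_<zone>` chain for that verdict, and nothing in this file changes which chains are emitted; the hunk therefore depends on the fw4.uc hunk registering `zone.forward` in `zone.sflags`, and the two must not be split or cherry-picked separately, since `nft -f` rejects a jump to an undefined chain. Also, the `<verdict>_from_<zone>` chain is the same one the input path uses (the commit message describes input packets jumping to `drop_FROM_wan`), so an unaccepted forwarded packet is now logged and dropped by exactly the same rules as an unaccepted input packet; anyone filtering logs by prefix can no longer tell forward drops from input drops for the zone, which deserves a sentence in the commit message. The `log prefix "{{ fw4.forward_policy() }} {{ zone.name }} forward: "` rule that follows the jump still reports the global forward policy and only sees packets that return from the zone verdict chain without a verdict, which is consistent with the fall-through to the global policy but is worth stating.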
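Review bot: the new `zone.sflags[zone.forward] = true;` line in the fw4.uc hunk carries no comment explaining why a forward verdict is registered on the source-side (`_from_`) flags, which until now held only the input verdict; a one-line comment saying that `forward_<zone>` now jumps to `<verdict>_from_<zone>` would save the next reader a trip to ruleset.uc. It is also worth confirming that `zone.forward` is always a defined verdict string at this point, as `zone.input` is assumed to be on the preceding line, because an undefined key would register no chain and leave the new jump in ruleset.uc dangling at load time.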
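To verify on a running device that the mis-direction described in the commit message is gone, the following check is added here as an example; it is not part of the patch or of firewall4 itself. It reads an `nft list ruleset` dump on standard input, finds every `forward_<zone>` chain, and reports any verdict jump that targets a destination-side `<verdict>_to_<zone>` chain (the bug) or a chain that is not defined anywhere in the dump (the dangling-jump risk if only the template half of the patch were applied). The three sample dumps are constructed for the test and use the chain names from the commit message; the exact rule text inside the verdict chains is illustrative, not fw4's generated output.

```shell
#!/bin/sh
# Added example, not part of the fw4 patch: audit forward_<zone> chains in an
# `nft list ruleset` dump. Exit 0 when every forward_<zone> jump targets a
# defined source-side (<verdict>_from_<zone>) chain, 1 otherwise, printing one
# line per problem.
check_forward_jumps() {
    awk '
        # Every "chain NAME {" line: remember NAME as defined; track whether we
        # are inside a forward_<zone> chain and which zone it belongs to.
        /^[[:space:]]*chain / {
            name = $2; defined[name] = 1
            if (name ~ /^forward_/) { cur = name; zone = substr(name, 9) } else { cur = "" }
            next
        }
        # Closing brace of the forward chain we are scanning.
        cur != "" && /^[[:space:]]*}/ { cur = ""; next }
        # Record each jump issued from inside a forward_<zone> chain.
        cur != "" && $1 == "jump" { n++; from[n] = cur; to[n] = $2; z[n] = zone }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (to[i] ~ ("_to_" z[i] "$")) {
                    print from[i] ": jumps to destination-side chain " to[i]; bad = 1
                }
                if (!(to[i] in defined)) {
                    print from[i] ": jump target " to[i] " is not defined"; bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample dumps (not real fw4 output). The first reproduces the bug
# from the commit message, the second the fixed ruleset, the third a ruleset
# where the template was patched but no drop_from_wan chain was generated.
SAMPLE_BUGGY='table inet fw4 {
	chain forward_wan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_to_wan
	}

	chain drop_to_wan {
		oifname "eth1" drop comment "constructed sample rule"
	}
}'

SAMPLE_FIXED='table inet fw4 {
	chain forward_wan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_from_wan
	}

	chain drop_from_wan {
		iifname "eth1" drop comment "constructed sample rule"
	}
}'

SAMPLE_DANGLING='table inet fw4 {
	chain forward_wan {
		jump drop_from_wan
	}
}'

# Stand-alone demo over the three constructed samples; on a device you would
# instead run: nft list ruleset | check_forward_jumps
for sample in "$SAMPLE_BUGGY" "$SAMPLE_FIXED" "$SAMPLE_DANGLING"; do
    if printf '%s\n' "$sample" | check_forward_jumps; then
        echo "ok: every forward_<zone> jump targets a defined source-side chain"
    else
        echo "problem(s) listed above"
    fi
done
```

The zone name is taken from the `forward_` prefix of the chain being scanned, so the `_to_<zone>` test is anchored to that zone and does not flag jumps to unrelated chains; the undefined-target check is what would catch a template-only application of this patch before `nft -f` does.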