From patchwork Wed May 18 12:26:19 2022
X-Patchwork-Submitter: Florian Eckert
X-Patchwork-Id: 1632801
From: Florian Eckert
To: jo@mein.io
Cc: openwrt-devel@lists.openwrt.org, Eckert.Florian@googlemail.com
Subject: [PATCH firewall4] ruleset: add missing pre_* chains
Date: Wed, 18 May 2022 14:26:19 +0200
Message-ID: <20220518122619.159926-1-fe@dev.tdt.de>
There is the option to add a user chain, but if the rule applies, the fw4 rules are still processed. This is because these chains are top-level chains that only have a different priority. This priority indicates whether they are processed before or after the fw4 chains.

So that rules can also be processed in the context of the fw4 and are not passed on to the next top-level chain in the event of an apply, the rule must be processed in the context of the fw4 tables.

This commit adds a pre chain for input, output and forward. Firewall rules that are not handled by the fw4 can then be hooked into this, which are then processed in the context of the fw4 and are thus allowed through by the fw4 in the event of an accept.

Signed-off-by: Florian Eckert
(cherry picked from commit 596f9f7973560210a8ccf386d7017aaa07ea77d2)
---
 root/usr/share/firewall4/templates/ruleset.uc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 0142d5a..79401d2 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -67,11 +67,16 @@ table inet fw4 { # Filter rules # + chain pre_input { + + } + chain input { type filter hook input priority filter; policy {{ fw4.input_policy(true) }}; iifname "lo" accept comment "!fw4: Accept traffic from loopback" + jump pre_input ct state established,related accept comment "!fw4: Allow inbound established and related flows" {% if (fw4.default_option("drop_invalid")): %} ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state" @@ -90,9 +95,14 @@ table inet fw4 { {% endif %} } + chain pre_forward { + + } + chain forward { type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }}; + jump pre_forward {% if (length(flowtable_devices) > 0): %} meta l4proto { tcp, udp } flow offload @ft; {% endif %} @@ -111,11 +121,16 @@ table inet fw4 { {% endif %} } + chain pre_output { + + } + chain output { type filter hook output priority filter; policy {{ fw4.output_policy(true) }}; oifname "lo" accept comment "!fw4: Accept traffic towards loopback" + jump pre_output ct state established,related accept comment "!fw4: Allow outbound established and related flows" {% if (fw4.default_option("drop_invalid")): %} ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
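Review bot: In the input hunk, `jump pre_input` is placed ahead of `ct state established,related accept` and ahead of the `drop_invalid` check, so every inbound packet (established flows included) traverses the user chain, and an accept in pre_input takes effect before `ct state invalid drop` can see the packet. If running before the conntrack shortcuts is the intended meaning of "pre", say so in the commit message; otherwise move the jump below `ct state invalid drop`. The patch also adds no documentation of how users are expected to get rules into these chains; the commit message only says they "can then be hooked into this", while the diff shows empty stubs, so a sentence on the intended mechanism would help.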
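Review bot: In the forward hunk, `jump pre_forward` sits ahead of `meta l4proto { tcp, udp } flow offload @ft`, so a flow accepted by a user rule in pre_forward yields the forward chain's verdict before the offload rule runs and is never added to the flowtable by that rule; with flow offloading enabled such traffic quietly loses the fast path. Either place the jump after the offload rule or document in the commit message that pre_forward rules bypass offloading for the flows they accept.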
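Review bot: The output hunk mirrors the input placement (`jump pre_output` precedes `ct state established,related accept` and `ct state invalid drop`), so the same ordering question applies there. Style: each of the three new stubs (`pre_input`, `pre_forward`, `pre_output`) is added with an empty line between the braces; a compact `chain pre_output { }` or a `#` comment inside the body stating that the chain is reserved for user rules would be cleaner and would make the stubs' purpose visible to anyone reading the rendered ruleset.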
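To make the distinction drawn in the commit message concrete, the following constructed nftables fragment (added here for illustration, not part of the patch or of the firewall4 project) contrasts a separate base chain on the input hook with a rule placed in the patch's new pre_input chain. It assumes the fragment is loaded into the running ruleset after fw4 has created `table inet fw4`; the table name `user`, the chain name `input_early` and port 8443 are made up.

```nft
# Constructed example (not from the patch): where a user rule lives decides
# whether fw4's own rules still get to see the packet.

# (a) A separate top-level (base) chain on the same hook, ordered before
#     fw4's "input" chain (fw4 uses "priority filter", which is 0).
#     An accept verdict here only ends THIS chain: the packet is still
#     handed to every other base chain registered on the input hook, so
#     "table inet fw4 chain input" evaluates it as well and may drop it.
table inet user {
    chain input_early {
        type filter hook input priority -1; policy accept;
        tcp dport 8443 accept comment "accepted here, still filtered by fw4"
    }
}

# (b) A rule appended to fw4's new pre_input chain. It is reached through
#     "jump pre_input" inside fw4's own input base chain, so an accept is
#     the verdict of that base chain: fw4's later input rules are not
#     evaluated for this packet, which is the behaviour the patch is after.
table inet fw4 {
    chain pre_input {
        tcp dport 8443 accept comment "accepted in fw4's context"
    }
}
```

The patch itself does not show how fw4 is meant to pick up rules for pre_input on reload, so whether variant (b) survives an fw4 restart depends on the mechanism used to supply it.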