From patchwork Thu Sep 7 07:04:06 2023
X-Patchwork-Submitter: Florian Eckert
X-Patchwork-Id: 1830717
X-Patchwork-Delegate: jow@openwrt.org
From: Florian Eckert
To: jo@mein.io
Cc: openwrt-devel@lists.openwrt.org, Eckert.Florian@googlemail.com
Subject: [PATCH] firewall4: ruleset: also evaluate the custom includes for the loopback interface
Date: Thu, 7 Sep 2023 09:04:06 +0200
Message-ID: <20230907070406.8665-1-fe@dev.tdt.de>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0

Before this change, the user defined include rules in the output and input chain were not evaluated for the loopback interface. Traffic related to the loopback interface was always accepted.

To ensure that the custom rules also apply to the loopback interface, this commit moves the custom rule for the input and output chain before the accept rule of the loopback interface. User defined rules for the input and output chain are now always evaluated for the entire traffic.

Signed-off-by: Florian Eckert
---
 root/usr/share/firewall4/templates/ruleset.uc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 7bd9309..639795e 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -97,9 +97,9 @@ table inet fw4 { chain input { type filter hook input priority filter; policy {{ fw4.input_policy(true) }}; +{% fw4.includes('chain-prepend', 'input') %} iifname "lo" accept comment "!fw4: Accept traffic from loopback" -{% fw4.includes('chain-prepend', 'input') %} ct state established,related accept comment "!fw4: Allow inbound established and related flows" {% if (fw4.default_option("drop_invalid")): %} ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state" @@ -145,9 +145,9 @@ table inet fw4 { chain output { type filter hook output priority filter; policy {{ fw4.output_policy(true) }}; +{% fw4.includes('chain-prepend', 'output') %} oifname "lo" accept comment "!fw4: Accept traffic towards loopback" -{% fw4.includes('chain-prepend', 'output') %} ct state established,related accept comment "!fw4: Allow outbound established and related flows" {% if (fw4.default_option("drop_invalid")): %} ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
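Review bot: in the input hunk (@@ -97,9 +97,9 @@), the commit message's claim that user defined rules are "now always evaluated for the entire traffic" is broader than what the hunk does: only the `{% fw4.includes('chain-prepend', 'input') %}` hook is moved ahead of `iifname "lo" accept`; everything that follows that accept, including `ct state established,related accept` and the drop-invalid rule, still never sees loopback traffic. Suggest narrowing the message to the chain-prepend includes. The move is also a behaviour change for existing deployments: a prepend include that ends with a drop or reject verdict for unmatched traffic will now drop packets arriving on lo for local daemons that were previously accepted unconditionally, so the commit message should tell include authors to add an explicit `iifname "lo" accept` where loopback is meant to stay exempt.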
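Review bot: in the output hunk (@@ -145,9 +145,9 @@), the same ordering concern applies on the egress side: once `{% fw4.includes('chain-prepend', 'output') %}` precedes `oifname "lo" accept`, a custom prepend include that rejects outbound traffic by default will also reject locally originated traffic to services bound on 127.0.0.1 or ::1, which is a silent self-lockout risk on upgrade rather than a pure bug fix. Suggest describing both hunks together in the commit message as a deliberate policy change and, since the `!fw4:` comment on the loopback rule is the only in-ruleset documentation of this ordering, extending that comment (for example "Accept traffic towards loopback (after chain-prepend includes)") so that someone reading `nft list ruleset` can see that the include now runs first.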