From patchwork Mon Mar 22 01:06:18 2021
X-Patchwork-Submitter: Tony Ambardar
X-Patchwork-Id: 1456343
Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lO92K-00Advv-De; Mon, 22 Mar 2021 01:07:16 +0000 To: openwrt-devel@lists.openwrt.org Subject: [PATCH firewall3 v1 1/2] zone: avoid duplicates in devices list Date: Sun, 21 Mar 2021 18:06:18 -0700 In-Reply-To: <20210322010619.3210480-1-itugrok@yahoo.com> References: <20210322010619.3210480-1-itugrok@yahoo.com> MIME-Version: 1.0 Message-ID: List-Id: OpenWrt Development List List-Post: X-Patchwork-Original-From: Tony Ambardar via openwrt-devel From: Tony Ambardar Precedence: list X-Mailman-Version: 2.1.34 X-BeenThere: openwrt-devel@lists.openwrt.org List-Subscribe: , List-Unsubscribe: , List-Archive: Reply-To: Tony Ambardar List-Help: Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. While resolving zones to devices it's possible to introduce duplicates due to the presence of aliased interfaces. Fix this by consolidating the fw3_zone->devices list during creation. Signed-off-by: Tony Ambardar --- zones.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/zones.c b/zones.c index d45077a..51a8fdf 100644 --- a/zones.c +++ b/zones.c @@ -137,7 +137,7 @@ check_masq_addrs(struct list_head *head) static void resolve_networks(struct uci_element *e, struct fw3_zone *zone) { - struct fw3_device *net, *tmp; + struct fw3_device *net, *dev, *tmp; list_for_each_entry(net, &zone->networks, list) { 
@@ -149,8 +149,15 @@ resolve_networks(struct uci_element *e, struct fw3_zone *zone) continue; } + list_for_each_entry(dev, &zone->devices, list) + if (!strcmp(dev->name, tmp->name)) + goto alias; + snprintf(tmp->network, sizeof(tmp->network), "%s", net->name); list_add_tail(&tmp->list, &zone->devices); + continue; +alias: + free(tmp); } } From patchwork Mon Mar 22 01:06:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tony Ambardar X-Patchwork-Id: 1456345 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1:d65d:64ff:fe57:4e05; helo=desiato.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=desiato.20200630 header.b=ER0qUahE; dkim-atps=neutral Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4F3byz2Vp8z9sW4 for ; Mon, 22 Mar 2021 12:10:35 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Type:List-Help: Reply-To:List-Archive:List-Unsubscribe:List-Subscribe:From:List-Post:List-Id: Message-ID:MIME-Version:References:In-Reply-To:Date:Subject:To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=uOt3cuAdi0ig8TGoKJT1xQZOwwMr85/3wh6PARHlvCU=; 
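Review bot: the duplicate check in resolve_networks keeps the first entry for a device and silently drops `tmp->network` for every later alias, so a device reached through two networks is recorded under the first network's name only; if that is the intended semantics, say so in a comment above the `list_for_each_entry(dev, &zone->devices, list)` scan, because the name-only `strcmp(dev->name, tmp->name)` match would also merge entries that differ in other fw3_device fields. The `goto alias` / `continue` pair could be replaced by a small `bool` flag or a `device_in_list()` helper so the loop body stays linear, and the scan is O(n²) over the zone's devices, which is fine for zone-sized lists but worth a note.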
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH firewall3 v1 2/2] rules: fix device and chain usage for DSCP/MARK targets
Date: Sun, 21 Mar 2021 18:06:19 -0700
In-Reply-To: <20210322010619.3210480-1-itugrok@yahoo.com>
References: <20210322010619.3210480-1-itugrok@yahoo.com>
X-Patchwork-Original-From: Tony Ambardar via openwrt-devel
From: Tony Ambardar Precedence: list X-Mailman-Version: 2.1.34 X-BeenThere: openwrt-devel@lists.openwrt.org List-Subscribe: , List-Unsubscribe: , List-Archive: Reply-To: Tony Ambardar List-Help: Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain, and accepts but ignores a src device. This behaviour is impractical for most common applications (e.g. QOS setup), since rules are applied to all devices and in all directions. Fix this generally by honouring src/dest device selection and placing the rules into the appropriate chain of the mangle table. This code is based on a proof of concept shared by Jo-Philipp Wich . Fixes: 12a7cf9db1f9 ("Add support for DSCP matches and target") Signed-off-by: Tony Ambardar --- rules.c | 68 ++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 25 deletions(-) diff --git a/rules.c b/rules.c index 181c6b1..d506a96 100644 --- a/rules.c +++ b/rules.c @@ -170,13 +170,6 @@ check_rule(struct fw3_state *state, struct fw3_rule *r, struct uci_element *e) return false; } - if (r->_dest && (r->target == FW3_FLAG_MARK || r->target == FW3_FLAG_DSCP)) - { - warn_section("rule", r, e, "must not specify 'dest' for %s target", - fw3_flag_names[r->target]); - return false; - } - if (r->set_mark.invert || r->set_xmark.invert || r->set_dscp.invert) { warn_section("rule", r, e, "must not have inverted 'set_mark', " 
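Review bot: dropping the `must not specify 'dest' for %s target` rejection in check_rule widens the accepted configuration surface for MARK/DSCP rules, but neither this hunk nor the commit message tells users what `dest` now means for these targets; the commit message should spell out the src/dest to chain mapping and the firewall documentation needs the same update, otherwise configurations that were previously rejected will start emitting rules in a different chain without any warning.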
@@ -309,10 +302,19 @@ append_chain(struct fw3_ipt_rule *r, struct fw3_rule *rule) { snprintf(chain, sizeof(chain), "zone_%s_helper", rule->src.name); } - else if ((rule->target == FW3_FLAG_MARK || rule->target == FW3_FLAG_DSCP) && - (rule->_src || rule->src.any)) + else if (rule->target == FW3_FLAG_MARK || rule->target == FW3_FLAG_DSCP) { - snprintf(chain, sizeof(chain), "PREROUTING"); + if ((rule->_dest && rule->_src) || + (rule->dest.any && rule->src.any)) + snprintf(chain, sizeof(chain), "FORWARD"); + else if (rule->src.any && rule->_dest) + snprintf(chain, sizeof(chain), "POSTROUTING"); + else if (rule->dest.any && rule->_src) + snprintf(chain, sizeof(chain), "PREROUTING"); + else if (!rule->dest.set && rule->src.set) + snprintf(chain, sizeof(chain), "INPUT"); + else /* if (!rule->src.set) */ + snprintf(chain, sizeof(chain), "OUTPUT"); } else { @@ -420,6 +422,10 @@ print_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, struct fw3_mac *mac, struct fw3_icmptype *icmptype) { struct fw3_ipt_rule *r; + struct fw3_device *idev, *odev; + struct list_head empty, *idevices, *odevices; + INIT_LIST_HEAD(&empty); + idevices = odevices = ∅ if (!fw3_is_family(sip, handle->family) || !fw3_is_family(dip, handle->family)) 
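Review bot: the new MARK/DSCP branch in append_chain no longer requires `rule->_src || rule->src.any`, so a rule with neither src nor dest set now falls through the `else /* if (!rule->src.set) */` arm into OUTPUT instead of the generic chain it reached before; confirm this is intended, or guard the branch with `rule->src.set || rule->dest.set`. The five-way if/else chain also deserves a short comment listing the mapping it implements (src+dest -> FORWARD, any+dest -> POSTROUTING, src+any -> PREROUTING, src only -> INPUT, otherwise OUTPUT) so the next reader does not have to re-derive it from which interface matches each mangle chain allows.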
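Review bot: pointing both `idevices` and `odevices` at the local `empty` list head only works because the nested `fw3_foreach` later in print_rule runs its body once with a NULL entry for an empty list; the whole loop relies on that property and it is not obvious from the declarations, so add a comment above `INIT_LIST_HEAD(&empty);` saying so. The two pointers could also be initialised in their declaration, `struct list_head empty, *idevices = &empty, *odevices = &empty;`, which removes the separate assignment statement.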
@@ -471,21 +477,33 @@ print_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, return; } - r = fw3_ipt_rule_create(handle, proto, NULL, NULL, sip, dip); - fw3_ipt_rule_sport_dport(r, sport, dport); - fw3_ipt_rule_device(r, rule->device, rule->direction_out); - fw3_ipt_rule_icmptype(r, icmptype); - fw3_ipt_rule_mac(r, mac); - fw3_ipt_rule_ipset(r, &rule->ipset); - fw3_ipt_rule_helper(r, &rule->helper); - fw3_ipt_rule_limit(r, &rule->limit); - fw3_ipt_rule_time(r, &rule->time); - fw3_ipt_rule_mark(r, &rule->mark); - fw3_ipt_rule_dscp(r, &rule->dscp); - set_target(r, rule); - fw3_ipt_rule_extra(r, rule->extra); - set_comment(r, rule->name, num); - append_chain(r, rule); + if (rule->target == FW3_FLAG_DSCP || rule->target == FW3_FLAG_MARK) + { + if (rule->_src) + idevices = &rule->_src->devices; + if (rule->_dest) + odevices = &rule->_dest->devices; + } + + fw3_foreach(idev, idevices) + fw3_foreach(odev, odevices) + { + r = fw3_ipt_rule_create(handle, proto, idev, odev, sip, dip); + fw3_ipt_rule_sport_dport(r, sport, dport); + fw3_ipt_rule_device(r, rule->device, rule->direction_out); + fw3_ipt_rule_icmptype(r, icmptype); + fw3_ipt_rule_mac(r, mac); + fw3_ipt_rule_ipset(r, &rule->ipset); + fw3_ipt_rule_helper(r, &rule->helper); + fw3_ipt_rule_limit(r, &rule->limit); + fw3_ipt_rule_time(r, &rule->time); + fw3_ipt_rule_mark(r, &rule->mark); + fw3_ipt_rule_dscp(r, &rule->dscp); + set_target(r, rule); + fw3_ipt_rule_extra(r, rule->extra); + set_comment(r, rule->name, num); + append_chain(r, rule); + } } static void
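Review bot: `fw3_ipt_rule_device(r, rule->device, rule->direction_out);` is still applied inside the nested loop after `fw3_ipt_rule_create(handle, proto, idev, odev, sip, dip);` has already attached the zone device(s), so a MARK/DSCP rule that also sets the `device` option may end up with two `-i` (or two `-o`) matches in one rule; either reject `device` for these targets in check_rule or skip the call when idev/odev are non-NULL. The loop also emits one rule per (src device, dest device) pair, which is why the duplicate removal in patch 1/2 is required for correctness rather than being cosmetic; that dependency should be stated in the commit message.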