From patchwork Wed Sep 28 15:31:26 2022
X-Patchwork-Submitter: Gordon Maclean
X-Patchwork-Id: 1683943
From: dsmtngoat@gmail.com
To: openwrt-devel@lists.openwrt.org
Cc: Gordon Maclean
Subject: [PATCH] Send bad forward_zone packets to verdict_from_zone
Date: Wed, 28 Sep 2022 09:31:26 -0600
Message-Id: <20220928153126.624032-1-dsmtngoat@gmail.com>
X-Mailer: git-send-email 2.37.3
List-Id: OpenWrt Development List
From: Gordon Maclean Received forward packets which fail acceptance tests are finally handled by a _to_ chain where is typically "drop" or "reject". This "_to_" chain only matches packets destined for the interface, and so does not match packets destined for interfaces other than where they were received. As a result the final resolution depends on the default policy for the forward chain, which for a reasonably configured router is "drop" or "reject", so this is unlikely to be a security hole, This does not match what the user has configured as the resolution of forward packets received for the zone. Also, if the user has enabled logging of failed packets, these packets will not be logged. This patch may also result in failues in firewall4/tests. That has not been investigated. --- root/usr/share/firewall4/templates/ruleset.uc | 2 +- root/usr/share/ucode/fw4.uc | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index eaa1f04..daef252 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc @@ -239,7 +239,7 @@ table inet fw4 { ct status dnat accept comment "!fw4: Accept port forwards" {% endif %} {% fw4.includes('chain-append', `forward_${zone.name}`) %} - jump {{ zone.forward }}_to_{{ zone.name }} + jump {{ zone.forward }}_from_{{ zone.name }} } {% if (zone.dflags.helper): %} diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index 29ae053..a6c1ae5 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -2113,6 +2113,7 @@ return { zone.sflags = {}; zone.sflags[zone.input] = true; + zone.sflags[zone.forward] = true; zone.dflags = {}; zone.dflags[zone.output] = true;
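Review bot: in the ruleset.uc hunk the new target `jump {{ zone.forward }}_from_{{ zone.name }}` only exists if the template emits a `<verdict>_from_<zone>` chain for every verdict set in `zone.sflags`, so this hunk depends on the fw4.uc hunk and the two cannot be split across commits or backported separately; nft rejects a ruleset that references an undefined chain as a whole, leaving the previous ruleset in place. Before merging, the expected outputs under firewall4/tests need to be regenerated (every zone's `forward_<zone>` chain now ends in a `_from_` rather than a `_to_` jump) instead of leaving the failures uninvestigated as the commit message says; `fw4 print` on a two-zone config is the quick way to confirm the generated chain is present and referenced.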
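Review bot: in the fw4.uc hunk, `zone.sflags` is keyed by verdict name, so when `zone.input` and `zone.forward` are the same verdict the added `zone.sflags[zone.forward] = true;` is a no-op and a single `<verdict>_from_<zone>` chain now serves both the input and the forward path; confirm that chain's body (counter, optional log rule) is appropriate for forwarded traffic as well as input, since its log text and comment were written for input. Also check whether the forward verdict is still flagged in `zone.dflags` elsewhere: after the ruleset.uc change the `{{ zone.forward }}_to_{{ zone.name }}` chain loses its only visible reference, and if it is still generated it becomes dead output that should be dropped in the same patch.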
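The fall-through the commit message describes, as an added illustration that is not part of the patch or of firewall4: a toy model of nftables chain evaluation (base chain with a policy, `jump` into regular chains, rules matching on input or output interface) with the `forward_wan` chain ending in either the `_to_` or the `_from_` verdict chain. The interface names `eth0`/`br-lan`, the chain bodies and the log rule are assumptions chosen to mirror the description above, not fw4's generated output.

```python
"""Toy nftables evaluator: why a cross-zone forward misses the zone verdict.

Added illustration, not code from firewall4 or from the patch.  It models only
what the commit message relies on: a base chain with a policy, `jump` into
regular chains, and rules that match on the input or output interface.  The
device names, chain bodies and log rules are assumptions, not fw4's ruleset.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

WAN, LAN = "eth0", "br-lan"  # assumed zone devices


@dataclass
class Packet:
    iif: str  # input interface: the zone the packet was received from
    oif: str  # output interface: the zone the packet is forwarded to


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    action: str  # "accept" | "drop" | "reject" | "log" | "jump:<chain>"


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)  # base chains only
    log: List[str] = field(default_factory=list)          # log lines emitted

    def add(self, name: str, rules: List[Rule], policy: Optional[str] = None) -> None:
        self.chains[name] = rules
        if policy is not None:
            self.policy[name] = policy

    def run_chain(self, name: str, pkt: Packet) -> Optional[str]:
        """Evaluate one chain; None means it fell off the end and returns to the caller."""
        for rule in self.chains[name]:
            if not rule.match(pkt):
                continue
            if rule.action == "log":
                self.log.append(f"{name}: {pkt.iif}->{pkt.oif}")
                continue  # log is non-terminal
            if rule.action.startswith("jump:"):
                verdict = self.run_chain(rule.action[len("jump:"):], pkt)
                if verdict is not None:
                    return verdict
                continue  # jumped chain gave no verdict: keep going here
            return rule.action
        return None

    def evaluate(self, hook: str, pkt: Packet) -> str:
        """Verdict for a packet on a base chain, falling back to its policy."""
        verdict = self.run_chain(hook, pkt)
        return verdict if verdict is not None else self.policy[hook]


def verdict_chain(direction: str) -> List[Rule]:
    """Assumed body of a zone verdict chain: log, then reject, both restricted
    to the zone's device in the given direction ("to" = oifname, "from" = iifname)."""
    def hit(p: Packet) -> bool:
        return p.oif == WAN if direction == "to" else p.iif == WAN
    return [Rule(hit, "log"), Rule(hit, "reject")]


def build(forward_terminal: str) -> Ruleset:
    """Forward hook as the message describes it: dispatch on input interface,
    with forward_wan ending in the jump the patch changes."""
    rs = Ruleset()
    rs.add("forward", [
        Rule(lambda p: p.iif == LAN, "jump:forward_lan"),
        Rule(lambda p: p.iif == WAN, "jump:forward_wan"),
    ], policy="drop")
    rs.add("forward_lan", [Rule(lambda p: True, "accept")])  # assumed: lan may forward anywhere
    rs.add("forward_wan", [Rule(lambda p: True, f"jump:{forward_terminal}")])
    rs.add("reject_to_wan", verdict_chain("to"))      # target before the patch
    rs.add("reject_from_wan", verdict_chain("from"))  # target after the patch
    return rs


def resolve(forward_terminal: str, pkt: Packet) -> Tuple[str, List[str]]:
    """Final verdict for pkt plus the zone log lines it produced."""
    rs = build(forward_terminal)
    return rs.evaluate("forward", pkt), list(rs.log)


if __name__ == "__main__":
    wan_to_lan = Packet(WAN, LAN)
    print("before:", resolve("reject_to_wan", wan_to_lan))    # ('drop', [])
    print("after: ", resolve("reject_from_wan", wan_to_lan))  # ('reject', ['reject_from_wan: eth0->br-lan'])
```

With the `_to_` target, a wan-to-lan packet passes through `reject_to_wan` without matching, returns to `forward_wan` and then to `forward`, and is dropped by the base-chain policy with no zone log line; only a wan-to-wan forward ever hits the zone's own verdict. With the `_from_` target the same packet is rejected and logged by the zone chain, which is the behaviour the zone's `forward` option configures.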