The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
--- Begin Message ---
Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
and accepts but ignores a src device. This behaviour is impractical for
most common applications (e.g. QOS setup), since rules are applied to all
devices and in all directions. Fix this generally by honouring src/dest
device selection and placing the rules into the appropriate chain of the
mangle table. 

These changes revealed the process of resolving zones to devices can add
duplicates due to the presence of aliased interfaces. Fix this by filtering
the fw3_zone->devices list during creation.

Thanks go to Jo-Philipp Wich <j...@mein.io> for sharing proof of concept code
on IRC and providing additional review afterwards.

Tony Ambardar (2):
  zone: avoid duplicates in devices list
  rules: fix device and chain usage for DSCP/MARK targets

 rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
 zones.c |  9 +++++++-
 2 files changed, 51 insertions(+), 26 deletions(-)

Testing
=======

Regression testing was done to confirm the default OpenWrt firewall rules
are unchanged before and after this patch.

Functional testing was carried out using the UCI firewall rules below. This
set of test cases would normally yield the following incorrect iptables
rules (from iptables-save, sorted by test):

-A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30

After this change, the resulting iptables rules use the expected devices
and chains:

-A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
-A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30

UCI FW Rules
------------

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'BE'
        option proto 'udp'
        option dest_port '1945'
        option name 'Test-1-Zone-Any-PRE'
        option src 'lan'
        option dest '*'

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'CS1'
        option proto 'udp'
        option dest_port '1950'
        option name 'Test-2-Zone-Zone-FORW'
        option src 'lan'
        option dest 'wan'

config rule
        option enabled '1'
        option target 'MARK'
        option set_mark '0x03/0xff'
        option proto 'tcp'
        option dest_port '1955'
        option name 'Test-3-Any-Zone-POST'
        option src '*'
        option dest 'wan'

config rule
        option enabled '1'
        option target 'MARK'
        option set_mark '0x07/0xff'
        option proto 'tcp'
        option dest_port '1960'
        option name 'Test-4-Any-Any-FORW'
        option src '*'
        option dest '*'

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'EF'
        option proto 'udp'
        option dest_port '1965'
        option name 'Test-5-Zone-Dev-IN'
        option src 'lan'

config rule
        option enabled '1'
        option target 'MARK'
        option set_mark '0x0f/0xff'
        option proto 'tcp'
        option dest_port '1970'
        option name 'Test-6-Dev-Zone-OUT'
        option dest 'wan'

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'CS6'
        option proto 'udp'
        option dest_port '1975'
        option name 'Test-7-Dev-Dev-OUT'

-- 
2.25.1



--- End Message ---
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
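The chain and device selection the cover letter describes, written out as an added example that is not part of the patch series or of fw3's own C code: a small Python model that reads UCI "config rule" sections, resolves zones to devices (dropping the duplicates an aliased interface produces, which is what the zones.c change does in fw3), picks the mangle chain from the src/dest selection, and renders the iptables-save lines from the Testing section. The zone-to-device map and the embedded UCI fragment are constructed; the treatment of combinations the seven test cases do not cover (for example src '*' with dest unset) is inferred from the cases they do cover and is an assumption, not something the patch states.

```python
import itertools

# Constructed sample zone -> devices map (an assumption, not a real router). "lan"
# lists its bridge twice to stand in for an aliased interface that the zones.c fix filters.
ZONE_DEVICES = {"lan": ["br-lan", "br-lan"], "wan": ["eth0"]}
# DSCP class names used in the cover letter's test rules and their codepoints.
DSCP_CLASSES = {"BE": 0x00, "CS1": 0x08, "EF": 0x2e, "CS6": 0x30}

# Constructed UCI input: two of the cover letter's test rules.
SAMPLE_UCI = """\
config rule
        option target 'DSCP'
        option set_dscp 'CS1'
        option proto 'udp'
        option dest_port '1950'
        option name 'Test-2-Zone-Zone-FORW'
        option src 'lan'
        option dest 'wan'
config rule
        option target 'MARK'
        option set_mark '0x03/0xff'
        option proto 'tcp'
        option dest_port '1955'
        option name 'Test-3-Any-Zone-POST'
        option src '*'
        option dest 'wan'
"""

def parse_uci_rules(text):
    """Collect 'config rule' sections into dicts of option name -> value."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config rule":
            cur = {}
            rules.append(cur)
        elif line.startswith("option ") and cur is not None:
            _, key, value = line.split(None, 2)
            cur[key] = value.strip("'\"")
    return rules

def zone_devices(zone):
    """Devices of a zone with duplicates (aliased interfaces) removed, order kept."""
    seen, devices = set(), []
    for dev in ZONE_DEVICES.get(zone, []):
        if dev not in seen:
            seen.add(dev)
            devices.append(dev)
    return devices

def placement(src, dest):
    """Return (mangle chain, match on -i, match on -o). src/dest are None (option
    absent: this device), "*" (any zone) or a zone name. Combinations outside the
    test set are an assumption: absent src = locally generated, absent dest = local delivery."""
    if src is None:                      # device -> zone/any: OUTPUT
        return "OUTPUT", False, dest not in (None, "*")
    if dest is None:                     # zone/any -> device: INPUT
        return "INPUT", src != "*", False
    if src != "*" and dest == "*":       # zone -> any: PREROUTING on the ingress device
        return "PREROUTING", True, False
    if src == "*" and dest != "*":       # any -> zone: POSTROUTING on the egress device
        return "POSTROUTING", False, True
    return "FORWARD", src != "*", dest != "*"   # zone -> zone, or any -> any

def target_args(rule):
    """Target part of the rule; MARK values are printed the way iptables-save shows them."""
    if rule["target"] == "DSCP":
        return "-j DSCP --set-dscp 0x%02x" % DSCP_CLASSES[rule["set_dscp"]]
    if rule["target"] == "MARK":
        value, mask = rule["set_mark"].split("/")
        return "-j MARK --set-xmark %#x/%#x" % (int(value, 16), int(mask, 16))
    raise ValueError("unsupported target %r" % rule["target"])

def render_rules(rule):
    """Render one UCI rule as iptables-save lines, one per in/out device combination."""
    if rule.get("enabled", "1") != "1":
        return []
    chain, use_in, use_out = placement(rule.get("src"), rule.get("dest"))
    ins = zone_devices(rule["src"]) if use_in else [None]
    outs = zone_devices(rule["dest"]) if use_out else [None]
    proto, lines = rule["proto"], []
    for in_dev, out_dev in itertools.product(ins, outs):
        parts = ["-A", chain]
        if in_dev:
            parts += ["-i", in_dev]
        if out_dev:
            parts += ["-o", out_dev]
        parts += ["-p", proto, "-m", proto, "--dport", rule["dest_port"],
                  "-m", "comment", "--comment", '"!fw3: %s"' % rule["name"],
                  target_args(rule)]
        lines.append(" ".join(parts))
    return lines

def mangle_rules(uci_text):
    """All mangle-table lines for a UCI firewall fragment, in file order."""
    return [line for rule in parse_uci_rules(uci_text) for line in render_rules(rule)]
```

Running mangle_rules(SAMPLE_UCI) gives the FORWARD and POSTROUTING lines for Test-2 and Test-3 exactly as listed under "After this change". The model emits one line per (ingress, egress) device pair, so a zone with two distinct devices yields two rules; the duplicate-filtering step is what keeps an aliased interface from doubling that count.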
