Re: [PATCH] fw4: handle bad forward_zone packets with v_from_z
This comment was posted to "[PATCH] Send bad forward_zone packets to
verdict_from_zone".
> the forward policy for zones is supposed to only apply to forwarded traffic
> among interfaces of the same zone. If I read it correctly, your patch would
> change this long standing behavior to something else.
In this patch, forwarded traffic for a zone is still handled by chains
for interfaces of that zone.
For a typical simple home router with a "wan" zone, the current
behavior of firewall4 for a forwarded zone is to create these chains,
extracted from the output of "fw4 print":
chain forward {
type filter hook forward priority filter; policy drop;
... accept established, related
iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6
forward traffic"
jump handle_reject
}
...
chain forward_wan {
... accept icmpv6, esp, isakmp
jump drop_to_wan
}
...
chain drop_to_wan {
oifname "wan" counter log prefix "drop wan out: " drop comment
"!fw4: drop wan IPv4/IPv6 traffic"
}
I believe "jump drop_to_wan" in chain forward_wan is incorrect, it
should be "jump drop_from_wan". Chain "drop_to_wan" won't do
anything with packets received on "wan" but destined for other zones,
because it matches packets with oifname "wan", not iifname "wan".
The additional change to fw4.uc ensures that "drop_from_wan" is
defined, even if the default policy for forward is not drop:
chain drop_from_wan {
iifname "wan" counter log prefix "drop wan in: " drop comment
"!fw4: drop wan IPv4/IPv6
}
Gordon
Gordon
On Wed, Sep 28, 2022 at 10:50 AM wrote:
>
> From: Gordon Maclean
>
> Received forward packets which fail acceptance tests are finally handled
> by a _to_ chain where is typically
> "drop" or "reject". This "_to_" chain only matches packets destined
> for the interface, and so does not match packets destined for interfaces
> other than where they were received.
>
> The final resolution of these packets will then be the policy for the
> forward chain, which for a reasonably configured router is "drop" or
> "reject", so this is unlikely to be a security hole. However,
> this does not match what the user has configured as the verdict for
> forward packets received for the zone. Also, if the user has enabled
> logging of failed packets, these packets will not be logged.
>
> This patch changes the forward vertict to "_from_",
> and enables the definition of that chain for received packets.
>
> This patch may also result in failures in firewall4/tests, which has not
> been investigated.
>
> Signed-off-by: Gordon Maclean
> ---
> root/usr/share/firewall4/templates/ruleset.uc | 2 +-
> root/usr/share/ucode/fw4.uc | 1 +
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/root/usr/share/firewall4/templates/ruleset.uc
> b/root/usr/share/firewall4/templates/ruleset.uc
> index eaa1f04..daef252 100644
> --- a/root/usr/share/firewall4/templates/ruleset.uc
> +++ b/root/usr/share/firewall4/templates/ruleset.uc
> @@ -239,7 +239,7 @@ table inet fw4 {
> ct status dnat accept comment "!fw4: Accept port forwards"
> {% endif %}
> {% fw4.includes('chain-append', `forward_${zone.name}`) %}
> - jump {{ zone.forward }}_to_{{ zone.name }}
> + jump {{ zone.forward }}_from_{{ zone.name }}
> }
>
> {% if (zone.dflags.helper): %}
> diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
> index 29ae053..a6c1ae5 100644
> --- a/root/usr/share/ucode/fw4.uc
> +++ b/root/usr/share/ucode/fw4.uc
> @@ -2113,6 +2113,7 @@ return {
>
> zone.sflags = {};
> zone.sflags[zone.input] = true;
> + zone.sflags[zone.forward] = true;
>
> zone.dflags = {};
> zone.dflags[zone.output] = true;
> --
> 2.37.3
>
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] Send bad forward_zone packets to verdict_from_zone
This patch was resubmitted, in a format more closely matching the openwrt
patch guidelines, with the subject
"[PATCH] fw4: handle bad forward_zone packets with v_from_z" .
Gordon
On Wed, Sep 28, 2022 at 9:31 AM wrote:
>
> From: Gordon Maclean
>
> Received forward packets which fail acceptance tests are finally handled by a
> _to_ chain
> where is typically "drop" or "reject". This "_to_" chain only
> matches packets destined
> for the interface, and so does not match packets destined for interfaces
> other than where they were received.
>
> As a result the final resolution depends on the default policy for the
> forward chain, which for a
> reasonably configured router is "drop" or "reject", so this is unlikely to be
> a security hole,
> This does not match what the user has configured as the resolution of forward
> packets received
> for the zone. Also, if the user has enabled logging of failed packets, these
> packets will not be logged.
>
> This patch may also result in failues in firewall4/tests. That has not been
> investigated.
> ---
> root/usr/share/firewall4/templates/ruleset.uc | 2 +-
> root/usr/share/ucode/fw4.uc | 1 +
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/root/usr/share/firewall4/templates/ruleset.uc
> b/root/usr/share/firewall4/templates/ruleset.uc
> index eaa1f04..daef252 100644
> --- a/root/usr/share/firewall4/templates/ruleset.uc
> +++ b/root/usr/share/firewall4/templates/ruleset.uc
> @@ -239,7 +239,7 @@ table inet fw4 {
> ct status dnat accept comment "!fw4: Accept port forwards"
> {% endif %}
> {% fw4.includes('chain-append', `forward_${zone.name}`) %}
> - jump {{ zone.forward }}_to_{{ zone.name }}
> + jump {{ zone.forward }}_from_{{ zone.name }}
> }
>
> {% if (zone.dflags.helper): %}
> diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
> index 29ae053..a6c1ae5 100644
> --- a/root/usr/share/ucode/fw4.uc
> +++ b/root/usr/share/ucode/fw4.uc
> @@ -2113,6 +2113,7 @@ return {
>
> zone.sflags = {};
> zone.sflags[zone.input] = true;
> + zone.sflags[zone.forward] = true;
>
> zone.dflags = {};
> zone.dflags[zone.output] = true;
> --
> 2.37.3
>
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] Send bad forward_zone packets to verdict_from_zone
Hi, the forward policy for zones is supposed to only apply to forwarded traffic among interfaces of the same zone. If I read it correctly, your patch would change this long standing behavior to something else. ~ Jo signature.asc Description: OpenPGP digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] fw4: handle bad forward_zone packets with v_from_z
From: Gordon Maclean
Received forward packets which fail acceptance tests are finally handled
by a _to_ chain where is typically
"drop" or "reject". This "_to_" chain only matches packets destined
for the interface, and so does not match packets destined for interfaces
other than where they were received.
The final resolution of these packets will then be the policy for the
forward chain, which for a reasonably configured router is "drop" or
"reject", so this is unlikely to be a security hole. However,
this does not match what the user has configured as the verdict for
forward packets received for the zone. Also, if the user has enabled
logging of failed packets, these packets will not be logged.
This patch changes the forward vertict to "_from_",
and enables the definition of that chain for received packets.
This patch may also result in failures in firewall4/tests, which has not
been investigated.
Signed-off-by: Gordon Maclean
---
root/usr/share/firewall4/templates/ruleset.uc | 2 +-
root/usr/share/ucode/fw4.uc | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc
b/root/usr/share/firewall4/templates/ruleset.uc
index eaa1f04..daef252 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -239,7 +239,7 @@ table inet fw4 {
ct status dnat accept comment "!fw4: Accept port forwards"
{% endif %}
{% fw4.includes('chain-append', `forward_${zone.name}`) %}
- jump {{ zone.forward }}_to_{{ zone.name }}
+ jump {{ zone.forward }}_from_{{ zone.name }}
}
{% if (zone.dflags.helper): %}
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 29ae053..a6c1ae5 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2113,6 +2113,7 @@ return {
zone.sflags = {};
zone.sflags[zone.input] = true;
+ zone.sflags[zone.forward] = true;
zone.dflags = {};
zone.dflags[zone.output] = true;
--
2.37.3
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] Send bad forward_zone packets to verdict_from_zone
From: Gordon Maclean
Received forward packets which fail acceptance tests are finally handled by a
_to_ chain
where is typically "drop" or "reject". This "_to_" chain only
matches packets destined
for the interface, and so does not match packets destined for interfaces other
than where they were received.
As a result the final resolution depends on the default policy for the forward
chain, which for a
reasonably configured router is "drop" or "reject", so this is unlikely to be a
security hole,
This does not match what the user has configured as the resolution of forward
packets received
for the zone. Also, if the user has enabled logging of failed packets, these
packets will not be logged.
This patch may also result in failues in firewall4/tests. That has not been
investigated.
---
root/usr/share/firewall4/templates/ruleset.uc | 2 +-
root/usr/share/ucode/fw4.uc | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc
b/root/usr/share/firewall4/templates/ruleset.uc
index eaa1f04..daef252 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -239,7 +239,7 @@ table inet fw4 {
ct status dnat accept comment "!fw4: Accept port forwards"
{% endif %}
{% fw4.includes('chain-append', `forward_${zone.name}`) %}
- jump {{ zone.forward }}_to_{{ zone.name }}
+ jump {{ zone.forward }}_from_{{ zone.name }}
}
{% if (zone.dflags.helper): %}
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 29ae053..a6c1ae5 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2113,6 +2113,7 @@ return {
zone.sflags = {};
zone.sflags[zone.input] = true;
+ zone.sflags[zone.forward] = true;
zone.dflags = {};
zone.dflags[zone.output] = true;
--
2.37.3
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] argp-standalone: generate a shared library instead of static library
Thomas Langer [2022-09-13 17:47:56]: Hi, > Change the argp-standalone package to produce a shared library instead > of a static library for the target. The host build is not changed. we can see that from the diff already, so we would prefer to know, why would you like to have this change included. > Update related packages to add it as a direct dependency, otherwise the > buildsystem will complain. > > Please check also https://github.com/openwrt/packages/pull/19357, > a related pull request for the packages feed, to avoid that this change > is breaking all the packages that depend on argp-standalone. Can't this be solved in some less intrusive way? I can imagine, that this is not going to be bisect friendly and could provide other woes in the future. What about introducing shared library in conjunction to the static one, thus not breaking anything? Then if it makes sense, we could convert existing static users to shared version in a next step. Cheers, Petr ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
