[PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
Tony Ambardar
itugrok at yahoo.com
Mon Mar 22 01:06:17 GMT 2021
Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
and accepts but ignores a src device. This behaviour is impractical for
most common applications (e.g. QOS setup), since rules are applied to all
devices and in all directions. Fix this generally by honouring src/dest
device selection and placing the rules into the appropriate chain of the
mangle table.
These changes revealed the process of resolving zones to devices can add
duplicates due to the presence of aliased interfaces. Fix this by filtering
the fw3_zone->devices list during creation.
Thanks go to Jo-Philipp Wich <jo at mein.io> for sharing proof of concept code
on IRC and providing additional review afterwards.
Tony Ambardar (2):
zone: avoid duplicates in devices list
rules: fix device and chain usage for DSCP/MARK targets
rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
zones.c | 9 +++++++-
2 files changed, 51 insertions(+), 26 deletions(-)
Testing
=======
Regression testing was done to confirm the default OpenWrt firewall rules
are unchanged before and after this patch.
Functional testing was carried out using the UCI firewall rules below. This
set of test cases would normally yield the following incorrect iptables
rules (from iptables-save, sorted by test):
-A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
After this change, the resulting iptables rules use the expected devices
and chains:
-A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
-A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
UCI FW Rules
------------
config rule
	option enabled '1'
	option target 'DSCP'
	option set_dscp 'BE'
	option proto 'udp'
	option dest_port '1945'
	option name 'Test-1-Zone-Any-PRE'
	option src 'lan'
	option dest '*'

config rule
	option enabled '1'
	option target 'DSCP'
	option set_dscp 'CS1'
	option proto 'udp'
	option dest_port '1950'
	option name 'Test-2-Zone-Zone-FORW'
	option src 'lan'
	option dest 'wan'

config rule
	option enabled '1'
	option target 'MARK'
	option set_mark '0x03/0xff'
	option proto 'tcp'
	option dest_port '1955'
	option name 'Test-3-Any-Zone-POST'
	option src '*'
	option dest 'wan'

config rule
	option enabled '1'
	option target 'MARK'
	option set_mark '0x07/0xff'
	option proto 'tcp'
	option dest_port '1960'
	option name 'Test-4-Any-Any-FORW'
	option src '*'
	option dest '*'

config rule
	option enabled '1'
	option target 'DSCP'
	option set_dscp 'EF'
	option proto 'udp'
	option dest_port '1965'
	option name 'Test-5-Zone-Dev-IN'
	option src 'lan'

config rule
	option enabled '1'
	option target 'MARK'
	option set_mark '0x0f/0xff'
	option proto 'tcp'
	option dest_port '1970'
	option name 'Test-6-Dev-Zone-OUT'
	option dest 'wan'

config rule
	option enabled '1'
	option target 'DSCP'
	option set_dscp 'CS6'
	option proto 'udp'
	option dest_port '1975'
	option name 'Test-7-Dev-Dev-OUT'
--
2.25.1
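The following is an added example, not code from firewall3 or from this series: a small Python model of the two behaviours the cover letter describes, the de-duplication of a zone's device list when aliased interfaces resolve to the same device (patch 1/2), and the choice of mangle-table chain and -i/-o devices from a rule's src/dest options (patch 2/2). The ZONE_IFACES table, the SAMPLE_UCI input and the minimal UCI parser are assumptions made for the example; the chain mapping is read off the seven expected iptables rules above and deliberately covers only those combinations. Rendering a test rule reproduces the corresponding iptables-save line from the "after" output, and calling zone_devices with dedup=False shows the duplicate rules the old device list would have produced.

```python
# Added example, not firewall3's own code: a small model of the behaviour the
# cover letter describes, checked against the expected iptables lines above.
# ZONE_IFACES, SAMPLE_UCI and the tiny UCI parser are assumptions made here.
import re

# Constructed zone -> (interface, device) table. The *6 entries model aliased
# interfaces that resolve to the same device, the source of the duplicates
# that patch 1/2 filters out of fw3_zone->devices.
ZONE_IFACES = {
    "lan": [("lan", "br-lan"), ("lan6", "br-lan")],
    "wan": [("wan", "eth0"), ("wan6", "eth0")],
}

DSCP_CLASSES = {"BE": 0x00, "CS1": 0x08, "EF": 0x2e, "CS6": 0x30}

# (src kind, dest kind) -> mangle chain, read off the seven expected rules.
# Kinds: "zone" = a named zone, "any" = '*', "none" = option absent.
# Combinations the tests do not cover are left out on purpose.
CHAIN_FOR = {
    ("zone", "any"): "PREROUTING",
    ("zone", "zone"): "FORWARD",
    ("any", "zone"): "POSTROUTING",
    ("any", "any"): "FORWARD",
    ("zone", "none"): "INPUT",
    ("none", "zone"): "OUTPUT",
    ("none", "none"): "OUTPUT",
}

# Two of the cover letter's test rules, embedded here as sample input.
SAMPLE_UCI = """\
config rule
    option target 'DSCP'
    option set_dscp 'CS1'
    option proto 'udp'
    option dest_port '1950'
    option name 'Test-2-Zone-Zone-FORW'
    option src 'lan'
    option dest 'wan'

config rule
    option target 'MARK'
    option set_mark '0x0f/0xff'
    option proto 'tcp'
    option dest_port '1970'
    option name 'Test-6-Dev-Zone-OUT'
    option dest 'wan'
"""


def zone_devices(zone, dedup=True):
    """Resolve a zone to its devices; dedup=False shows the old duplicate list."""
    devs = [dev for _iface, dev in ZONE_IFACES.get(zone, [])]
    return list(dict.fromkeys(devs)) if dedup else devs


def parse_uci_rules(text):
    """Minimal parser for 'config rule' sections with "option key 'value'" lines."""
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "config rule":
            cur = {}
            rules.append(cur)
        elif cur is not None and line.startswith("option "):
            key, val = re.match(r"option (\S+) '(.*)'", line).groups()
            cur[key] = val
    return rules


def kind(value):
    return "none" if value is None else ("any" if value == "*" else "zone")


def target_args(rule):
    if rule["target"] == "DSCP":
        return "--set-dscp 0x%02x" % DSCP_CLASSES[rule["set_dscp"]]
    if rule["target"] == "MARK":
        mark, mask = rule["set_mark"].split("/")
        return "--set-xmark %s/%s" % (hex(int(mark, 0)), hex(int(mask, 0)))
    raise ValueError("unsupported target %r" % rule["target"])


def iptables_lines(rule, dedup=True):
    """Render the mangle-table rule(s) for one UCI rule, one per device pair."""
    if rule.get("enabled", "1") == "0":
        return []
    src, dest = rule.get("src"), rule.get("dest")
    chain = CHAIN_FOR[(kind(src), kind(dest))]  # KeyError for untested combos
    in_devs = zone_devices(src, dedup) if kind(src) == "zone" else [None]
    out_devs = zone_devices(dest, dedup) if kind(dest) == "zone" else [None]
    lines = []
    for i in in_devs:
        for o in out_devs:
            parts = ["-A", chain]
            if i:
                parts += ["-i", i]
            if o:
                parts += ["-o", o]
            parts += ["-p", rule["proto"], "-m", rule["proto"],
                      "--dport", rule["dest_port"],
                      "-m", "comment", "--comment", '"!fw3: %s"' % rule["name"],
                      "-j", rule["target"], target_args(rule)]
            lines.append(" ".join(parts))
    return lines
```

Running `iptables_lines(r)` over `parse_uci_rules(SAMPLE_UCI)` yields exactly the Test-2 and Test-6 lines shown in the "after" output; with `dedup=False` the Test-2 rule expands to four FORWARD rules instead of one, which is the duplication the first patch removes.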