[PATCH] fw4: fix handling of unaccepted forward packets

dsmtngoat at gmail.com
Thu Nov 3 14:09:21 PDT 2022


From: Gordon Maclean <dsmtngoat at gmail.com>

This is a resubmit of
[PATCH] fw4: handle bad forward_zone packets with v_from_z,
with an updated commit message.

Below, FROM and TO are capitalized for emphasis.

Packets on the input chain that fail acceptance
rules are eventually handled by a rule created by
"jump {{ zone.input }}_FROM_{{ zone.name }}" in ruleset.uc.

For a wan zone, with input policy "drop", this results in a jump to
the "drop_FROM_wan" chain where they are optionally logged, and
dropped.

However, packets on the forward chain that fail acceptance rules
are eventually handled by the rule created by
"jump {{ zone.forward }}_TO_{{ zone.name }}" in ruleset.uc.

For zone wan, with forward policy "drop", packets would be sent to
the "drop_TO_wan" chain.

This is a bug, since that chain matches packets sent TO the
interface for the zone, not FROM the interface, and so will
fail to match all unaccepted forwarded packets received on the
zone. As a result these forwarded packets are handled by the
global forward policy and not by the forward policy for the
zone, and will not be logged.

This patch sets the final disposition for unaccepted forwarded
packets to be the same as for unaccepted input packets.

Signed-off-by: Gordon Maclean <dsmtngoat at gmail.com>
---
 root/usr/share/firewall4/templates/ruleset.uc | 2 +-
 root/usr/share/ucode/fw4.uc                   | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index d6eedfd..833c762 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -239,7 +239,7 @@ table inet fw4 {
 		ct status dnat accept comment "!fw4: Accept port forwards"
 {%  endif %}
 {%  fw4.includes('chain-append', `forward_${zone.name}`) %}
-		jump {{ zone.forward }}_to_{{ zone.name }}
+		jump {{ zone.forward }}_from_{{ zone.name }}
 {%  if (fw4.forward_policy() != "accept" && (zone.log & 1)): %}
 		log prefix "{{ fw4.forward_policy() }} {{ zone.name }} forward: "
 {%  endif %}
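Review bot: the new jump target `{{ zone.forward }}_from_{{ zone.name }}` is a chain this template does not define by itself; it is only emitted once fw4.uc registers zone.forward in zone.sflags (the second hunk), so a ruleset rendered with this hunk alone would jump to an undefined chain and fail to load. The commit message should say that the two hunks are only valid together. Separately, the `log prefix "{{ fw4.forward_policy() }} {{ zone.name }} forward: "` rule that follows the jump is only reached if the `_from_` chain returns rather than issuing a verdict; given that the commit message describes `drop_FROM_wan` as logging and dropping, it is worth confirming that this trailing log rule is still reachable for some zone/policy combination and removing it if it has become dead.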
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 47e86cd..74b7c81 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2113,6 +2113,7 @@ return {
 
 		zone.sflags = {};
 		zone.sflags[zone.input] = true;
+		zone.sflags[zone.forward] = true;
 
 		zone.dflags = {};
 		zone.dflags[zone.output] = true;
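Review bot: zone.forward is added to zone.sflags, but the zone.dflags block that follows is left untouched (only the zone.output entry is visible as context). If the forward policy is also still registered as a destination flag, the generator keeps emitting a `{{ zone.forward }}_to_{{ zone.name }}` chain that, after the ruleset.uc change, nothing in the visible template jumps to any more. Either drop that dflags entry in the same patch or state in the commit message which remaining template still references the `_to_` chain for the forward policy.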
-- 
2.38.1
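A practitioner reading this will want to know whether a given OpenWrt box renders the buggy `_to_` fallback or the fixed `_from_` one. The following check is an added example, not code from the patch or from firewall4; it assumes only that `nft list chain inet fw4 forward_<zone>` prints the chain body with one `jump <policy>_to_<zone>` or `jump <policy>_from_<zone>` line, as the `forward_${zone.name}` template above generates. The two chain listings embedded below are constructed samples so the script runs offline; on a device, pipe real `nft` output into the functions instead. It generalizes slightly beyond the patch by accepting any of the three fw4 policies (accept, drop, reject) rather than only drop.

```sh
#!/bin/sh
# Added example (not part of the patch or of firewall4): inspect the rendered
# "forward_<zone>" chain of an fw4 ruleset and report whether its per-zone
# fallback jumps to "<policy>_from_<zone>" (fixed) or "<policy>_to_<zone>"
# (the bug described in the commit message).
#
# Live use on an OpenWrt box (assumed nft invocation, nft output read on stdin):
#   nft list chain inet fw4 forward_wan | fw4_describe_forward_fallback wan

# Print the last "jump <policy>_{to,from}_<zone>" target found in the chain
# listing on stdin; prints an empty line if there is none.
fw4_forward_fallback() {
    awk -v zone="$1" '
        $1 == "jump" && $2 ~ ("^(accept|drop|reject)_(to|from)_" zone "$") { target = $2 }
        END { print target }'
}

# Exit status: 0 = fallback is a _from_ chain (patched behaviour),
#              1 = fallback is a _to_ chain (unpatched bug),
#              2 = no per-zone fallback jump found at all.
fw4_forward_fallback_ok() {
    target=$(fw4_forward_fallback "$1")
    case $target in
        *_from_"$1") return 0 ;;
        *_to_"$1")   return 1 ;;
        *)           return 2 ;;
    esac
}

# Human-readable wrapper; always returns 0 so it is safe at top level.
fw4_describe_forward_fallback() {
    rc=0
    fw4_forward_fallback_ok "$1" || rc=$?
    case $rc in
        0) echo "ok: forward_$1 falls back to a _from_$1 chain" ;;
        1) echo "BUG: forward_$1 falls back to a _to_$1 chain (unpatched)" ;;
        *) echo "no per-zone fallback jump found in forward_$1" ;;
    esac
}

# Constructed sample listings (shape modelled on the ruleset.uc template;
# not captured from a real device).
SAMPLE_BUGGY='table inet fw4 {
	chain forward_wan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_to_wan
	}
}'

SAMPLE_FIXED='table inet fw4 {
	chain forward_wan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_from_wan
	}
}'

printf '%s\n' "$SAMPLE_BUGGY" | fw4_describe_forward_fallback wan
printf '%s\n' "$SAMPLE_FIXED" | fw4_describe_forward_fallback wan
```

The check keys on the last matching jump in the chain because the template emits the fallback jump after the zone's accept rules and port-forward rule, so an earlier `accept` line never masks it.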