[PATCH] fw4: handle bad forward_zone packets with v_from_z

dsmtngoat at gmail.com dsmtngoat at gmail.com
Wed Sep 28 09:49:30 PDT 2022

From: Gordon Maclean <dsmtngoat at gmail.com>

Received forward packets which fail acceptance tests are finally handled
by a <verdict>_to_<zone> chain where <verdict> is typically
"drop" or "reject".  This "_to_" chain only matches packets destined
for the interface, and so does not match packets destined for interfaces
other than where they were received.

The final resolution of these packets will then be the policy for the
forward chain, which for a reasonably configured router is "drop" or
"reject", so this is unlikely to be a security hole.  However,
this does not match what the user has configured as the verdict for
forward packets received for the zone.  Also, if the user has enabled
logging of failed packets, these packets will not be logged.

This patch changes the forward verdict to "<verdict>_from_<zone>",
and enables the definition of that chain for received packets.

This patch may also result in failures in firewall4/tests, which has not
been investigated.

Signed-off-by: Gordon Maclean <dsmtngoat at gmail.com>
 root/usr/share/firewall4/templates/ruleset.uc | 2 +-
 root/usr/share/ucode/fw4.uc                   | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index eaa1f04..daef252 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -239,7 +239,7 @@ table inet fw4 {
 		ct status dnat accept comment "!fw4: Accept port forwards"
 {%  endif %}
 {%  fw4.includes('chain-append', `forward_${zone.name}`) %}
-		jump {{ zone.forward }}_to_{{ zone.name }}
+		jump {{ zone.forward }}_from_{{ zone.name }}
 {%  if (zone.dflags.helper): %}
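Review bot: the `forward_${zone.name}` chain now jumps to `{{ zone.forward }}_from_{{ zone.name }}`, so that chain must be emitted for every zone whose forward verdict differs from its input verdict, otherwise the ruleset fails to load with an unknown-chain reference; please confirm the template that generates the `_from_` chains is driven by `zone.sflags` (as the fw4.uc hunk assumes) and not only by the input verdict. The commit message also says firewall4/tests "has not been investigated": since this line changes the generated ruleset for every zone, the expected-output fixtures under firewall4/tests will change and should be run and updated in the same patch rather than left for a follow-up.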
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 29ae053..a6c1ae5 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2113,6 +2113,7 @@ return {
 		zone.sflags = {};
 		zone.sflags[zone.input] = true;
+		zone.sflags[zone.forward] = true;
 		zone.dflags = {};
 		zone.dflags[zone.output] = true;
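Review bot: `zone.sflags` is keyed by verdict name, so `zone.sflags[zone.forward] = true;` is a no-op when the forward verdict equals the input verdict (both "drop" or both "reject") and only adds a second `_from_` chain when they differ; that is the intended effect, but it is worth a short comment on this line stating that the flag now also drives the `<forward>_from_<zone>` chain, since the existing line above only documents the input case. Also note that when `zone.forward` is "accept" this will request an `accept_from_<zone>` chain in the same way `zone.input` already does; please check that the ruleset template handles that combination (e.g. for zones with forward accept and logging enabled) so no chain is defined twice.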

More information about the openwrt-devel mailing list