[PATCH] Send bad forward_zone packets to verdict_from_zone
Gordon Maclean
dsmtngoat at gmail.com
Wed Sep 28 14:48:26 PDT 2022
This patch was resubmitted, in a format more closely matching the openwrt
patch guidelines, with the subject
"[PATCH] fw4: handle bad forward_zone packets with v_from_z" .
Gordon
On Wed, Sep 28, 2022 at 9:31 AM <dsmtngoat at gmail.com> wrote:
>
> From: Gordon Maclean <dsmtngoat at gmail.com>
>
> Received forward packets which fail acceptance tests are finally handled by a <verdict>_to_<zone> chain
> where <verdict> is typically "drop" or "reject". This "_to_" chain only matches packets destined
> for the interface, and so does not match packets destined for interfaces other than where they were received.
>
> As a result the final resolution depends on the default policy for the forward chain, which for a
> reasonably configured router is "drop" or "reject", so this is unlikely to be a security hole,
> This does not match what the user has configured as the resolution of forward packets received
> for the zone. Also, if the user has enabled logging of failed packets, these packets will not be logged.
>
> This patch may also result in failues in firewall4/tests. That has not been investigated.
> ---
> root/usr/share/firewall4/templates/ruleset.uc | 2 +-
> root/usr/share/ucode/fw4.uc | 1 +
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
> index eaa1f04..daef252 100644
> --- a/root/usr/share/firewall4/templates/ruleset.uc
> +++ b/root/usr/share/firewall4/templates/ruleset.uc
> @@ -239,7 +239,7 @@ table inet fw4 {
> ct status dnat accept comment "!fw4: Accept port forwards"
> {% endif %}
> {% fw4.includes('chain-append', `forward_${zone.name}`) %}
> - jump {{ zone.forward }}_to_{{ zone.name }}
> + jump {{ zone.forward }}_from_{{ zone.name }}
> }
>
> {% if (zone.dflags.helper): %}
> diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
> index 29ae053..a6c1ae5 100644
> --- a/root/usr/share/ucode/fw4.uc
> +++ b/root/usr/share/ucode/fw4.uc
> @@ -2113,6 +2113,7 @@ return {
>
> zone.sflags = {};
> zone.sflags[zone.input] = true;
> + zone.sflags[zone.forward] = true;
>
> zone.dflags = {};
> zone.dflags[zone.output] = true;
> --
> 2.37.3
>
More information about the openwrt-devel
mailing list