[PATCH] rules: Prevent empty rule rejecting everything
Arkadiusz Kozdra
floss at arusekk.pl
Sun Oct 27 06:30:39 PDT 2024
Previously if the config file contained any empty rule (like a duplicate
'config rule' line), the firewall understood it as rejecting all output
traffic (TCP+UDP). The router was therefore functioning properly, but
was unable to answer DHCP requests (because they are not ESTABLISHED nor
RELATED) nor send any upstream packets, which was hard to diagnose.
The change now requires every rule to contain at least one of zone,
protocol or target.
Signed-off-by: Arkadiusz Kozdra <floss at arusekk.pl>
---
rules.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/rules.c b/rules.c
index d506a96..bbd9c37 100644
--- a/rules.c
+++ b/rules.c
@@ -104,6 +104,8 @@ alloc_rule(struct fw3_state *state)
static bool
check_rule(struct fw3_state *state, struct fw3_rule *r, struct uci_element *e)
{
+ int guessed = 0;
+
if (!r->enabled)
return false;
@@ -194,23 +196,35 @@ check_rule(struct fw3_state *state, struct fw3_rule *r, struct uci_element *e)
{
warn_section("rule", r, e, "has neither a source nor a destination zone assigned "
"- assuming an output rule");
+ guessed++;
}
if (list_empty(&r->proto))
{
warn_section("rule", r, e, "does not specify a protocol, assuming TCP+UDP");
fw3_parse_protocol(&r->proto, "tcpudp", true);
+ guessed++;
}
if (r->target == FW3_FLAG_UNSPEC)
{
warn_section("rule", r, e, "has no target specified, defaulting to REJECT");
r->target = FW3_FLAG_REJECT;
+ guessed++;
}
else if (r->target > FW3_FLAG_DSCP)
{
warn_section("rule", r, e, "has invalid target specified, defaulting to REJECT");
r->target = FW3_FLAG_REJECT;
+ guessed++;
+ }
+
+ if (guessed > 2)
+ {
+ /* empty config rule would reject all output TCP+UDP */
+ warn_section("rule", r, e, "must specify at least one valid value of "
+ "source/destination zone, protocol and target");
+ return false;
}
/* NB: r family... */
--
2.47.0
More information about the openwrt-devel
mailing list