[PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation

Philip Prindeville philipp_subx at redfish-solutions.com
Mon Mar 22 03:23:04 GMT 2021


Are you aware that many open source apps already do DSCP marking?

I submitted the changes to Firefox, Thunderbird, Cyrus, Proftpd, Sendmail, Postfix, Curl, Wget, Apache... and this was more than 15 years ago.

Why would you want to overwrite marking if it's already present?


> On Mar 21, 2021, at 7:06 PM, Tony Ambardar via openwrt-devel <openwrt-devel at lists.openwrt.org> wrote:
> 
> From: Tony Ambardar <itugrok at yahoo.com>
> Subject: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
> Date: March 21, 2021 at 7:06:17 PM MDT
> To: openwrt-devel at lists.openwrt.org
> Cc: Jo-Philipp Wich <jo at mein.io>, Tony Ambardar <itugrok at yahoo.com>
> 
> 
> Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
> and accepts but ignores a src device. This behaviour is impractical for
> most common applications (e.g. QOS setup), since rules are applied to all
> devices and in all directions. Fix this generally by honouring src/dest
> device selection and placing the rules into the appropriate chain of the
> mangle table.
> 
> These changes revealed the process of resolving zones to devices can add
> duplicates due to the presence of aliased interfaces. Fix this by filtering
> the fw3_zone->devices list during creation.
> 
> Thanks go to Jo-Philipp Wich <jo at mein.io> for sharing proof of concept code
> on IRC and providing additional review afterwards.
> 
> Tony Ambardar (2):
>  zone: avoid duplicates in devices list
>  rules: fix device and chain usage for DSCP/MARK targets
> 
> rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
> zones.c |  9 +++++++-
> 2 files changed, 51 insertions(+), 26 deletions(-)
> 
> Testing
> =======
> 
> Regression testing was done to confirm the default OpenWrt firewall rules
> are unchanged before and after this patch.
> 
> Functional testing was carried out using the UCI firewall rules below. This
> set of test cases would normally yield the following incorrect iptables
> rules (from iptables-save, sorted by test):
> 
> -A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
> -A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
> -A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
> 
> After this change, the resulting iptables rules use the expected devices
> and chains:
> 
> -A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
> -A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
> -A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
> -A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
> -A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
> -A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
> 
> UCI FW Rules
> ------------
> 
> config rule
>        option enabled '1'
>        option target 'DSCP'
>        option set_dscp 'BE'
>        option proto 'udp'
>        option dest_port '1945'
>        option name 'Test-1-Zone-Any-PRE'
>        option src 'lan'
>        option dest '*'
> 
> config rule
>        option enabled '1'
>        option target 'DSCP'
>        option set_dscp 'CS1'
>        option proto 'udp'
>        option dest_port '1950'
>        option name 'Test-2-Zone-Zone-FORW'
>        option src 'lan'
>        option dest 'wan'
> 
> config rule
>        option enabled '1'
>        option target 'MARK'
>        option set_mark '0x03/0xff'
>        option proto 'tcp'
>        option dest_port '1955'
>        option name 'Test-3-Any-Zone-POST'
>        option src '*'
>        option dest 'wan'
> 
> config rule
>        option enabled '1'
>        option target 'MARK'
>        option set_mark '0x07/0xff'
>        option proto 'tcp'
>        option dest_port '1960'
>        option name 'Test-4-Any-Any-FORW'
>        option src '*'
>        option dest '*'
> 
> config rule
>        option enabled '1'
>        option target 'DSCP'
>        option set_dscp 'EF'
>        option proto 'udp'
>        option dest_port '1965'
>        option name 'Test-5-Zone-Dev-IN'
>        option src 'lan'
> 
> config rule
>        option enabled '1'
>        option target 'MARK'
>        option set_mark '0x0f/0xff'
>        option proto 'tcp'
>        option dest_port '1970'
>        option name 'Test-6-Dev-Zone-OUT'
>        option dest 'wan'
> 
> config rule
>        option enabled '1'
>        option target 'DSCP'
>        option set_dscp 'CS6'
>        option proto 'udp'
>        option dest_port '1975'
>        option name 'Test-7-Dev-Dev-OUT'
> 
> -- 
> 2.25.1
> 
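A model of the chain and device selection the cover letter above describes, added here as an example and not taken from fw3 or the patch series itself: the zone-to-device mapping, the DSCP class table and the function names are constructed assumptions, and the rule lines it reproduces are the expected iptables-save lines quoted in the testing section, including the duplicate-device case the zones.c change addresses.

```python
from typing import Dict, List, Optional

# Constructed zone -> device mapping (not fw3's real resolver). 'lan' lists
# br-lan twice to model an aliased interface resolving to the same device.
ZONE_DEVICES: Dict[str, List[str]] = {"lan": ["br-lan", "br-lan"], "wan": ["eth0"]}
# DSCP class names used by the page's set_dscp values and their codepoints.
DSCP_CLASSES = {"BE": 0x00, "CS1": 0x08, "EF": 0x2e, "CS6": 0x30}


def zone_devices(zone: str) -> List[str]:
    """Resolve a zone to its devices, dropping duplicates (the zones.c fix)."""
    return list(dict.fromkeys(ZONE_DEVICES.get(zone, [])))


def select_chain(src: Optional[str], dest: Optional[str]) -> str:
    """Mangle-table chain for a rule. None = option absent (the 'device' side
    of the rule), '*' = any zone. Derived from the expected output above."""
    if src is None:                      # no src: locally generated traffic
        return "OUTPUT"
    if dest is None:                     # no dest: traffic addressed to us
        return "INPUT"
    if src == "*":
        return "FORWARD" if dest == "*" else "POSTROUTING"
    return "PREROUTING" if dest == "*" else "FORWARD"


def render_rule(rule: Dict[str, str]) -> List[str]:
    """Expand one UCI rule into iptables-save style lines, one per device pair."""
    src, dest = rule.get("src"), rule.get("dest")
    chain = select_chain(src, dest)
    in_devs = zone_devices(src) if src not in (None, "*") else [None]
    out_devs = zone_devices(dest) if dest not in (None, "*") else [None]
    proto, lines = rule["proto"], []
    for i in in_devs:
        for o in out_devs:
            parts = ["-A", chain]
            parts += ["-i", i] if i else []   # -i only where the chain allows it
            parts += ["-o", o] if o else []   # -o only where the chain allows it
            parts += ["-p", proto, "-m", proto, "--dport", rule["dest_port"],
                      "-m", "comment", "--comment", f'"!fw3: {rule["name"]}"']
            if rule["target"] == "DSCP":
                parts += ["-j", "DSCP", "--set-dscp", f"0x{DSCP_CLASSES[rule['set_dscp']]:02x}"]
            else:                              # MARK: '0x03/0xff' renders as 0x3/0xff
                value, mask = rule["set_mark"].split("/")
                parts += ["-j", "MARK", "--set-xmark", f"{int(value, 16):#x}/{mask}"]
            lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    print(render_rule({"target": "DSCP", "set_dscp": "CS1", "proto": "udp", "dest_port": "1950",
                       "name": "Test-2-Zone-Zone-FORW", "src": "lan", "dest": "wan"})[0])
```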
