Stijn Tintel [Mon, 1 Aug 2022 09:40:14 +0000 (12:40 +0300)]
fw4: don't inherit zone family from ct helpers
It's perfectly valid to use a conntrack helper that only supports a
single address family in a zone where both IPv4 and IPv6 are used.
Restricting a zone to a certain family due to limitations of the
associated conntrack helpers may result in unexpected behaviour, which
in turn may have unintended security implications.
Don't inherit zone family from conntrack helper restrictions to avoid
this and add test coverage.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 17 Jun 2022 12:42:03 +0000 (14:42 +0200)]
fw4: add support for `option log` in rule and redirect sections
Sections of type `rule` and type `redirect` may now specify
`option log value` to enable logging matched traffic for the
corresponding rule/redirect.
The value may be either a string, in which case it is used as log prefix
verbatim or a boolean value (`1`, `on`, `true`, `yes`, `0`, `off`, `false`
or `no`).
In case a boolean false value is specified (the default), no logging is
performed. In case a true boolean value is specified, matched traffic is
logged and the rule's name (or uci section id i ncase the name is absent)
is used as log prefix.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
Jo-Philipp Wich [Fri, 17 Jun 2022 08:13:34 +0000 (10:13 +0200)]
fw4: support sets with timeout capability but without default expiry
Configure the set timeout flag explicitly and do not rely on nftables
inferring it from the defualt timeout value.
This allows treating uci `option timeout 0` specially, means enabling
the timeout capability flag on a set but do not emit a `timeout`
statement.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
Jo-Philipp Wich [Wed, 15 Jun 2022 11:52:56 +0000 (13:52 +0200)]
tests: add test coverage for firewall includes
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 13 Jun 2022 13:49:14 +0000 (15:49 +0200)]
fw4: add support for configurable includes
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 13 Jun 2022 13:48:35 +0000 (15:48 +0200)]
fw4: fix crash in parse_cthelper() if no helpers are present
Properly deal with a possibly uninitialized helper object array.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 13 Jun 2022 13:23:23 +0000 (15:23 +0200)]
fw4: simplify `is_loopback_dev()`
Use `fs.readfile()` to simplify the code reading flag values from sysfs.
Also add a mock implementation of `fs.readfile()` using the same mock
data files as `fs.open()`.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 13 Jun 2022 13:21:01 +0000 (15:21 +0200)]
fw4: fix skipping invalid IPv6 ipset entries
The current code did not account for invalid IPv6 entries yielding `null`
after subnet parsing, leading to an incorrect warning about multiple entries
and a subsequent `null` access leading to a crash.
Fix the issue by ensuring that the length check expression yields `0` on
invalid inputs.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 14 Jun 2022 14:23:50 +0000 (16:23 +0200)]
ruleset: reorder declarations & output tweaks
- Omit "Set definitions" header if no sets are declared
- Always emit ${zone}_devices and ${zone}_subnets defines, even if empty
- Move CT helper definitions to the top
- Move ${zone}_helper chain definitions after ${zone}_forward chain defs
- Consistently use two line spacing for output sections
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 14 Jun 2022 12:59:58 +0000 (14:59 +0200)]
ruleset: reuse zone-jump.uc template for notrack and helper chain jumps
Avoid some code-duplication by reusing the zone-jump.uc partial template
to emit the helper_* chain jump rules.
Also add some test coverage for notrack rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Mon, 13 Jun 2022 15:00:26 +0000 (18:00 +0300)]
ruleset: fix conntrack helpers
In nftables, helper assignments need to be performed after the conntrack
lookup has completed. Using the raw priority results in the assignment
being done before the conntrack lookup, which breaks conntrack helpers.
Fix this by moving the jumps helper rule chains to a new toplevel
`prerouting` and the existing `output` chain respectively.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
[new toplevel `prerouting` chain + reuse existing `output` chain]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Mon, 13 Jun 2022 14:13:50 +0000 (17:13 +0300)]
tests: add test for zone helpers
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Stijn Tintel [Mon, 13 Jun 2022 08:05:10 +0000 (11:05 +0300)]
fw4.uc: don't skip zone for unavailable helper
Skipping a zone because a configured helper is not available is a bigger
security risk than not setting up the helper, as a zone might have
stricter settings than the defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Stijn Tintel [Mon, 13 Jun 2022 07:57:29 +0000 (10:57 +0300)]
fw4.uc: fix zone helper assignment
Zone helpers are parsed as an array, so we need to loop over them to
check if they are available.
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Jo-Philipp Wich [Tue, 31 May 2022 18:55:36 +0000 (20:55 +0200)]
fw4: prefer /dev/stdin if available
The nftables executable treats `-` and `/dev/stdin` specially when processing
nft scripts from stdin; it will buffer the contents in order to be able to
print detailled error diagnostics. The `/proc/self/fd/0` path used by `fw4`
does not get this special treatment which will lead to nftables error
messages without any reported context.
Make the `fw4` executable prefer `/dev/stdin` in case it exists and fall back
to using `/proc/self/fd/0` as before.
Ref: https://github.com/openwrt/openwrt/issues/9927
Ref: https://git.openwrt.org/
50bc06e774f89517f98c89c76a7626f35c3ff659
Ref: https://git.netfilter.org/nftables/tree/src/libnftables.c?h=v1.0.3#n733
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 31 May 2022 07:36:20 +0000 (09:36 +0200)]
fw4: make `fw4 restart` behavior more robust
Start the firewall on `fw4 restart` even if it was not previously started.
Ref: #9935
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 30 May 2022 21:46:48 +0000 (23:46 +0200)]
ruleset: emit time ranges when both start and stop times are specified
Instead of emitting two time matches checking the start and stop time/hour
respectively, emit a range when both are given. This also properly deals
with time of day ranges where start > stop since nft will take care of
implicitly inverting those.
Also add basic test coverage for time related matches.
Fixes: #9923
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 30 May 2022 21:44:34 +0000 (23:44 +0200)]
fw4: fix datetime parsing
- Rework `parse_date()` to mirror the fw3 parsing logic which allows
omitting each part of the timestamp except the year
- Introduce `fw4.datestamp()` helper which formats the given timestamp
either as datetime or date, depending on whether time information is
present
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 30 May 2022 18:59:27 +0000 (20:59 +0200)]
ruleset: correct mangle_output chain type
Use the `route` chain type for the `mangle_output` chain since rules in
this chain influence egress packet routing.
Fixes: #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 30 May 2022 18:44:17 +0000 (20:44 +0200)]
fw4: fix logic flaw in testing hw flow offloading support
The revised logic failed to account for cases where zero offload capable
devices where resolved, in this case the capability check was not performed
at all.
Fixes: #9935
Fixes: 57984e0 ("fw4: always resolve lower flowtable devices")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 30 May 2022 17:28:12 +0000 (19:28 +0200)]
fw4: ensure that negative bitcounts are properly translated
Set bits to `-1` after converting a negative count into an inverted mask,
in order to ensure that the resulting subnet list is properly grouped
and rendered later on.
Also add some minimal test coverage for this case.
Fixes: #9764
Fixes: c22eeef ("fw4: support negative CIDR bit notation")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 30 May 2022 14:30:35 +0000 (16:30 +0200)]
fw4: fix typo in emitted set types
Fixes: #9927
Fixes: b0b8122 ("treewide: use modern syntax")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 20 May 2022 10:34:54 +0000 (12:34 +0200)]
fw4: support negative CIDR bit notation
Add support for CIDR notation with a negative bit count to be compatible
with firewall3.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 20 May 2022 10:12:38 +0000 (12:12 +0200)]
hotplug: reliably handle interfaces with ubus zone hints
So far, the firewall hotplug did not initiate a reload for interfaces which
are not covered in the firewall configuration but provide a zone hint in
their ubus data section.
Extend the hotplug script to handle this case by checking whether a zone
hint is present and if the requested zone exists in the configuration if
a direct zone lookup fails.
Fixes: #9611
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 20 May 2022 10:10:30 +0000 (12:10 +0200)]
fw4: store zone associations from ubus in statefile as well
The current implementation already stored related subnets and devices,
but not the logical interface names themselves.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 9 May 2022 13:09:50 +0000 (15:09 +0200)]
fw4: filter non hw-offload capable devices when resolving lower devices
Make sure to ignore devices not capable of hardware offloading when resolving
lower devices for the flowtable declaration.
Commit
57984e0 ("fw4: always resolve lower flowtable devices") changed the
behaviour of fw4 to always resolve lower devices, even for soft offloading
but removed some a crucial check to omit incapable devices in the hardware
offloading case, regressing previously working setups due to the inclusion
of wireless devices into the hardware offloaded table declaration.
Since we need to reintroduce ubus device status information for this change,
we can utilize the devinfo value exposed there instead or resolving it from
sysfs ourselves. Also make sure to sort the deduplicated device list to
produce a deterministic result.
Fixes: 57984e0 ("fw4: always resolve lower flowtable devices")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 9 May 2022 08:51:03 +0000 (10:51 +0200)]
fw4: always resolve lower flowtable devices
Do not restrict lower device resolving to hardware flow offloading, it is
required for software flow offloading as well.
While we're at it, also refactor and simplify the code to not require ubus
runtime state for device resolving anymore.
Fixes: #9854
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 9 May 2022 08:49:43 +0000 (10:49 +0200)]
tests: fix mocked `fd.read("line")` api
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tiago Gaspar [Wed, 4 May 2022 09:36:07 +0000 (10:36 +0100)]
config: remove restictions on DHCPv6 allow rule
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.
Fixes: #5066
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Jo-Philipp Wich [Fri, 29 Apr 2022 12:48:16 +0000 (14:48 +0200)]
fw4: refactor family selection for forwarding rules
Use the common `infer_family()` helper when parsing `forwarding` sections
to simplify the code. Also add some test coverage for the changed code.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 28 Apr 2022 19:41:13 +0000 (21:41 +0200)]
treewide: use modern syntax
- Use `||=` operator expressions instead of `expr = expr || value` patterns
- Use optional chaining instead of `foo && foo.bar && foo.bar.baz` patterns
- Use template strings instead of string concatenations or sprintf() calls
- Use `const` for global default variables
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 29 Apr 2022 12:29:39 +0000 (14:29 +0200)]
fw4: fix emitting device jump rules for family restricted zones
Ref: https://forum.openwrt.org/t/22-03-0-rc1-first-rc/126045/80
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 28 Apr 2022 09:49:47 +0000 (11:49 +0200)]
fw4: fix family auto-selection for config nat rules
- Ensure that a nat rule without any AF specifics and no explictly set
family ends up being IPv4 only
- Ensure that an IPv6 address without explicitly set family results in
an IPv6 rule
- Ensure that explicitly setting family any results in a IPv4/IPv6 rule
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 26 Apr 2022 12:27:41 +0000 (14:27 +0200)]
ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
Fixes: #9765
Ref: https://github.com/openwrt/openwrt/issues/9765
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 21 Apr 2022 19:27:28 +0000 (21:27 +0200)]
tests: add test coverage for zone family selection logic
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 21 Apr 2022 19:21:02 +0000 (21:21 +0200)]
ruleset: set auto-merge directive for interval sets
Set the auto-merge directive for interval sets to automatically merge
overlapping CIDRs such as 192.168.1.0/24, 192.168.1.1. Without that
directive, nft will fail to apply the rendered ruleset with an error.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 21 Apr 2022 19:10:26 +0000 (21:10 +0200)]
fw4: fix skipping invalid ipset entries
The current code did not account for invalid entires yielding `null` after
subnet parsing, leading to an incorrect warning about multiple entries and
a subsequent `null` access leading to a crash.
Fix the issue by ensuring that the length check expression yields `0` on
invalid inputs.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 13 Apr 2022 14:18:44 +0000 (16:18 +0200)]
fw4: fix applying zone flags for source bound rules
The rule parsing code failed to properly set the source zone flags for
rules requiring `${verdict}_from_${zone}` chains, causing those chains
to be missing, leading to errors when applying the ruleset.
Fix this issue by applying the flag to the correct property (source-
instead of destination flags).
Ref: https://github.com/openwrt/openwrt/issues/9686
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 2 Apr 2022 18:27:25 +0000 (20:27 +0200)]
fw4: fix emitting family specific redirect rules without any addrs
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 2 Apr 2022 18:06:11 +0000 (20:06 +0200)]
fw4: bracketize IPv6 addresses in dnat addr:port notation
Ref: https://github.com/openwrt/openwrt/issues/9624
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 30 Mar 2022 14:49:22 +0000 (16:49 +0200)]
fw4: ensure to capitalize weekday names
Despite what's being documented in the nftables wiki, nftables does not
actually accept lowercased or abbreviated weekday names, currently failing
with a "Error: Could not parse Day of week of packet reception" error for
expressions such as `meta day { "sunday", "wed" }`.
Work around the problem by explicitly emitting capitalized weekday names
while a more thorough nftables-side solution is being sent upstream.
Ref: https://forum.openwrt.org/t/firewall-time-restrictions-parental-controls-problems/123964
Ref: https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_time
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 22 Mar 2022 18:17:22 +0000 (19:17 +0100)]
treewide: forward compatibility changes
Adapt testsuite code and fw4 wrapper to current ucode HEAD semantics,
in particular ensure that main.uc is invoked as template since ucode now
defaults to raw mode for cli invocations.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 12 Feb 2022 19:32:38 +0000 (20:32 +0100)]
fw4: resolve zone layer 2 devices for hw flow offloading
Some interface protocols like PPPoE use a layer 3 device that is different
fro mthe layer 2 one and which cannot be resolved to a lower device through
sysfs, so additionally track related layer 2 devices and resolve those when
constructing a hardware flow offloading table.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 12 Feb 2022 19:13:06 +0000 (20:13 +0100)]
fw4: rework and fix family inheritance logic
Fix various quirks in the logic inferring the effective rule family from
referenced entities, consider subnet matches when determining family of
zones and set the zone family to the determined value in case it is
unspecified in configuration.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 12 Feb 2022 18:36:27 +0000 (19:36 +0100)]
tests: mocklib: fix infinite recursion in wrapped print()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 12 Feb 2022 12:16:24 +0000 (13:16 +0100)]
tests: change mocked wan interface type to PPPoE
Change the WAN interface type in the mock data to PPPoE. PPPoE interfaces
are special because their L3 device differs from the L2 one which becomes
important later for resolving hw offloaded flowtable devices.
Adjust the test cases accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 11 Feb 2022 16:41:00 +0000 (17:41 +0100)]
tests: mocklib: forward compatibility change
Upstream ucode will change ord()'s return value type from array to integer,
add logic to handle both old and new cases.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 10 Feb 2022 18:52:00 +0000 (19:52 +0100)]
fw4: only stage reflection rules if all required addrs are known
Do not stage reflection rules if any of the internal, external or
rewrite IP addrs cannot be determined. Also emit a warning in this
case and extend the redirect test case to cover this.
Fixes: #5067
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 10 Feb 2022 18:17:28 +0000 (19:17 +0100)]
fw4: add device iifname/oifname matches to DSCP and MARK rules
Mirror firewall3 logic and do ingress/egress device matches for MARK
and DSCP rules. Also complete support option `device` and `option direction`
to allow overriding the automatic device matches.
Fixes: #5061
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 8 Feb 2022 18:22:55 +0000 (19:22 +0100)]
tests: adjust 01_ruleset test case to latest changes
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 7 Feb 2022 22:27:37 +0000 (23:27 +0100)]
fw4: gracefully handle unsupported hardware offloading
Try to create a hardware-offloaded flowtable using `nft -c` and fall back
to software offloading in case the test command fails.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 7 Feb 2022 18:01:04 +0000 (19:01 +0100)]
init: fix boot action in init script
We need to call `start()` instead of `start_service()` from `boot()` in
order to properly register the firewall service.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 7 Feb 2022 10:08:20 +0000 (11:08 +0100)]
fw4: parse traffic rules before forwarding rules
Parse traffic rules before inter-zone-forwarding rules to ensure that
those rules end up in the correct order within the rendered ruleset.
Traffic rules must preceede zone forwarding rules, like they did in
firewall3.
Fixes: FS#4258
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 4 Feb 2022 22:44:25 +0000 (23:44 +0100)]
fw4: consolidate helper code
- Move various local helper functions out of main.uc into the fw4 class
- Rework settype reading to use nft JSON output as terse mode now works
- Simplify testing flowtable enable conditions
- Adjust testcases to changed flowtable logic
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 5 Feb 2022 23:30:41 +0000 (00:30 +0100)]
fw4: fix applying zone family restrictions to forwardings
The source or destination zone family may be `null` instead of `0`, so
loosen the condition to cover both `0` and `null` values.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 5 Feb 2022 23:29:54 +0000 (00:29 +0100)]
tests: implement fs.opendir() mock interface
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 5 Feb 2022 23:29:11 +0000 (00:29 +0100)]
tests: fix mocked fs.popen() trace log
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 4 Feb 2022 19:34:06 +0000 (20:34 +0100)]
fw4: improve flowtable handling
- Delete the flowtable while loading the rulset in case it exists already
since flowtable with offload flag canot overwrite ones without and vice
versa
- Resolve higher level devices such as 802.1q or bridge devices to lower,
offload capable ones in case hardware offloading is requested
- Revert disabling of "flow_offloading_hw" option
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 3 Feb 2022 22:35:35 +0000 (23:35 +0100)]
fw4: disable "flow_offloading_hw" option for now
Currently there does not appear to exist any kernel side nft flowtable
implementation that supports hardware flow offloading.
Attempting to upload a ruleset containing a flowtable declaration with
the hardware offloading flag set will fail with a generic EOPNOTSUPP
error.
Since there is neither a graceful recovery (e.g. continue without
hardware flow offloading) nor any possibility to probe kernel side
support from userspace, disable the facility entirely for now.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 3 Feb 2022 22:10:13 +0000 (23:10 +0100)]
fw4: fix enabling NAT reflection rules for DNATs without explicit family
Ref: https://forum.openwrt.org/t/x/119218
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 11:06:16 +0000 (12:06 +0100)]
ruleset: fix undeclared variable access uncovered by strict mode
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 10:54:19 +0000 (11:54 +0100)]
tests: run testcases in strict mode
Since /sbin/fw4 invokes ucode in strict mode, we should do the same in
test cases.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 08:51:12 +0000 (09:51 +0100)]
ruleset: remove redundant syn check
The syn_flood chain entry is guarded by a TCP flags check in the calling
chain, so the syn_flood chain doesn't need to check packet flags again,
it only needs to count and potentially drop.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 08:44:33 +0000 (09:44 +0100)]
fw4: add RFC-8622 'Least Effort' (LE) DSCP mark
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 22:11:11 +0000 (23:11 +0100)]
tests: add test coverage for redirect rules
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 15:23:23 +0000 (16:23 +0100)]
fw4: fix address selection logic for DNAT reflection rules
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 18:35:14 +0000 (19:35 +0100)]
fw4: fix redirect destination zone resolving
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 18:34:19 +0000 (19:34 +0100)]
fw4: fix potential crashes when parsing invalid redirect sections
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 11:05:39 +0000 (12:05 +0100)]
ruleset: support non-contiguous address masks
Support non-contiguous address masks (such as `::1234/::ffff`) for zone
subnet and rule src_ip / dest_ip options and translate them into appropriate
bitwise & expressions internally.
Add appropriate logic to calculate permutations of inverted, non-inverted,
contiguous and non-contiguous address matches since bitwise calculation
expressions can not appear within sets which means that any non-inverted,
non-contiguous mask addresses must be put into separate rules while the
remaining addresses (if any) may be grouped into a common set.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 14:55:38 +0000 (15:55 +0100)]
tests: update interface dump mock data
Reorder and extend ubus interface dump mock. Ensure that the lan interface
has two IPv4 and IPv6 addresses each to cover address selection logic in
various fw4 parts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 12:44:33 +0000 (13:44 +0100)]
fw4: fix family selection logic for redirect rules
Only assume IPv4 family if the family is unspecified and src, dest or
rewrite addresses do not indicate otherwise.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 12:43:36 +0000 (13:43 +0100)]
ruleset: properly render redirect targets without port
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 22:41:43 +0000 (23:41 +0100)]
fw4: consolidate device grouping logic
Simplify the code for grouping devices into wildcard and non-wildcard
buckets and remove some redundancies along the way.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 22:09:01 +0000 (23:09 +0100)]
ruleset: consolidate zone matches for raw_prerouting and raw_output chains
Instead of duplicating the zone match rule expressions, reuse the
`zone-match.uc` template emit the correct match expressions.
This simplifies the code somewhat and ensures that wildcard interfaces
are also properly handled for notrack/helper rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 11:00:21 +0000 (12:00 +0100)]
fw4: fix wrong `parse_network()` return value on `parse_subnet()` failure
Ref: https://forum.openwrt.org/t/x/118427
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 10:13:44 +0000 (11:13 +0100)]
fw4: fix parsing inverted numeric DSCP values
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 10:00:44 +0000 (11:00 +0100)]
ruleset: emit AF specific rules for DSCP matches
Since nftables `dscp` matches are IP family specific we must emit
separate IPv4 and IPv6 rules in case DSCP matches are present.
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4240
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 10:01:55 +0000 (11:01 +0100)]
fw4: fix family comparisons
The address family of an object might be either `0` or `null` so loosen
the checks to accomodate both.
Ref: https://github.com/jow-/ucode/commit/
aa860a35252b4833a188f8b2f9c6a7d68963767d
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 25 Jan 2022 22:12:20 +0000 (23:12 +0100)]
ruleset: properly deal with wildcards in zone device selectors
Translate iptables style wildcards (`name+`) to nftables ones (`name*`)
and ensure that such wildcards are not used as anonymous set items but
that they're tested by separate expressions.
Also move redundant zone device/subnet selection expressions into a common
template and include it where applicable.
Finally add a new testcase which covers various device name wildcard corner-
cases and rule permutation requirements.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 22 Jan 2022 19:36:29 +0000 (20:36 +0100)]
ruleset: fix chain selection for mark and dscp targets
Align the chain selection logic for mark and dscp targets with the one
implemented in firewall3 with commit https://git.openwrt.org/
61db17e
Also add corresponding testcases to assert the correct selection logic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 22 Jan 2022 18:16:19 +0000 (19:16 +0100)]
fw4.uc: handle zone masq6 option
The ruleset template and internal adress selection logc has been prepared
for IPv6 masquerading already but the toplevel option was not exposed
until now.
Also add some initial testcases for zone configuration while we're at it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 17:52:40 +0000 (19:52 +0200)]
fw4.uc: handle interface zone option
With firewall3 it is possible to specify the firewall zone in interface
sections in /etc/config/network. Handle this in firewall4 as well.
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 12:56:16 +0000 (14:56 +0200)]
tests: add test for unknown rule option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 12:54:36 +0000 (14:54 +0200)]
tests: add test for deprecated rule option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 12:45:49 +0000 (14:45 +0200)]
tests: add test for unknown defaults option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 08:50:14 +0000 (10:50 +0200)]
tests: enable flow offloading in tests
As flow offloading is a popular feature, it makes sense to cover it in
the tests. This would have caught the issue fixed in
b68cf6701945
("main.uc: fix device gathering").
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 08:45:50 +0000 (10:45 +0200)]
ruleset.uc: don't trim newline before comment sign
When flow offloading is enabled, the comment block is inserted in the
ruleset like this:
table inet fw4 { #
# Flowtable
#
This is due to the trimming of newlines which was done to avoid having
to modify all the test files. A better solution is to just add an extra
newline in the template.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 08:24:54 +0000 (10:24 +0200)]
ruleset.uc: consolidate ip and ip6 offload
Remove the space before the comma while at it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 14:27:37 +0000 (16:27 +0200)]
main.uc: fix device gathering
While reworking the render_ruleset function to address review comments,
the devices variable should have been changed to an array. Fix that.
Fixes: 85b74f35e4a7 ("treewide: support flow offloading")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Stijn Tintel [Sat, 6 Nov 2021 00:29:37 +0000 (02:29 +0200)]
fw4.uc: allow use of cidr in ipsets
Sets of type ipv4_addr or ipv6_addr support entries in CIDR notation.
However, the parse_ipsetentry ignores them. Fix this by using
parse_subnet instead of iptoarr.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 09:52:02 +0000 (11:52 +0200)]
fw4.uc: don't fail on unknown options
Warn the user when a section contains invalid options, but do not stop
processing the section, like firewall3.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 25 Nov 2021 04:15:15 +0000 (06:15 +0200)]
fw4.uc: add _name as deprecated option
Add _name as deprecated option for rules and redirects, as this might
have been added by LuCI at some point.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 25 Nov 2021 04:01:51 +0000 (06:01 +0200)]
fw4.uc: introduce DEPRECATED flag
When a section contains unknown options, the parse_options function will
return false, and based on that the entire section might be skipped.
For example, rules containing a _name option will be skipped. As this
option used to be added by LuCI in the past, we should not skip those
rules, as it might break existing configs for many users.
Add a new DEPRECATED flag to handle such options.
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 25 Nov 2021 03:41:16 +0000 (05:41 +0200)]
fw4.uc: do not skip defaults with invalid option
Skipping a defaults section because it contains invalid options can be a
security risk. If the user configures a default policy to DROP or
REJECT, this should always be applied. The user is warned about the
invalid option anyway.
This makes firewall4 behave like firewall3 with regards to defaults.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Sat, 6 Nov 2021 01:21:33 +0000 (03:21 +0200)]
treewide: support set timeout
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 14 Oct 2021 18:50:41 +0000 (20:50 +0200)]
treewide: support hardware flow offloading
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 14 Oct 2021 18:42:46 +0000 (20:42 +0200)]
treewide: support flow offloading
Flow offloading doesn't work if the devices aren't specified. Pass
interfaces used by enabled firewall zones to the ruleset renderer.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 11:12:37 +0000 (13:12 +0200)]
fw4.uc: filter duplicates in fw4.set
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 09:00:52 +0000 (11:00 +0200)]
treewide: move executables to /sbin
In firewall3, the fw3 executable is installed in /sbin. As
luci-app-firewall looks for the fw3 executable in /sbin, the firewall
menu is hidden when firewall4 is installed. Move both executables to
/sbin so the firewall app will show when firewall4 is installed.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Thomas Weißschuh [Sun, 24 Oct 2021 08:59:57 +0000 (10:59 +0200)]
fw4.uc: Do not quote port ranges
This fixes the translation of rules like the following:
config rule
...
option dest_port '67:68'
Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>