Jo-Philipp Wich [Mon, 7 Feb 2022 18:01:04 +0000 (19:01 +0100)]
init: fix boot action in init script
We need to call `start()` instead of `start_service()` from `boot()` in
order to properly register the firewall service.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 7 Feb 2022 10:08:20 +0000 (11:08 +0100)]
fw4: parse traffic rules before forwarding rules
Parse traffic rules before inter-zone-forwarding rules to ensure that
those rules end up in the correct order within the rendered ruleset.
Traffic rules must precede zone forwarding rules, like they did in
firewall3.
Fixes: FS#4258
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 4 Feb 2022 22:44:25 +0000 (23:44 +0100)]
fw4: consolidate helper code
- Move various local helper functions out of main.uc into the fw4 class
- Rework settype reading to use nft JSON output as terse mode now works
- Simplify testing flowtable enable conditions
- Adjust testcases to changed flowtable logic
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 5 Feb 2022 23:30:41 +0000 (00:30 +0100)]
fw4: fix applying zone family restrictions to forwardings
The source or destination zone family may be `null` instead of `0`, so
loosen the condition to cover both `0` and `null` values.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 5 Feb 2022 23:29:54 +0000 (00:29 +0100)]
tests: implement fs.opendir() mock interface
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 5 Feb 2022 23:29:11 +0000 (00:29 +0100)]
tests: fix mocked fs.popen() trace log
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 4 Feb 2022 19:34:06 +0000 (20:34 +0100)]
fw4: improve flowtable handling
- Delete the flowtable while loading the ruleset in case it exists already
since a flowtable with the offload flag cannot overwrite one without and vice
versa
- Resolve higher level devices such as 802.1q or bridge devices to lower,
offload capable ones in case hardware offloading is requested
- Revert disabling of "flow_offloading_hw" option
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
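The device resolution and the delete-before-declare step described in the "improve flowtable handling" commit above (and the zone-device gathering from the older "treewide: support flow offloading" commit further down), as an added Python example. This is not fw4's ucode and not its real data model: the TOPOLOGY map stands in for what fw4 obtains from netifd via ubus, the function names are invented, and the rendered nft text follows the documented `flowtable` syntax rather than fw4's template verbatim.

```python
# Constructed device topology for this example only. On a real OpenWrt system
# fw4 learns bridge members and VLAN parents from netifd; here they are hard-coded.
TOPOLOGY = {
    "br-lan":  {"type": "bridge",   "lower": ["lan1", "lan2", "eth0.10"]},
    "eth0.10": {"type": "8021q",    "lower": ["eth0"]},
    "wan":     {"type": "8021q",    "lower": ["eth1"]},
    "lan1":    {"type": "ethernet"},
    "lan2":    {"type": "ethernet"},
    "eth0":    {"type": "ethernet"},
    "eth1":    {"type": "ethernet"},
}


def resolve_lower_devices(name, topology, seen=None):
    """Recursively map a bridge or 802.1q device to the physical devices
    underneath it; hardware flow offload only works on those lower devices.
    Devices without a 'lower' entry (or unknown to the map) are returned as-is."""
    seen = set() if seen is None else seen
    if name in seen:                      # guard against a malformed, cyclic map
        return []
    seen.add(name)
    entry = topology.get(name)
    if not entry or not entry.get("lower"):
        return [name]
    out = []
    for lower in entry["lower"]:
        out += resolve_lower_devices(lower, topology, seen)
    return out


def flowtable_devices(zone_devices, topology, hw_offload):
    """Devices to list in the flowtable: the zone devices themselves for software
    offload, their resolved lower devices when hardware offload is requested.
    Order is preserved and duplicates are dropped."""
    names = []
    for dev in zone_devices:
        for d in (resolve_lower_devices(dev, topology) if hw_offload else [dev]):
            if d not in names:
                names.append(d)
    return names


def render_flowtable(devices, hw_offload, exists, table="inet fw4", name="ft"):
    """Render the nft statements. If a flowtable of that name already exists it
    is deleted first: one declared with 'flags offload' cannot replace one
    declared without, and vice versa, so a plain re-declaration would fail."""
    lines = []
    if exists:
        lines.append(f"delete flowtable {table} {name}")
    lines.append(f"table {table} {{")
    lines.append(f"\tflowtable {name} {{")
    lines.append("\t\thook ingress priority 0;")
    lines.append(f"\t\tdevices = {{ {', '.join(devices)} }};")
    if hw_offload:
        lines.append("\t\tflags offload;")
    lines.append("\t}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    devs = flowtable_devices(["br-lan", "wan"], TOPOLOGY, hw_offload=True)
    print(render_flowtable(devs, hw_offload=True, exists=True))
```

Whether the flowtable already exists is something fw4 has to determine before loading the ruleset (for instance from `nft list flowtables`); the example takes that as a boolean argument rather than probing the kernel.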
Jo-Philipp Wich [Thu, 3 Feb 2022 22:35:35 +0000 (23:35 +0100)]
fw4: disable "flow_offloading_hw" option for now
Currently there does not appear to exist any kernel side nft flowtable
implementation that supports hardware flow offloading.
Attempting to upload a ruleset containing a flowtable declaration with
the hardware offloading flag set will fail with a generic EOPNOTSUPP
error.
Since there is neither a graceful recovery (e.g. continue without
hardware flow offloading) nor any possibility to probe kernel side
support from userspace, disable the facility entirely for now.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 3 Feb 2022 22:10:13 +0000 (23:10 +0100)]
fw4: fix enabling NAT reflection rules for DNATs without explicit family
Ref: https://forum.openwrt.org/t/x/119218
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 11:06:16 +0000 (12:06 +0100)]
ruleset: fix undeclared variable access uncovered by strict mode
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 10:54:19 +0000 (11:54 +0100)]
tests: run testcases in strict mode
Since /sbin/fw4 invokes ucode in strict mode, we should do the same in
test cases.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 08:51:12 +0000 (09:51 +0100)]
ruleset: remove redundant syn check
The syn_flood chain entry is guarded by a TCP flags check in the calling
chain, so the syn_flood chain doesn't need to check packet flags again,
it only needs to count and potentially drop.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jan 2022 08:44:33 +0000 (09:44 +0100)]
fw4: add RFC-8622 'Least Effort' (LE) DSCP mark
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 22:11:11 +0000 (23:11 +0100)]
tests: add test coverage for redirect rules
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 15:23:23 +0000 (16:23 +0100)]
fw4: fix address selection logic for DNAT reflection rules
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 18:35:14 +0000 (19:35 +0100)]
fw4: fix redirect destination zone resolving
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 18:34:19 +0000 (19:34 +0100)]
fw4: fix potential crashes when parsing invalid redirect sections
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 11:05:39 +0000 (12:05 +0100)]
ruleset: support non-contiguous address masks
Support non-contiguous address masks (such as `::1234/::ffff`) for zone
subnet and rule src_ip / dest_ip options and translate them into appropriate
bitwise & expressions internally.
Add appropriate logic to calculate permutations of inverted, non-inverted,
contiguous and non-contiguous address matches since bitwise calculation
expressions can not appear within sets which means that any non-inverted,
non-contiguous mask addresses must be put into separate rules while the
remaining addresses (if any) may be grouped into a common set.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 14:55:38 +0000 (15:55 +0100)]
tests: update interface dump mock data
Reorder and extend ubus interface dump mock. Ensure that the lan interface
has two IPv4 and IPv6 addresses each to cover address selection logic in
various fw4 parts.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 12:44:33 +0000 (13:44 +0100)]
fw4: fix family selection logic for redirect rules
Only assume IPv4 family if the family is unspecified and src, dest or
rewrite addresses do not indicate otherwise.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 27 Jan 2022 12:43:36 +0000 (13:43 +0100)]
ruleset: properly render redirect targets without port
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 22:41:43 +0000 (23:41 +0100)]
fw4: consolidate device grouping logic
Simplify the code for grouping devices into wildcard and non-wildcard
buckets and remove some redundancies along the way.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 22:09:01 +0000 (23:09 +0100)]
ruleset: consolidate zone matches for raw_prerouting and raw_output chains
Instead of duplicating the zone match rule expressions, reuse the
`zone-match.uc` template to emit the correct match expressions.
This simplifies the code somewhat and ensures that wildcard interfaces
are also properly handled for notrack/helper rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 11:00:21 +0000 (12:00 +0100)]
fw4: fix wrong `parse_network()` return value on `parse_subnet()` failure
Ref: https://forum.openwrt.org/t/x/118427
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 10:13:44 +0000 (11:13 +0100)]
fw4: fix parsing inverted numeric DSCP values
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 10:00:44 +0000 (11:00 +0100)]
ruleset: emit AF specific rules for DSCP matches
Since nftables `dscp` matches are IP family specific we must emit
separate IPv4 and IPv6 rules in case DSCP matches are present.
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4240
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Jan 2022 10:01:55 +0000 (11:01 +0100)]
fw4: fix family comparisons
The address family of an object might be either `0` or `null` so loosen
the checks to accommodate both.
Ref: https://github.com/jow-/ucode/commit/aa860a35252b4833a188f8b2f9c6a7d68963767d
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 25 Jan 2022 22:12:20 +0000 (23:12 +0100)]
ruleset: properly deal with wildcards in zone device selectors
Translate iptables style wildcards (`name+`) to nftables ones (`name*`)
and ensure that such wildcards are not used as anonymous set items but
that they're tested by separate expressions.
Also move redundant zone device/subnet selection expressions into a common
template and include it where applicable.
Finally add a new testcase which covers various device name wildcard corner-
cases and rule permutation requirements.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
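The rule permutation logic from the "support non-contiguous address masks" commit further down and the wildcard handling from the "properly deal with wildcards in zone device selectors" commit just above, reimplemented together as an added Python example (fw4 itself is written in ucode; none of this is the project's code). Both commits make the same point: an nftables anonymous set can only hold plain elements, so a `& mask == addr` bitwise match or a `name*` wildcard has to be tested by a separate expression, and non-inverted ones need a rule each. Assumptions: how negated entries combine (they are appended to every rendered rule, since all of them must hold) is my reading of the commit text, and the function names are invented.

```python
import ipaddress


def parse_subnet(spec):
    """Parse 'addr', 'addr/prefixlen' or 'addr/mask', optionally prefixed with
    '!' for negation. Returns (address, mask_int, bits, inverted)."""
    inverted = spec.startswith("!")
    addr, _, mask = spec.lstrip("!").partition("/")
    ip = ipaddress.ip_address(addr)
    bits = ip.max_prefixlen
    full = (1 << bits) - 1
    if mask == "":
        mask_int = full
    elif mask.isdigit():
        if int(mask) > bits:
            raise ValueError(f"prefix length out of range in {spec!r}")
        mask_int = full ^ (full >> int(mask))
    else:
        mask_ip = ipaddress.ip_address(mask)
        if mask_ip.version != ip.version:
            raise ValueError(f"mask family mismatch in {spec!r}")
        mask_int = int(mask_ip)
    return ip, mask_int, bits, inverted


def is_contiguous(mask, bits):
    """True when the mask is a run of ones followed by zeros, i.e. a plain CIDR
    prefix that nft can express as 'addr/len' inside a set."""
    zeros = mask ^ ((1 << bits) - 1)
    return zeros & (zeros + 1) == 0


def _fmt_set(items):
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"


def _permute(lhs, set_items, single_items, neg_set_items, neg_single_items):
    """Turn classified matches into rule fragments. Negated terms must all hold,
    so they are appended to every fragment; each positive term that cannot live
    in an anonymous set (bitwise mask, wildcard) becomes its own fragment."""
    shared = []
    if neg_set_items:
        shared.append(f"{lhs} != {_fmt_set(neg_set_items)}")
    shared += [f"{lhs} {term}" for term in neg_single_items]
    alternatives = []
    if set_items:
        alternatives.append(f"{lhs} {_fmt_set(set_items)}")
    alternatives += [f"{lhs} {term}" for term in single_items]
    if not alternatives:
        return [" ".join(shared)] if shared else []
    return [" ".join([alt] + shared) for alt in alternatives]


def render_address_rules(field, specs):
    """Render the src_ip/dest_ip part of nft rules (field: 'saddr' or 'daddr').
    Returns a list of fragments; the packet matches if any one of them matches."""
    if not specs:
        return []
    set_items, singles, neg_set, neg_singles = [], [], [], []
    versions = set()
    for spec in specs:
        ip, mask, bits, inverted = parse_subnet(spec)
        versions.add(ip.version)
        base = type(ip)(int(ip) & mask)          # address with host bits cleared
        if is_contiguous(mask, bits):
            plen = bin(mask).count("1")
            item = str(base) if plen == bits else f"{base}/{plen}"
            (neg_set if inverted else set_items).append(item)
        else:
            term = f"& {type(ip)(mask)} {'!=' if inverted else '=='} {base}"
            (neg_singles if inverted else singles).append(term)
    if len(versions) != 1:
        raise ValueError("one address family per rule; fw4 emits ip/ip6 rules separately")
    proto = "ip" if versions.pop() == 4 else "ip6"
    return _permute(f"{proto} {field}", set_items, singles, neg_set, neg_singles)


def render_device_rules(field, devices):
    """Render device matches (field: 'iifname' or 'oifname'). iptables-style
    'name+' wildcards become nft 'name*' and are never placed in a set."""
    set_items, singles, neg_set, neg_singles = [], [], [], []
    for dev in devices:
        inverted = dev.startswith("!")
        name = dev.lstrip("!")
        if name.endswith("+"):
            name = name[:-1] + "*"
        quoted = f'"{name}"'
        if name.endswith("*"):
            (neg_singles if inverted else singles).append(
                f"!= {quoted}" if inverted else quoted)
        else:
            (neg_set if inverted else set_items).append(quoted)
    return _permute(field, set_items, singles, neg_set, neg_singles)
```

With `["10.0.0.0/8", "10.1.2.3/255.0.255.255"]` the first entry goes into a set and the second, whose mask is not a prefix, becomes a second rule `ip saddr & 255.0.255.255 == 10.0.2.3`; the host bits outside the mask are cleared first, otherwise the comparison could never succeed.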
Jo-Philipp Wich [Sat, 22 Jan 2022 19:36:29 +0000 (20:36 +0100)]
ruleset: fix chain selection for mark and dscp targets
Align the chain selection logic for mark and dscp targets with the one
implemented in firewall3 with commit https://git.openwrt.org/61db17e
Also add corresponding testcases to assert the correct selection logic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Sat, 22 Jan 2022 18:16:19 +0000 (19:16 +0100)]
fw4.uc: handle zone masq6 option
The ruleset template and internal address selection logic has been prepared
for IPv6 masquerading already but the toplevel option was not exposed
until now.
Also add some initial testcases for zone configuration while we're at it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 17:52:40 +0000 (19:52 +0200)]
fw4.uc: handle interface zone option
With firewall3 it is possible to specify the firewall zone in interface
sections in /etc/config/network. Handle this in firewall4 as well.
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 12:56:16 +0000 (14:56 +0200)]
tests: add test for unknown rule option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 12:54:36 +0000 (14:54 +0200)]
tests: add test for deprecated rule option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 12:45:49 +0000 (14:45 +0200)]
tests: add test for unknown defaults option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 08:50:14 +0000 (10:50 +0200)]
tests: enable flow offloading in tests
As flow offloading is a popular feature, it makes sense to cover it in
the tests. This would have caught the issue fixed in b68cf6701945
("main.uc: fix device gathering").
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 08:45:50 +0000 (10:45 +0200)]
ruleset.uc: don't trim newline before comment sign
When flow offloading is enabled, the comment block is inserted in the
ruleset like this:
table inet fw4 { #
# Flowtable
#
This is due to the trimming of newlines which was done to avoid having
to modify all the test files. A better solution is to just add an extra
newline in the template.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Fri, 7 Jan 2022 08:24:54 +0000 (10:24 +0200)]
ruleset.uc: consolidate ip and ip6 offload
Remove the space before the comma while at it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 14:27:37 +0000 (16:27 +0200)]
main.uc: fix device gathering
While reworking the render_ruleset function to address review comments,
the devices variable should have been changed to an array. Fix that.
Fixes: 85b74f35e4a7 ("treewide: support flow offloading")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Stijn Tintel [Sat, 6 Nov 2021 00:29:37 +0000 (02:29 +0200)]
fw4.uc: allow use of cidr in ipsets
Sets of type ipv4_addr or ipv6_addr support entries in CIDR notation.
However, the parse_ipsetentry ignores them. Fix this by using
parse_subnet instead of iptoarr.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 09:52:02 +0000 (11:52 +0200)]
fw4.uc: don't fail on unknown options
Warn the user when a section contains invalid options, but do not stop
processing the section, like firewall3.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 25 Nov 2021 04:15:15 +0000 (06:15 +0200)]
fw4.uc: add _name as deprecated option
Add _name as deprecated option for rules and redirects, as this might
have been added by LuCI at some point.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 25 Nov 2021 04:01:51 +0000 (06:01 +0200)]
fw4.uc: introduce DEPRECATED flag
When a section contains unknown options, the parse_options function will
return false, and based on that the entire section might be skipped.
For example, rules containing a _name option will be skipped. As this
option used to be added by LuCI in the past, we should not skip those
rules, as it might break existing configs for many users.
Add a new DEPRECATED flag to handle such options.
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 25 Nov 2021 03:41:16 +0000 (05:41 +0200)]
fw4.uc: do not skip defaults with invalid option
Skipping a defaults section because it contains invalid options can be a
security risk. If the user configures a default policy to DROP or
REJECT, this should always be applied. The user is warned about the
invalid option anyway.
This makes firewall4 behave like firewall3 with regards to defaults.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
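The option-handling behaviour described in the three commits above ("don't fail on unknown options", "introduce DEPRECATED flag", "do not skip defaults with invalid option"), as an added Python example. It is not fw4's ucode: the option tables, the flag value, the warning wording and the fallback policies are constructed for this example, and the function names are invented. What it demonstrates is the fail-closed point of the last commit: a stray option in the defaults section produces a warning, but the configured DROP/REJECT policy is still applied.

```python
DEPRECATED = 1 << 0   # assumed flag value; only the flag's name appears on this page

POLICIES = ("ACCEPT", "DROP", "REJECT")


def parse_policy(value):
    value = str(value).upper()
    if value not in POLICIES:
        raise ValueError(f"invalid policy {value!r}")
    return value


def parse_bool(value):
    # UCI-style booleans; "0" must parse as False rather than count as unset
    text = str(value).strip().lower()
    if text in ("1", "yes", "true", "on"):
        return True
    if text in ("0", "no", "false", "off"):
        return False
    raise ValueError(f"invalid boolean {value!r}")


def parse_string(value):
    return str(value)


# Constructed option tables for this example: name -> (parser, flags).
# Not fw4's real option tables.
DEFAULTS_SPEC = {
    "input":     (parse_policy, 0),
    "output":    (parse_policy, 0),
    "forward":   (parse_policy, 0),
    "syn_flood": (parse_bool, 0),
}
RULE_SPEC = {
    "name":      (parse_string, 0),
    "dest_port": (parse_string, 0),
    "target":    (parse_policy, 0),
    "_name":     (parse_string, DEPRECATED),   # once written by LuCI; accepted with a warning
}


def parse_options(section, spec, warnings):
    """Validate a UCI section against `spec`. Unknown options and invalid values
    are reported through `warnings` and skipped, but never abort the section;
    deprecated options are reported and still parsed. Returns the parsed values."""
    values = {}
    for key, raw in section.items():
        if key.startswith("."):               # UCI metadata such as .type / .name
            continue
        if key not in spec:
            warnings.append(f"Option '{key}' is unknown, ignoring")
            continue
        parser, flags = spec[key]
        if flags & DEPRECATED:
            warnings.append(f"Option '{key}' is deprecated")
        try:
            values[key] = parser(raw)
        except ValueError:
            warnings.append(f"Option '{key}' specifies invalid value '{raw}', ignoring")
    return values


def parse_defaults(section, warnings):
    """Fail closed: whatever else is wrong in the section (or if it is missing
    entirely), a configured DROP/REJECT policy is applied. The DROP fallback
    for unset policies is a choice made for this example."""
    values = parse_options(section or {}, DEFAULTS_SPEC, warnings)
    return {
        "input":     values.get("input", "DROP"),
        "output":    values.get("output", "DROP"),
        "forward":   values.get("forward", "DROP"),
        "syn_flood": values.get("syn_flood", False),
    }


def parse_rule(section, warnings):
    """A rule is only dropped when it is unusable (no valid target), never
    because it carries an unknown or deprecated option."""
    values = parse_options(section, RULE_SPEC, warnings)
    if "target" not in values:
        warnings.append(f"Rule '{section.get('name', '?')}' has no valid target, skipping")
        return None
    return values
```

The contrast with the older behaviour is in `parse_defaults`: returning early on the first unknown option would silently leave the chains at whatever policy the ruleset template falls back to, which for a section the user explicitly set to DROP is a fail-open outcome.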
Stijn Tintel [Sat, 6 Nov 2021 01:21:33 +0000 (03:21 +0200)]
treewide: support set timeout
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 14 Oct 2021 18:50:41 +0000 (20:50 +0200)]
treewide: support hardware flow offloading
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 14 Oct 2021 18:42:46 +0000 (20:42 +0200)]
treewide: support flow offloading
Flow offloading doesn't work if the devices aren't specified. Pass
interfaces used by enabled firewall zones to the ruleset renderer.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 11:12:37 +0000 (13:12 +0200)]
fw4.uc: filter duplicates in fw4.set
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Thu, 6 Jan 2022 09:00:52 +0000 (11:00 +0200)]
treewide: move executables to /sbin
In firewall3, the fw3 executable is installed in /sbin. As
luci-app-firewall looks for the fw3 executable in /sbin, the firewall
menu is hidden when firewall4 is installed. Move both executables to
/sbin so the firewall app will show when firewall4 is installed.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Thomas Weißschuh [Sun, 24 Oct 2021 08:59:57 +0000 (10:59 +0200)]
fw4.uc: Do not quote port ranges
This fixes the translation of rules like the following:
config rule
...
option dest_port '67:68'
Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
Thomas Weißschuh [Sun, 24 Oct 2021 08:59:56 +0000 (10:59 +0200)]
tests: adapt test to new ICMP print logic
Fixes: 35f5120afcf158e445062fdb5072684ed24d91d0
Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
Jo-Philipp Wich [Sun, 17 Oct 2021 09:16:27 +0000 (11:16 +0200)]
rule.uc: always format ICMP type/code list as set
Ensure that the concatenated type . code list values are always formatted
as anonymous set, even if the list just contains one item. Fixes the
following nftables error when parsing such a rule:
Error: Use concatenations with sets and maps, not singleton values
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 1 Sep 2021 13:31:22 +0000 (15:31 +0200)]
treewide: convert deprecated syntax
- `local` has been deprecated in favor of `let`
- `delete(obj, "prop")` has been deprecated in favor of `delete obj.prop`
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 1 Sep 2021 13:27:21 +0000 (15:27 +0200)]
tests: adapt to latest ucode
- Environment must be set before preloading and executing modules
- Caching of fs module must be inhibited
- Mocklib class object should be returned
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 31 Mar 2021 20:09:01 +0000 (22:09 +0200)]
tests: expand testing
- Rewrite test framework
- Add initial rule test coverage
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 31 Mar 2021 19:55:08 +0000 (21:55 +0200)]
fw4.uc: fix family test functions
Rewrite the family test functions as arrow functions since ucode HEAD does
not implicitly return the last function value expression as result anymore
for ordinary functions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 31 Mar 2021 19:05:56 +0000 (21:05 +0200)]
fw4.uc: fix parsing boolean "0" values
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 31 Mar 2021 19:05:11 +0000 (21:05 +0200)]
rule.uc: fix redundant whitespace in rules without target
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 31 Mar 2021 17:45:46 +0000 (19:45 +0200)]
ruleset.uc: reduce empty lines in output
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 31 Mar 2021 17:45:22 +0000 (19:45 +0200)]
fw4.uc: gracefully handle missing defaults section
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 30 Mar 2021 13:10:00 +0000 (15:10 +0200)]
treewide: remove ucode module preloading
Instead of preloading ucode modules via the cmdline, require the modules
as needed. This simplifies test case construction since mock modules
can be injected by modifying the search path.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 29 Mar 2021 12:06:01 +0000 (14:06 +0200)]
fw4.uc: remove upvalue caching
Now that ucode HEAD inherits the global scope in include() by default, we
do not need to cache our used functions anymore.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 19 Mar 2021 18:26:04 +0000 (19:26 +0100)]
Initial commit
Signed-off-by: Jo-Philipp Wich <jo@mein.io>