project/firewall4.git
2 years agofw4: fix enabling NAT reflection rules for DNATs without explicit family
Jo-Philipp Wich [Thu, 3 Feb 2022 22:10:13 +0000 (23:10 +0100)]
fw4: fix enabling NAT reflection rules for DNATs without explicit family

Ref: https://forum.openwrt.org/t/x/119218
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: fix undeclared variable access uncovered by strict mode
Jo-Philipp Wich [Fri, 28 Jan 2022 11:06:16 +0000 (12:06 +0100)]
ruleset: fix undeclared variable access uncovered by strict mode

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agotests: run testcases in strict mode
Jo-Philipp Wich [Fri, 28 Jan 2022 10:54:19 +0000 (11:54 +0100)]
tests: run testcases in strict mode

Since /sbin/fw4 invokes ucode in strict mode, we should do the same in
test cases.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: remove redundant syn check
Jo-Philipp Wich [Fri, 28 Jan 2022 08:51:12 +0000 (09:51 +0100)]
ruleset: remove redundant syn check

The syn_flood chain entry is guarded by a TCP flags check in the calling
chain, so the syn_flood chain doesn't need to check packet flags again,
it only needs to count and potentially drop.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: add RFC-8622 'Least Effort' (LE) DSCP mark
Jo-Philipp Wich [Fri, 28 Jan 2022 08:44:33 +0000 (09:44 +0100)]
fw4: add RFC-8622 'Least Effort' (LE) DSCP mark

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agotests: add test coverage for redirect rules
Jo-Philipp Wich [Thu, 27 Jan 2022 22:11:11 +0000 (23:11 +0100)]
tests: add test coverage for redirect rules

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: fix address selection logic for DNAT reflection rules
Jo-Philipp Wich [Thu, 27 Jan 2022 15:23:23 +0000 (16:23 +0100)]
fw4: fix address selection logic for DNAT reflection rules

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: fix redirect destination zone resolving
Jo-Philipp Wich [Thu, 27 Jan 2022 18:35:14 +0000 (19:35 +0100)]
fw4: fix redirect destination zone resolving

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: fix potential crashes when parsing invalid redirect sections
Jo-Philipp Wich [Thu, 27 Jan 2022 18:34:19 +0000 (19:34 +0100)]
fw4: fix potential crashes when parsing invalid redirect sections

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: support non-contiguous address masks
Jo-Philipp Wich [Wed, 26 Jan 2022 11:05:39 +0000 (12:05 +0100)]
ruleset: support non-contiguous address masks

Support non-contiguous address masks (such as `::1234/::ffff`) for zone
subnet and rule src_ip / dest_ip options and translate them into appropriate
bitwise & expressions internally.

Add appropriate logic to calculate permutations of inverted, non-inverted,
contiguous and non-contiguous address matches since bitwise calculation
expressions can not appear within sets which means that any non-inverted,
non-contiguous mask addresses must be put into separate rules while the
remaining addresses (if any) may be grouped into a common set.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agotests: update interface dump mock data
Jo-Philipp Wich [Thu, 27 Jan 2022 14:55:38 +0000 (15:55 +0100)]
tests: update interface dump mock data

Reorder and extend ubus interface dump mock. Ensure that the lan interface
has two IPv4 and IPv6 addresses each to cover address selection logic in
various fw4 parts.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: fix family selection logic for redirect rules
Jo-Philipp Wich [Thu, 27 Jan 2022 12:44:33 +0000 (13:44 +0100)]
fw4: fix family selection logic for redirect rules

Only assume IPv4 family if the family is unspecified and src, dest or
rewrite addresses do not indicate otherwise.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: properly render redirect targets without port
Jo-Philipp Wich [Thu, 27 Jan 2022 12:43:36 +0000 (13:43 +0100)]
ruleset: properly render redirect targets without port

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: consolidate device grouping logic
Jo-Philipp Wich [Wed, 26 Jan 2022 22:41:43 +0000 (23:41 +0100)]
fw4: consolidate device grouping logic

Simplify the code for grouping devices into wildcard and non-wildcard
buckets and remove some redundancies along the way.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: consolidate zone matches for raw_prerouting and raw_output chains
Jo-Philipp Wich [Wed, 26 Jan 2022 22:09:01 +0000 (23:09 +0100)]
ruleset: consolidate zone matches for raw_prerouting and raw_output chains

Instead of duplicating the zone match rule expressions, reuse the
`zone-match.uc` template emit the correct match expressions.

This simplifies the code somewhat and ensures that wildcard interfaces
are also properly handled for notrack/helper rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: fix wrong `parse_network()` return value on `parse_subnet()` failure
Jo-Philipp Wich [Wed, 26 Jan 2022 11:00:21 +0000 (12:00 +0100)]
fw4: fix wrong `parse_network()` return value on `parse_subnet()` failure

Ref: https://forum.openwrt.org/t/x/118427
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: fix parsing inverted numeric DSCP values
Jo-Philipp Wich [Wed, 26 Jan 2022 10:13:44 +0000 (11:13 +0100)]
fw4: fix parsing inverted numeric DSCP values

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: emit AF specific rules for DSCP matches
Jo-Philipp Wich [Wed, 26 Jan 2022 10:00:44 +0000 (11:00 +0100)]
ruleset: emit AF specific rules for DSCP matches

Since nftables `dscp` matches are IP family specific we must emit
separate IPv4 and IPv6 rules in case DSCP matches are present.

Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4240
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4: fix family comparisons
Jo-Philipp Wich [Wed, 26 Jan 2022 10:01:55 +0000 (11:01 +0100)]
fw4: fix family comparisons

The address family of an object might be either `0` or `null` so loosen
the checks to accomodate both.

Ref: https://github.com/jow-/ucode/commit/aa860a35252b4833a188f8b2f9c6a7d68963767d
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: properly deal with wildcards in zone device selectors
Jo-Philipp Wich [Tue, 25 Jan 2022 22:12:20 +0000 (23:12 +0100)]
ruleset: properly deal with wildcards in zone device selectors

Translate iptables style wildcards (`name+`) to nftables ones (`name*`)
and ensure that such wildcards are not used as anonymous set items but
that they're tested by separate expressions.

Also move redundant zone device/subnet selection expressions into a common
template and include it where applicable.

Finally add a new testcase which covers various device name wildcard corner-
cases and rule permutation requirements.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset: fix chain selection for mark and dscp targets
Jo-Philipp Wich [Sat, 22 Jan 2022 19:36:29 +0000 (20:36 +0100)]
ruleset: fix chain selection for mark and dscp targets

Align the chain selection logic for mark and dscp targets with the one
implemented in firewall3 with commit https://git.openwrt.org/61db17e

Also add corresponding testcases to assert the correct selection logic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4.uc: handle zone masq6 option
Jo-Philipp Wich [Sat, 22 Jan 2022 18:16:19 +0000 (19:16 +0100)]
fw4.uc: handle zone masq6 option

The ruleset template and internal adress selection logc has been prepared
for IPv6 masquerading already but the toplevel option was not exposed
until now.

Also add some initial testcases for zone configuration while we're at it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4.uc: handle interface zone option
Stijn Tintel [Thu, 6 Jan 2022 17:52:40 +0000 (19:52 +0200)]
fw4.uc: handle interface zone option

With firewall3 it is possible to specify the firewall zone in interface
sections in /etc/config/network. Handle this in firewall4 as well.

Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotests: add test for unknown rule option
Stijn Tintel [Fri, 7 Jan 2022 12:56:16 +0000 (14:56 +0200)]
tests: add test for unknown rule option

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotests: add test for deprecated rule option
Stijn Tintel [Fri, 7 Jan 2022 12:54:36 +0000 (14:54 +0200)]
tests: add test for deprecated rule option

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotests: add test for unknown defaults option
Stijn Tintel [Fri, 7 Jan 2022 12:45:49 +0000 (14:45 +0200)]
tests: add test for unknown defaults option

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotests: enable flow offloading in tests
Stijn Tintel [Fri, 7 Jan 2022 08:50:14 +0000 (10:50 +0200)]
tests: enable flow offloading in tests

As flow offloading is a popular feature, it makes sense to cover it in
the tests. This would have caught the issue fixed in b68cf6701945
("main.uc: fix device gathering").

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset.uc: don't trim newline before comment sign
Stijn Tintel [Fri, 7 Jan 2022 08:45:50 +0000 (10:45 +0200)]
ruleset.uc: don't trim newline before comment sign

When flow offloading is enabled, the comment block is inserted in the
ruleset like this:

table inet fw4 { #
# Flowtable
#

This is due to the trimming of newlines which was done to avoid having
to modify all the test files. A better solution is to just add an extra
newline in the template.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agoruleset.uc: consolidate ip and ip6 offload
Stijn Tintel [Fri, 7 Jan 2022 08:24:54 +0000 (10:24 +0200)]
ruleset.uc: consolidate ip and ip6 offload

Remove the space before the comma while at it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agomain.uc: fix device gathering
Stijn Tintel [Thu, 6 Jan 2022 14:27:37 +0000 (16:27 +0200)]
main.uc: fix device gathering

While reworking the render_ruleset function to address review comments,
the devices variable should have been changed to an array. Fix that.

Fixes: 85b74f35e4a7 ("treewide: support flow offloading")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2 years agofw4.uc: allow use of cidr in ipsets
Stijn Tintel [Sat, 6 Nov 2021 00:29:37 +0000 (02:29 +0200)]
fw4.uc: allow use of cidr in ipsets

Sets of type ipv4_addr or ipv6_addr support entries in CIDR notation.
However, the parse_ipsetentry ignores them. Fix this by using
parse_subnet instead of iptoarr.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4.uc: don't fail on unknown options
Stijn Tintel [Thu, 6 Jan 2022 09:52:02 +0000 (11:52 +0200)]
fw4.uc: don't fail on unknown options

Warn the user when a section contains invalid options, but do not stop
processing the section, like firewall3.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4.uc: add _name as deprecated option
Stijn Tintel [Thu, 25 Nov 2021 04:15:15 +0000 (06:15 +0200)]
fw4.uc: add _name as deprecated option

Add _name as deprecated option for rules and redirects, as this might
have been added by LuCI at some point.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4.uc: introduce DEPRECATED flag
Stijn Tintel [Thu, 25 Nov 2021 04:01:51 +0000 (06:01 +0200)]
fw4.uc: introduce DEPRECATED flag

When a section contains unknown options, the parse_options function will
return false, and based on that the entire section might be skipped.
For example, rules containing a _name option will be skipped. As this
option used to be added by LuCI in the past, we should not skip those
rules, as it might break existing configs for many users.

Add a new DEPRECATED flag to handle such options.

Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4.uc: do not skip defaults with invalid option
Stijn Tintel [Thu, 25 Nov 2021 03:41:16 +0000 (05:41 +0200)]
fw4.uc: do not skip defaults with invalid option

Skipping a defaults section because it contains invalid options can be a
security risk. If the user configures a default policy to DROP or
REJECT, this should always be applied. The user is warned about the
invalid option anyway.

This makes firewall4 behave like firewall3 with regards to defaults.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotreewide: support set timeout
Stijn Tintel [Sat, 6 Nov 2021 01:21:33 +0000 (03:21 +0200)]
treewide: support set timeout

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotreewide: support hardware flow offloading
Stijn Tintel [Thu, 14 Oct 2021 18:50:41 +0000 (20:50 +0200)]
treewide: support hardware flow offloading

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotreewide: support flow offloading
Stijn Tintel [Thu, 14 Oct 2021 18:42:46 +0000 (20:42 +0200)]
treewide: support flow offloading

Flow offloading doesn't work if the devices aren't specified. Pass
interfaces used by enabled firewall zones to the ruleset renderer.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agofw4.uc: filter duplicates in fw4.set
Stijn Tintel [Thu, 6 Jan 2022 11:12:37 +0000 (13:12 +0200)]
fw4.uc: filter duplicates in fw4.set

Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2 years agotreewide: move executables to /sbin
Stijn Tintel [Thu, 6 Jan 2022 09:00:52 +0000 (11:00 +0200)]
treewide: move executables to /sbin

In firewall3, the fw3 executable is installed in /sbin. As
luci-app-firewall looks for the fw3 executable in /sbin, the firewall
menu is hidden when firewall4 is installed. Move both executables to
/sbin so the firewall app will show when firewall4 is installed.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
3 years agofw4.uc: Do not quote port ranges
Thomas Weißschuh [Sun, 24 Oct 2021 08:59:57 +0000 (10:59 +0200)]
fw4.uc: Do not quote port ranges

This fixes the translation of rules like the following:

config rule
        ...
        option dest_port '67:68'

Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
3 years agotests: adapt test to new ICMP print logic
Thomas Weißschuh [Sun, 24 Oct 2021 08:59:56 +0000 (10:59 +0200)]
tests: adapt test to new ICMP print logic

Fixes: 35f5120afcf158e445062fdb5072684ed24d91d0
Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
3 years agorule.uc: always format ICMP type/code list as set
Jo-Philipp Wich [Sun, 17 Oct 2021 09:16:27 +0000 (11:16 +0200)]
rule.uc: always format ICMP type/code list as set

Ensure that the concatenated type . code list values are always formatted
as anonymous set, even if the list just contains one item. Fixes the
following nftables error when parsing such a rule:

  Error: Use concatenations with sets and maps, not singleton values

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agotreewide: convert deprecated syntax
Jo-Philipp Wich [Wed, 1 Sep 2021 13:31:22 +0000 (15:31 +0200)]
treewide: convert deprecated syntax

 - `local` has been deprecated in favor to `let`
 - `delete(obj, "prop")` has been depracted in favor to `delete obj.prop`

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agotests: adapt to latest ucode
Jo-Philipp Wich [Wed, 1 Sep 2021 13:27:21 +0000 (15:27 +0200)]
tests: adapt to latest ucode

 - Environment must be set before preloading and executing modules
 - Caching of fs module must be inhibited
 - Mocklib class object should be returned

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agotests: expand testing
Jo-Philipp Wich [Wed, 31 Mar 2021 20:09:01 +0000 (22:09 +0200)]
tests: expand testing

 - Rewrite test framework
 - Add initial rule test coverage

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agofw4.uc: fix family test functions
Jo-Philipp Wich [Wed, 31 Mar 2021 19:55:08 +0000 (21:55 +0200)]
fw4.uc: fix family test functions

Rewrite the family test functions as arrow functions since ucode HEAD does
implicitly return the last function value expression as result anymore for
ordinary functions.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agofw4.uc: fix parsing boolean "0" values
Jo-Philipp Wich [Wed, 31 Mar 2021 19:05:56 +0000 (21:05 +0200)]
fw4.uc: fix parsing boolean "0" values

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agorule.uc: fix redundant whitespace in rules without target
Jo-Philipp Wich [Wed, 31 Mar 2021 19:05:11 +0000 (21:05 +0200)]
rule.uc: fix redundant whitespace in rules without target

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agoruleset.uc: reduce empty lines in output
Jo-Philipp Wich [Wed, 31 Mar 2021 17:45:46 +0000 (19:45 +0200)]
ruleset.uc: reduce empty lines in output

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agofw4.uc: gracefully handle missing defaults section
Jo-Philipp Wich [Wed, 31 Mar 2021 17:45:22 +0000 (19:45 +0200)]
fw4.uc: gracefully handle missing defaults section

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agotreewide: remove ucode module preloading
Jo-Philipp Wich [Tue, 30 Mar 2021 13:10:00 +0000 (15:10 +0200)]
treewide: remove ucode module preloading

Instead of preloading ucode modules via the cmdline, require the modules
as needed. This simplifies test case constructions since mock modules
can be injected by modifying the search path.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agofw4.uc: remove upvalue caching
Jo-Philipp Wich [Mon, 29 Mar 2021 12:06:01 +0000 (14:06 +0200)]
fw4.uc: remove upvalue caching

Now that ucode HEAD inherits the global scope in include() by default, we
do not need to cache our used functions anymore.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3 years agoInitial commit
Jo-Philipp Wich [Fri, 19 Mar 2021 18:26:04 +0000 (19:26 +0100)]
Initial commit

Signed-off-by: Jo-Philipp Wich <jo@mein.io>