From: Alin Nastac
To: Jo-Philipp Wich
Cc: lede-dev@lists.infradead.org
Date: Tue, 3 Apr 2018 15:31:12 +0200
Message-Id: <1522762272-27393-1-git-send-email-alin.nastac@gmail.com>
Subject: [LEDE-DEV] [PATCH] firewall: fix logging of dropped & rejected packets

Reproduction scenario:
- use 3 interfaces with 3 different zones - lan, wan and guest
- configure firewall to allow forwarding from lan to wan
- add DROP rule to prevent forwarding from lan to guest
- although packets are forwarded from lan to wan, "DROP(dest guest)" traces are generated by zone_guest_dest_DROP chain

Signed-off-by: Alin Nastac
---
 zones.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 62 insertions(+), 12 deletions(-)
diff --git a/zones.c b/zones.c index e00d527..1f55aa6 100644 --- a/zones.c +++ b/zones.c @@ -20,6 +20,8 @@ #include "ubus.h" #include "helpers.h" +#define filter_target(t) \ + ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t]) #define C(f, tbl, tgt, fmt) \ { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##tgt, fmt } @@ -401,6 +403,19 @@ print_zone_chain(struct fw3_ipt_handle *handle, struct fw3_state *state, set(zone->flags, handle->family, handle->table); } +static const char* +jump_target(enum fw3_flag t, bool src, struct fw3_zone *zone, char *buf, size_t size) +{ + if ((zone->log & FW3_ZONE_LOG_FILTER) && t > FW3_FLAG_ACCEPT) + { + snprintf(buf, size, "%s_%s_%s", fw3_flag_names[t], + src ? "src" : "dest", zone->name); + return buf; + } + + return filter_target(t); +} + static void print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, bool reload, struct fw3_zone *zone, @@ -420,9 +435,6 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, "forward", "FORWARD", }; -#define jump_target(t) \ - ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t]) - if (handle->table == FW3_TABLE_FILTER) { for (t = FW3_FLAG_ACCEPT; t <= FW3_FLAG_DROP; t++) @@ -430,7 +442,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, if (has(zone->flags, handle->family, fw3_to_src_target(t))) { r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL); - fw3_ipt_rule_target(r, jump_target(t)); + fw3_ipt_rule_target(r, jump_target(t, true, zone, buf, sizeof(buf))); fw3_ipt_rule_extra(r, zone->extra_src); if (t == FW3_FLAG_ACCEPT && !state->defaults.drop_invalid) 
@@ -455,7 +467,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, } r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub); - fw3_ipt_rule_target(r, jump_target(t)); + fw3_ipt_rule_target(r, jump_target(t, false, zone, buf, sizeof(buf))); fw3_ipt_rule_extra(r, zone->extra_dest); fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name, fw3_flag_names[t]); @@ -503,7 +515,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, { if (zone->log & FW3_ZONE_LOG_MANGLE) { - snprintf(buf, sizeof(buf) - 1, "MSSFIX(%s): ", zone->name); + snprintf(buf, sizeof(buf), "MSSFIX(%s): ", zone->name); r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub); fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST"); 
@@ -640,30 +652,46 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, { if (has(zone->flags, handle->family, fw3_to_src_target(t))) { + fw3_ipt_create_chain(handle, "%s_src_%s", + fw3_flag_names[t], zone->name); + r = fw3_ipt_rule_new(handle); - snprintf(buf, sizeof(buf) - 1, "%s(src %s)", + snprintf(buf, sizeof(buf), "%s(src %s)", fw3_flag_names[t], zone->name); fw3_ipt_rule_limit(r, &zone->log_limit); fw3_ipt_rule_target(r, "LOG"); fw3_ipt_rule_addarg(r, false, "--log-prefix", buf); - fw3_ipt_rule_append(r, "zone_%s_src_%s", - zone->name, fw3_flag_names[t]); + fw3_ipt_rule_append(r, "%s_src_%s", + fw3_flag_names[t], zone->name); + + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_target(r, filter_target(t)); + fw3_ipt_rule_append(r, "%s_src_%s", + fw3_flag_names[t], zone->name); } if (has(zone->flags, handle->family, t)) { + fw3_ipt_create_chain(handle, "%s_dest_%s", + fw3_flag_names[t], zone->name); + r = fw3_ipt_rule_new(handle); - snprintf(buf, sizeof(buf) - 1, "%s(dest %s)", + snprintf(buf, sizeof(buf), "%s(dest %s)", fw3_flag_names[t], zone->name); fw3_ipt_rule_limit(r, &zone->log_limit); fw3_ipt_rule_target(r, "LOG"); fw3_ipt_rule_addarg(r, false, "--log-prefix", buf); - fw3_ipt_rule_append(r, "zone_%s_dest_%s", - zone->name, fw3_flag_names[t]); + fw3_ipt_rule_append(r, "%s_dest_%s", + fw3_flag_names[t], zone->name); + + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_target(r, filter_target(t)); + fw3_ipt_rule_append(r, "%s_dest_%s", + fw3_flag_names[t], zone->name); } } } @@ -758,6 +786,7 @@ fw3_flush_zones(struct fw3_ipt_handle *handle, struct fw3_state *state, struct fw3_zone *z, *tmp; const struct fw3_chain_spec *c; char chain[32]; + enum fw3_flag t; list_for_each_entry_safe(z, tmp, &state->zones, list) { 
@@ -790,6 +819,27 @@ fw3_flush_zones(struct fw3_ipt_handle *handle, struct fw3_state *state, fw3_ipt_delete_chain(handle, chain); } + if (z->log & FW3_ZONE_LOG_FILTER) + { + for (t = FW3_FLAG_REJECT; t <= FW3_FLAG_DROP; t++) + { + if (has(z->flags, handle->family, fw3_to_src_target(t))) + { + snprintf(chain, sizeof(chain), "%s_src_%s", + fw3_flag_names[t], z->name); + fw3_ipt_flush_chain(handle, chain); + fw3_ipt_delete_chain(handle, chain); + } + if (has(z->flags, handle->family, t)) + { + snprintf(chain, sizeof(chain), "%s_dest_%s", + fw3_flag_names[t], z->name); + fw3_ipt_flush_chain(handle, chain); + fw3_ipt_delete_chain(handle, chain); + } + } + } + del(z->flags, handle->family, handle->table); } }
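Review bot: jump_target() in the @@ -401 hunk returns the name of a chain that is only created later, in print_zone_rule (@@ -640 hunk). If print_interface_rule runs before print_zone_rule for the same table, the `-j DROP_dest_guest` style rules are inserted before their target chain exists, which iptables rejects as an unknown target; please confirm the call order, or create the log chains in print_zone_chain next to the zone_* chains. The `t > FW3_FLAG_ACCEPT` test here, the ACCEPT..DROP loop in print_interface_rule and the REJECT..DROP loop in fw3_flush_zones also all assume the enum order ACCEPT, REJECT, DROP; spelling the condition as `(t == FW3_FLAG_REJECT || t == FW3_FLAG_DROP)` would not depend on that order.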
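Review bot: in the @@ -430 and @@ -455 hunks, `fw3_ipt_rule_target(r, jump_target(t, ..., buf, sizeof(buf)))` now passes a string that embeds zone->name, where the old macro only ever produced a fixed target name. fw3_ipt_rule_append and fw3_ipt_rule_replace in this same patch take printf-style format strings; if fw3_ipt_rule_target does as well, a zone name containing `%` is interpreted as a conversion. Writing `fw3_ipt_rule_target(r, "%s", jump_target(...))` removes any dependency on how zone names are validated.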
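Review bot: the `sizeof(buf) - 1` to `sizeof(buf)` change in the @@ -503 hunk (and the matching ones in the @@ -640 hunk) is correct, since snprintf() always terminates within the size it is given, but it is unrelated to the logging fix the commit message describes; a separate commit would keep bisects and backports clean.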
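Review bot: the chains created in the @@ -640 hunk ("%s_src_%s" / "%s_dest_%s", e.g. DROP_dest_guest) are the only fw3 chains without a zone_ prefix, so an operator reading `iptables -S` cannot tell them from chains another tool created, and the same name format is now hand-written in three places (here, jump_target and fw3_flush_zones). A single helper that builds the name, used by all three, keeps them from drifting. The rule order inside the new chain is right: the LOG rule is appended before the terminating filter_target(t) rule, so a packet that reaches the chain is both logged and dropped/rejected, instead of being logged and falling through to other rules as before.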
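Review bot: in the @@ -790 hunk the new chains are flushed and deleted only when `z->log & FW3_ZONE_LOG_FILTER` is set in the state handed to fw3_flush_zones, while the zone_%s_src_%s / zone_%s_dest_%s chains just above are removed regardless of the log flag. If the state seen at flush time can differ from the one used at creation (log option toggled between apply and flush), the REJECT_* / DROP_* chains are orphaned; deleting them unconditionally, as for the other chains, is safer provided fw3_ipt_delete_chain tolerates a missing chain. The ordering within the loop is fine: the referencing zone_*_dest_* chains are deleted first, so the delete here never hits a still-referenced chain.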
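To make the failure in the reproduction scenario concrete, here is an added Python model (not fw3 code, not from the patch author) of the chain layouts before and after this patch. The interface names lan0/wan0/guest0, the `-o` matches standing in for the fw3_ipt_rule_create(..., dev, ...) interface rules, and the rule order are constructed from the appends in the diff.

```python
# Constructed model, not fw3 code: an iptables-style traversal over hand-built
# chains, showing where the "DROP(dest guest)" LOG rule fires before and after.
LOG, DROP, ACCEPT = "LOG", "DROP", "ACCEPT"
TERMINAL = {DROP, ACCEPT, "reject"}

def traverse(chains, chain, out_if, logs):
    """Walk one chain like iptables; return a verdict, or None on fall-through."""
    for match_out, target, prefix in chains[chain]:
        if match_out is not None and match_out != out_if:   # -o <dev> match
            continue
        if target == LOG:            # LOG never terminates: record and go on
            logs.append(prefix)
            continue
        if target in TERMINAL:
            return target
        verdict = traverse(chains, target, out_if, logs)   # -j <user chain>
        if verdict is not None:
            return verdict
    return None

def forward(chains, out_if):
    """Verdict and log prefixes for a lan packet bound for out_if."""
    logs = []
    verdict = traverse(chains, "zone_lan_forward", out_if, logs)
    return verdict or "policy", logs

# Rules are (output interface or None, target, log prefix). Constructed from the
# scenario: lan->wan forwarding allowed, lan->guest dropped with logging enabled.
COMMON = {
    "zone_lan_forward": [(None, "zone_guest_dest_DROP", None),
                         (None, "zone_wan_dest_ACCEPT", None)],
    "zone_wan_dest_ACCEPT": [("wan0", ACCEPT, None)],
}
# Before: the LOG rule sat in zone_guest_dest_DROP with no interface match, so
# every packet jumped into the chain was logged, even one leaving via wan0.
BEFORE = dict(COMMON, **{
    "zone_guest_dest_DROP": [(None, LOG, "DROP(dest guest)"), ("guest0", DROP, None)],
})
# After: zone_guest_dest_DROP jumps to DROP_dest_guest only for -o guest0, and
# that chain holds the LOG rule directly ahead of the DROP.
AFTER = dict(COMMON, **{
    "zone_guest_dest_DROP": [("guest0", "DROP_dest_guest", None)],
    "DROP_dest_guest": [(None, LOG, "DROP(dest guest)"), (None, DROP, None)],
})

if __name__ == "__main__":
    for name, chains in (("before", BEFORE), ("after", AFTER)):
        for out_if in ("wan0", "guest0"):
            print(name, out_if, forward(chains, out_if))
```

With the old layout a lan-to-wan packet is accepted yet still produces a "DROP(dest guest)" log line; with the new layout only packets that are actually dropped are logged.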