[OpenWrt-Devel] zones: enforce forward policy with zone_NAME_src_POLICY

Message ID 20191213070559.50319-1-yszhou4tech@gmail.com
State Rejected, archived

Commit Message

Yousong Zhou Dec. 13, 2019, 7:05 a.m. UTC
E.g. traffic entering zone_lan_forward must match "-i br-lan".  That is,
the forward policy of zone X applies to traffic from zone X that is to be
forwarded to other zones.  The iptables target for zone policy enforcement
should be zone_NAME_src_POLICY to match "-i br-lan", not
zone_NAME_dest_POLICY, which matches "-o br-lan".

Fixes FS#2525

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
 zones.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Jo-Philipp Wich Dec. 13, 2019, 8:58 a.m. UTC | #1
Hi,

per definition, zone forward policies were only ever meant to apply to
traffic between interfaces within the same zone *not* to traffic
anywhere else.

Your patch would break that assumption as far as I can see.

~ Jo
Yousong Zhou Dec. 13, 2019, 9:28 a.m. UTC | #2
On Fri, 13 Dec 2019 at 16:58, Jo-Philipp Wich <jo@mein.io> wrote:
>
> Hi,
>
> per definition, zone forward policies were only ever meant to apply to
> traffic between interfaces within the same zone *not* to traffic
> anywhere else.
>
> Your patch would break that assumption as far as I can see.
>
> ~ Jo

I see.  I always thought that wan forward policy being REJECT by
default was for not forwarding traffic _from_ wan.  Hah,
embarrassing...  Please just ignore this one and take over FS#2525
from here.

Regards,
                yousong
Patch

diff --git a/zones.c b/zones.c
index 310583d..f268615 100644
--- a/zones.c
+++ b/zones.c
@@ -317,11 +317,11 @@  fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 		resolve_cthelpers(state, e, zone);
 
 		fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_input));
-		fw3_setbit(zone->flags[0], zone->policy_forward);
+		fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_forward));
 		fw3_setbit(zone->flags[0], zone->policy_output);
 
 		fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_input));
-		fw3_setbit(zone->flags[1], zone->policy_forward);
+		fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_forward));
 		fw3_setbit(zone->flags[1], zone->policy_output);
 
 		list_add_tail(&zone->list, &state->zones);
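Review bot: the two fw3_setbit() changes in this hunk only make sense together with the target rename later in the patch, and on their own they alter which policy chain gets generated. Passing zone->policy_forward through fw3_to_src_target() records the src-target flag, so firewall3 will emit zone_NAME_src_POLICY for the forward policy instead of zone_NAME_dest_POLICY. The existing asymmetry in this block is intentional: policy_input is converted (matched on the ingress device) while policy_output and policy_forward are used as-is (matched on the egress device), because the forward policy is meant to cover traffic between interfaces of the same zone, which an egress-device match selects. Leave these two lines unchanged.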
@@ -659,7 +659,7 @@  print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 		fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
 
 		r = fw3_ipt_rule_new(handle);
-		fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name,
+		fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name,
 		                     fw3_flag_names[zone->policy_forward]);
 		fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
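Review bot: switching the fallback target in zone_%s_forward from zone_%s_dest_%s to zone_%s_src_%s changes which packets the rule catches, not merely which chain it names. The dest chain matches on the egress device ("-o br-lan" in the commit message's example), so only traffic that both came from and is headed back into this zone hits the zone's forward policy, and traffic bound for another zone without an explicit forwarding continues to the global forward policy. The src chain matches on the ingress device ("-i br-lan"), which is true of every packet that reached zone_%s_forward in the first place, so after this change a zone configured with forward=ACCEPT would accept forwarding to every other zone. That is the assumption Jo points out in the thread, and it is why this change should not go in.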