From patchwork Wed Oct 19 15:00:03 2022
X-Patchwork-Submitter: Baptiste Jonglez
X-Patchwork-Id: 1692047
X-Patchwork-Delegate: baptiste@bitsofnetworks.org
From: Baptiste Jonglez
To: openwrt-devel@lists.openwrt.org
Cc: jo@mein.io, Baptiste Jonglez
Subject: [PATCH] firewall: config: drop input traffic by default
Date: Wed, 19 Oct 2022 17:00:03 +0200
Message-Id: <20221019150003.3829141-1-baptiste@bitsofnetworks.org>
X-Mailer: git-send-email 2.30.2
List-Id: OpenWrt Development List
From: Baptiste Jonglez

This is necessary with firewall4 to avoid a hard-to-diagnose race condition during boot, causing DNAT rules not to be taken into account correctly.

The root cause is that, during boot, the ruleset is mostly empty, and interface-related rules (including DNAT rules) are added incrementally. If a packet hits the input chain before the DNAT rules are set up, it can create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts authorized traffic and rejects the rest. Thus, in normal operations, the default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez
---
 package/network/config/firewall/files/firewall.config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 61cfe665e4..b90ac7af0a 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config @@ -1,6 +1,6 @@ config defaults option syn_flood 1 - option input ACCEPT + option input REJECT option output ACCEPT option forward REJECT # Uncomment this line to disable ipv6 rules
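Review bot: the subject line says "drop input traffic by default", but the hunk sets `option input REJECT`, not DROP; either reword the subject or state in the commit message why a REJECT policy (which answers unmatched packets with an ICMP error or TCP reset) is preferred over a silent drop for the boot window. The same `config defaults` block already uses `option forward REJECT`, so the two policies now agree, which is worth a sentence of justification so a later reader does not revert it as inconsistent with the title. Also worth spelling out the scope: this only changes the default shipped in package/network/config/firewall/files/firewall.config, so existing installations that keep their own /etc/config/firewall across sysupgrade retain `option input ACCEPT` and remain exposed to the boot-time race the message describes; the commit message (or the linked issue #10749) should tell upgraders to change the setting by hand and give the defaults block they should end up with.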