[1/6] firewall: Only check relevant bits for NAT fix rules

Message ID 20211004175222.9208-1-michael.tremer@ipfire.org
State Accepted
Commit ce31144c629354d32fcb41ea69f0dbc5e426eea7

Commit Message

Michael Tremer Oct. 4, 2021, 5:52 p.m. UTC
  In order to use the highest two bits for Suricata bypass, we need to
make sure that whenever we compare any other marks, we only look at the
bits that belong to that mark and ignore everything else.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/firewall/rules.pl        | 11 +++++++----
 src/initscripts/system/firewall |  8 +++++---
 2 files changed, 12 insertions(+), 7 deletions(-)
  

Patch

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c9024..9d280045a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@  my @PRIVATE_NETWORKS = (
 	"100.64.0.0/10",
 );
 
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
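Review bot: The `# MARK masks` comment does not say which bits of the packet mark the mask covers, nor that `src/initscripts/system/firewall` (later in this series' patch) defines the same `NAT_MASK` together with the per-zone values this file generates, so the two copies can silently drift apart. Suggest expanding it to `# Packet-mark layout: bits 24-27 (0x0f000000) carry the NAT fix zone (GREEN 0x01000000, BLUE 0x02000000, ORANGE 0x04000000); keep in sync with NAT_MASK in src/initscripts/system/firewall.` The commit message reserves the top two bits for Suricata bypass, which would be worth stating in the same place.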
@@ -829,10 +832,8 @@  sub add_dnat_mangle_rules {
 	my $interface = shift;
 	my @options = @_;
 
-	my $mark = 0;
+	my $mark = 0x01000000;
 	foreach my $zone ("GREEN", "BLUE", "ORANGE") {
-		$mark++;
-
 		# Skip rule if not all required information exists.
 		next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
 		next unless (exists $defaultNetworks{$zone . "_NETMASK"});
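Review bot: Replacing the `$mark++` at the top of the loop with the `$mark <<= 1;` after `run()` in the next hunk means a zone skipped by the two `next unless` guards no longer consumes its bit, so with BLUE unconfigured ORANGE is marked 0x02000000 while the initscript's NAT_DESTINATION_FIX rule for ORANGE matches 0x04000000 and its traffic is not SNATed. The old code advanced the counter before the guards, so the zone-to-value assignment stayed fixed. Keep that ordering: initialise with `my $mark = 0x00800000;`, make `$mark <<= 1;` the first statement of the loop body, and drop the shift at the end of the loop. add_dnat_mangle_rules begins before this hunk and the loop closes in the following one.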
@@ -845,9 +846,11 @@  sub add_dnat_mangle_rules {
 		$netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
 
 		push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
-		push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
+		push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
 
 		run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
+
+		$mark <<= 1;
 	}
 }
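Review bot: `"$mark/$NAT_MASK"` interpolates both integers in decimal, so the generated rule reads `--set-xmark 16777216/251658240`; iptables accepts that, but it is hard to audit against the hex `--mark 0x01000000/0x0f000000` form the initscript uses for the matching SNAT rules. `sprintf("0x%08x/0x%08x", $mark, $NAT_MASK)` emits the same value in the form the initscript shows. The start of add_dnat_mangle_rules lies before this hunk.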
 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe1..9d023a349 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -12,6 +12,8 @@  if [ -f /var/ipfire/red/device ]; then
 	DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
 fi
 
+NAT_MASK="0x0f000000"
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -282,17 +284,17 @@  iptables_init() {
 
 	if [ -n "${GREEN_ADDRESS}" ]; then
 		iptables -t nat -A NAT_DESTINATION_FIX \
-			-m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+			-m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
 	fi
 
 	if [ -n "${BLUE_ADDRESS}" ]; then
 		iptables -t nat -A NAT_DESTINATION_FIX \
-			-m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+			-m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
 	fi
 
 	if [ -n "${ORANGE_ADDRESS}" ]; then
 		iptables -t nat -A NAT_DESTINATION_FIX \
-			-m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi
 
 	# RED chain, used for the red interface