From patchwork Mon Oct 4 17:52:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4758 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HNSx111zRz3xCR for ; Mon, 4 Oct 2021 17:52:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HNSx029Cvz1qH; Mon, 4 Oct 2021 17:52:52 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HNSx00zp0z31s2; Mon, 4 Oct 2021 17:52:52 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HNSwz49WJz2x9h for ; Mon, 4 Oct 2021 17:52:51 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HNSwz1QM9zhl; Mon, 4 Oct 2021 17:52:51 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1633369971; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=yIncbeIUKlB/F5F4eNaZpV62vjw6w3Te1AJZtBdtH7Y=; b=0o4oHmbrfhOOj3ZH0+VDj6nhWN0Vq2jN9lDCEINMcvHxZX5I2C/Ic1/0OHDaMIPdN3o4WC jaq9xICyoaX130BA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1633369971; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=yIncbeIUKlB/F5F4eNaZpV62vjw6w3Te1AJZtBdtH7Y=; b=KKCa/V+SuXPpvw6k+wQ8L8sd9LBbpxrvtTwktO5QFFTKcqqM+sgzGAUhPm5mLJc0KdFtOw wDOW+NRwbZvCzDN2H3viT4dNL/buYp2SvTJK0hMI3znypnGoyQA3tTXwQEiAF/qGqne3ma 0sKWdFiM3QeY7RXCaI6Zng+VCqX2JbFnXqVAIXyEHX9Gaot1pSxN0ecFRhjMMq38vD3OlK eOs+d5Ton2nGUvgLi6KNDW4Y5/g9JOcixouZyMY9olW1MTkmhqJ6hnLMfPuXENW4LSA5qi cFZWmK5I7O8mNW6zqAA7jvRs68BGoKcvnF3hN9uWa8YJVFsQH4k+VLpCqeEa3Q== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules Date: Mon, 4 Oct 2021 18:52:17 +0100 Message-Id: <20211004175222.9208-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" In order to use the highest two bits for surciata bypass, we will need to make sure that whenever we compare any other marks, we do not care about anything else. Signed-off-by: Michael Tremer --- config/firewall/rules.pl | 11 +++++++---- src/initscripts/system/firewall | 8 +++++--- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 0dd1c9024..9d280045a 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = ( "100.64.0.0/10", ); +# MARK masks +my $NAT_MASK = 0x0f000000; + my %fwdfwsettings=(); my %fwoptions = (); my %defaultNetworks=(); @@ -829,10 +832,8 @@ sub add_dnat_mangle_rules { my $interface = shift; my @options = @_; - my $mark = 0; + my $mark = 0x01000000; foreach my $zone ("GREEN", "BLUE", "ORANGE") { - $mark++; - # Skip rule if not all required information exists. next unless (exists $defaultNetworks{$zone . "_NETADDRESS"}); next unless (exists $defaultNetworks{$zone . "_NETMASK"}); @@ -845,9 +846,11 @@ sub add_dnat_mangle_rules { $netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"}; push(@mangle_options, ("-s", $netaddress, "-d", $nat_address)); - push(@mangle_options, ("-j", "MARK", "--set-mark", $mark)); + push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK")); run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options"); + + $mark <<= 1; } } diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index baa39abe1..9d023a349 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` fi +NAT_MASK="0x0f000000" + function iptables() { /sbin/iptables --wait "$@" } @@ -282,17 +284,17 @@ iptables_init() { if [ -n "${GREEN_ADDRESS}" ]; then iptables -t nat -A NAT_DESTINATION_FIX \ - -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}" + -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}" fi if [ -n "${BLUE_ADDRESS}" ]; then iptables -t nat -A NAT_DESTINATION_FIX \ - -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}" + -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}" fi if [ -n "${ORANGE_ADDRESS}" ]; then iptables -t nat -A NAT_DESTINATION_FIX \ - -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}" + -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}" fi # RED chain, used for the red interface