[FS#920] Final (default) rule in user defined zones wrong

LEDE Bugs lede-bugs at lists.infradead.org
Thu Jul 20 11:26:33 PDT 2017


A new Flyspray task has been opened.  Details are below. 

User who did this - Arjen de Korte (arjendekorte) 

Attached to Project - LEDE Project
Summary - Final (default) rule in user defined zones wrong
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Normal
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - package concerned: firewall - 2017-05-27-a4d98aea-1

The final rule for user-defined zones (in the example below, the dmz zone) is wrong. See the excerpt below from the rules emitted:

-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_dmz_forward

OK, everything received on interface eth0.3 in the FORWARD chain goes to zone_dmz_forward. Good.

-A zone_dmz_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_dmz_rule
-A zone_dmz_forward -m comment --comment "!fw3: forwarding dmz -> wan" -j zone_wan_dest_ACCEPT
-A zone_dmz_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_REJECT

The zone_dmz_dest_REJECT rule in the block above, however, can never match. See below:

-A zone_dmz_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject

We received a packet in the FORWARD chain on input interface eth0.3, so it can never end up on output interface eth0.3, as it wouldn't be in the FORWARD chain then. This is clearly wrong. Expected behavior is something like the following as the final action in the FORWARD chain:

-A FORWARD -m comment --comment "!fw3" -j reject

Something similar happens in the user-defined zone_*_input and zone_*_output chains, but in these chains the input and output interface will be the same, so this will not lead to unexpected behavior (although the zone_*_src_ or zone_*_dest_ there is equally wrong, since the final action should be applied unconditionally in any chain).

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=920
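The following is an added walk-through of the rule set quoted in the report, not code from the report or from fw3. It parses the quoted `-A` lines and follows a packet through FORWARD with iptables semantics (a user chain that finishes without a verdict returns to the caller, which continues with its next rule). Two things are assumptions, not taken from the report: the wan zone is on `eth0.2` (so a one-rule `zone_wan_dest_ACCEPT` chain is added), and `eth0.4` stands in for some third interface. `forwarding_dmz_rule` is treated as empty and fw3's `reject` helper chain as a terminal verdict.

```python
import shlex

# Rules quoted in the bug report, verbatim, plus one constructed rule for
# zone_wan_dest_ACCEPT (the report does not show that chain; wan on eth0.2
# is an assumption).
RULES_TEXT = r'''
-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_dmz_forward
-A zone_dmz_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_dmz_rule
-A zone_dmz_forward -m comment --comment "!fw3: forwarding dmz -> wan" -j zone_wan_dest_ACCEPT
-A zone_dmz_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_REJECT
-A zone_dmz_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "assumed: wan zone on eth0.2" -j ACCEPT
'''

# Targets that end traversal. "reject" is fw3's helper chain that issues
# REJECT with a protocol-appropriate error; it is treated as a verdict here.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "reject"}


def parse_rules(text):
    """Parse iptables-save style '-A chain ...' lines into {chain: [rule]}.

    A rule is a dict with optional 'in', 'out', 'ctstate' matches and a
    'target'. Chains that are only jumped to (e.g. forwarding_dmz_rule)
    get an empty rule list, like an empty user chain in the kernel.
    """
    chains = {}
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue
        chain, rule, i = tokens[1], {"target": None}, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-i":
                rule["in"] = tokens[i + 1]
                i += 2
            elif tok == "-o":
                rule["out"] = tokens[i + 1]
                i += 2
            elif tok == "--ctstate":
                rule["ctstate"] = set(tokens[i + 1].split(","))
                i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok in ("-m", "--comment"):
                i += 2  # module name or comment text: no effect on matching
            else:
                i += 1
        chains.setdefault(chain, []).append(rule)
        if rule["target"] and rule["target"] not in TERMINAL:
            chains.setdefault(rule["target"], [])
    return chains


def rule_matches(rule, pkt):
    """Does this rule's -i/-o/--ctstate match the packet?"""
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "out" in rule and rule["out"] != pkt["out"]:
        return False
    if "ctstate" in rule and pkt.get("ctstate") not in rule["ctstate"]:
        return False
    return True


def walk(chains, chain, pkt):
    """Traverse a chain; return a terminal verdict, or None on implicit RETURN."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        verdict = walk(chains, target, pkt)
        if verdict is not None:
            return verdict
        # the user chain returned without a verdict: go on with the next rule
    return None


def forward_verdict(pkt, rules_text=RULES_TEXT):
    """Verdict FORWARD gives a packet; None means it fell off the end of FORWARD."""
    return walk(parse_rules(rules_text), "FORWARD", pkt)


if __name__ == "__main__":
    cases = {
        "dmz -> wan (NEW)": {"in": "eth0.3", "out": "eth0.2", "ctstate": "NEW"},
        "dmz -> eth0.4 (NEW)": {"in": "eth0.3", "out": "eth0.4", "ctstate": "NEW"},
        "dmz -> eth0.4 (DNAT)": {"in": "eth0.3", "out": "eth0.4", "ctstate": "DNAT"},
        "dmz -> dmz (NEW)": {"in": "eth0.3", "out": "eth0.3", "ctstate": "NEW"},
    }
    for name, pkt in cases.items():
        print(f"{name:22s} -> {forward_verdict(pkt)}")
```

The case worth looking at is `dmz -> eth0.4`: the packet enters `zone_dmz_forward`, none of the four rules produces a verdict (the `-o eth0.3` test in `zone_dmz_dest_REJECT` does not match), the chain returns, and FORWARD carries on with whatever rules follow the jump, which is the fall-through the report describes. Only a packet leaving on `eth0.3` itself reaches `reject`.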
