From: Stijn Tintel Date: Mon, 13 Jun 2022 15:00:26 +0000 (+0300) Subject: ruleset: fix conntrack helpers X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=a063317d96c6c85e4c909eab017ef2813f93ff05;p=project%2Ffirewall4.git ruleset: fix conntrack helpers In nftables, helper assignments need to be performed after the conntrack lookup has completed. Using the raw priority results in the assignment being done before the conntrack lookup, which breaks conntrack helpers. Fix this by moving the jumps helper rule chains to a new toplevel `prerouting` and the existing `output` chain respectively. Signed-off-by: Stijn Tintel [new toplevel `prerouting` chain + reuse existing `output` chain] Signed-off-by: Jo-Philipp Wich --- diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index faf8bed..9d3be7f 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc @@ -1,4 +1,7 @@ -{% let flowtable_devices = fw4.resolve_offload_devices(); -%} +{% + let flowtable_devices = fw4.resolve_offload_devices(); + let available_helpers = filter(fw4.helpers(), h => h.available); +-%} table inet fw4 flush table inet fw4 @@ -20,6 +23,21 @@ table inet fw4 { {% endif %} } +{% endif %} +{% if (length(available_helpers)): %} + # + # CT helper definitions + # + +{% for (let helper in available_helpers): %} +{% for (let proto in helper.proto): %} + ct helper {{ helper.name }} { + type {{ fw4.quote(helper.name, true) }} protocol {{ proto.name }}; + } + +{% endfor %} +{% endfor %} + {% endif %} # # Set definitions 
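Review bot: The `ct helper` objects are now emitted only when `length(available_helpers)` is non-zero, while the `helper_<zone>` chains and their `ct helper set` rules added later in this commit are gated on `zone.dflags.helper` alone; if that flag can be set for a zone whose helper is not available, a rule would reference an object this block never defined and the whole ruleset load would fail. I could not tell from the template whether fw4 already guarantees that the flag implies an available helper, so either that invariant should be stated or the chain emission should share this gate. A short template comment above the new `if` would do, e.g. `{# zone.dflags.helper is only set for zones that reference an available helper, so every "ct helper set" below resolves to an object defined here #}`. The rest of the table body continues outside the hunk.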
@@ -123,14 +141,44 @@ table inet fw4 { {% for (let rule in fw4.rules("output")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} -{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %} +{% for (let zone in fw4.zones()): %} +{% for (let rule in zone.match_rules): %} +{% if (zone.dflags.helper): %} +{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %} +{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %} +{% if (devices_pos || subnets_pos): %} + {%+ if (rule.family): -%} + meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} + {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%} + jump helper_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT helper assignment" +{% endif %} +{% endif %} {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "output" }) %} -{% endfor; endfor %} +{% endfor %} +{% endfor %} {% if (fw4.output_policy() == "reject"): %} jump handle_reject {% endif %} } + chain prerouting { + type filter hook prerouting priority filter; policy accept; +{% for (let zone in fw4.zones()): %} +{% if (zone.dflags.helper): %} +{% for (let rule in zone.match_rules): %} +{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %} +{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %} +{% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %} + {%+ if (rule.family): -%} + meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} + {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%} + jump helper_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT helper assignment" +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} + } + chain handle_reject { meta l4proto tcp reject with {{ (fw4.default_option("tcp_reject_code") != "tcp-reset") 
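Review bot: The new `chain prerouting` base chain is emitted unconditionally, so every ruleset now registers a prerouting hook at filter priority even when no zone has `dflags.helper` set, as the empty `chain prerouting { }` blocks in the updated fixtures show; gating it the same way the CT helper definitions are gated, e.g. `{% if (length(filter(fw4.zones(), z => z.dflags.helper))): %}` around the chain, would avoid an always-empty hooked chain. The reason for `priority filter` lives only in the commit message; a one-line comment on the chain such as `# helper assignment must run after the conntrack lookup, so this hook uses priority filter rather than raw` would keep the next reader from "fixing" it back to raw. As a point of style, the output block nests `for zone / for rule / if helper` while the prerouting block nests `for zone / if helper / for rule`, and the two bodies differ only in the loopback filter flag and the `devices_neg || subnets_neg` test; one ordering, or a shared include, would make the intended symmetry obvious. The output chain starts before this hunk and the `handle_reject` chain continues after it.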
@@ -183,6 +231,14 @@ table inet fw4 { jump {{ zone.forward }}_to_{{ zone.name }} } +{% if (zone.dflags.helper): %} + chain helper_{{ zone.name }} { +{% for (let rule in fw4.rules(`helper_${zone.name}`)): %} + {%+ include("rule.uc", { fw4, rule }) %} +{% endfor %} + } + +{% endif %} {% for (let verdict in ["accept", "reject", "drop"]): %} {% if (zone.sflags[verdict]): %} chain {{ verdict }}_from_{{ zone.name }} { 
@@ -266,74 +322,54 @@ table inet fw4 { {% endfor %} # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { type filter hook prerouting priority raw; policy accept; -{% for (let target in ["helper", "notrack"]): %} -{% for (let zone in fw4.zones()): %} -{% if (zone.dflags[target]): %} -{% for (let rule in zone.match_rules): %} -{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %} -{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %} -{% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %} +{% for (let zone in fw4.zones()): %} +{% if (zone.dflags["notrack"]): %} +{% for (let rule in zone.match_rules): %} +{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %} +{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %} +{% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %} {%+ if (rule.family): -%} meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%} - jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{ - (target == "helper") ? 
"CT helper assignment" : "CT bypass" - }}" -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} + jump notrack_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT bypass" +{% endif %} +{% endfor %} +{% endif %} {% endfor %} } chain raw_output { type filter hook output priority raw; policy accept; -{% for (let target in ["helper", "notrack"]): %} -{% for (let zone in fw4.zones()): %} -{% if (zone.dflags[target]): %} -{% for (let rule in zone.match_rules): %} -{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %} -{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %} -{% if (devices_pos || subnets_pos): %} +{% for (let zone in fw4.zones()): %} +{% if (zone.dflags["notrack"]): %} +{% for (let rule in zone.match_rules): %} +{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %} +{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %} +{% if (devices_pos || subnets_pos): %} {%+ if (rule.family): -%} meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%} - jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{ - (target == "helper") ? 
"CT helper assignment" : "CT bypass" - }}" -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} -{% endfor %} - } - -{% for (let helper in fw4.helpers()): %} -{% if (helper.available): %} -{% for (let proto in helper.proto): %} - ct helper {{ helper.name }} { - type {{ fw4.quote(helper.name, true) }} protocol {{ proto.name }}; - } - + jump notrack_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT bypass" +{% endif %} {% endfor %} {% endif %} {% endfor %} -{% for (let target in ["helper", "notrack"]): %} -{% for (let zone in fw4.zones()): %} -{% if (zone.dflags[target]): %} - chain {{ target }}_{{ zone.name }} { -{% for (let rule in fw4.rules(`${target}_${zone.name}`)): %} + } + +{% for (let zone in fw4.zones()): %} +{% if (zone.dflags.notrack): %} + chain notrack_{{ zone.name }} { +{% for (let rule in fw4.rules(`notrack_${zone.name}`)): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} } {% endif %} -{% endfor %} {% endfor %} # diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset index 8621993..cd32edc 100644 --- a/tests/01_configuration/01_ruleset +++ b/tests/01_configuration/01_ruleset @@ -30,6 +30,59 @@ table inet fw4 { flags offload; } + # + # CT helper definitions + # + + ct helper amanda { + type "amanda" protocol udp; + } + + ct helper ftp { + type "ftp" protocol tcp; + } + + ct helper RAS { + type "RAS" protocol udp; + } + + ct helper Q.931 { + type "Q.931" protocol tcp; + } + + ct helper irc { + type "irc" protocol tcp; + } + + ct helper netbios-ns { + type "netbios-ns" protocol udp; + } + + ct helper pptp { + type "pptp" protocol tcp; + } + + ct helper sane { + type "sane" protocol tcp; + } + + ct helper sip { + type "sip" protocol udp; + } + + ct helper snmp { + type "snmp" protocol udp; + } + + ct helper tftp { + type "tftp" protocol udp; + } + + ct helper rtsp { + type "rtsp" protocol tcp; + } + + # # Set definitions # 
@@ -87,6 +140,11 @@ table inet fw4 { oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment" + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -110,6 +168,21 @@ table inet fw4 { jump accept_to_lan } + chain helper_lan { + meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto" + meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking" + meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking" + meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking" + meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking" + meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking" + meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking" + meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking" + meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking" + meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking" + meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" + meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking" + } + chain accept_from_lan { iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic" } 
@@ -173,81 +246,17 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { type filter hook prerouting priority raw; policy accept; - iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment" } chain raw_output { type filter hook output priority raw; policy accept; } - ct helper amanda { - type "amanda" protocol udp; - } - - ct helper ftp { - type "ftp" protocol tcp; - } - - ct helper RAS { - type "RAS" protocol udp; - } - - ct helper Q.931 { - type "Q.931" protocol tcp; - } - - ct helper irc { - type "irc" protocol tcp; - } - - ct helper netbios-ns { - type "netbios-ns" protocol udp; - } - - ct helper pptp { - type "pptp" protocol tcp; - } - - ct helper sane { - type "sane" protocol tcp; - } - - ct helper sip { - type "sip" protocol udp; - } - - ct helper snmp { - type "snmp" protocol udp; - } - - ct helper tftp { - type "tftp" protocol udp; - } - - ct helper rtsp { - type "rtsp" protocol tcp; - } - - chain helper_lan { - meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto" - meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking" - meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking" - meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking" - meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking" - meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking" - meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking" - meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking" - meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking" - meta nfproto ipv4 meta 
l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking" - meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" - meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking" - } - # # Mangle rules diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order index 860989a..fd37adf 100644 --- a/tests/01_configuration/02_rule_order +++ b/tests/01_configuration/02_rule_order @@ -119,6 +119,10 @@ table inet fw4 { oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -186,7 +190,7 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies index 3660893..86c2910 100644 --- a/tests/02_zones/01_policies +++ b/tests/02_zones/01_policies @@ -120,6 +120,13 @@ table inet fw4 { oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment" + iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment" + iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment" + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 
@@ -137,6 +144,9 @@ table inet fw4 { jump accept_to_test1 } + chain helper_test1 { + } + chain accept_from_test1 { iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic" } @@ -157,6 +167,9 @@ table inet fw4 { jump drop_to_test2 } + chain helper_test2 { + } + chain drop_from_test2 { iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" } @@ -177,6 +190,9 @@ table inet fw4 { jump reject_to_test3 } + chain helper_test3 { + } + chain reject_from_test3 { iifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic" } @@ -200,29 +216,17 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { type filter hook prerouting priority raw; policy accept; - iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment" - iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment" - iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment" } chain raw_output { type filter hook output priority raw; policy accept; } - chain helper_test1 { - } - - chain helper_test2 { - } - - chain helper_test3 { - } - # # Mangle rules diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq index 0612a71..e789fde 100644 --- a/tests/02_zones/02_masq +++ b/tests/02_zones/02_masq @@ -124,6 +124,10 @@ table inet fw4 { oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -220,7 +224,7 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { 
diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions index 8e2fcce..9129c60 100644 --- a/tests/02_zones/03_masq_src_dest_restrictions +++ b/tests/02_zones/03_masq_src_dest_restrictions @@ -146,6 +146,10 @@ table inet fw4 { oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -216,7 +220,7 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices index 125bc27..8695594 100644 --- a/tests/02_zones/04_wildcard_devices +++ b/tests/02_zones/04_wildcard_devices 
@@ -161,6 +161,18 @@ table inet fw4 { oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + iifname "/never/" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment" + iifname "test*" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment" + iifname "foo*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" + iifname "bar*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" + iifname { "test1", "test2" } jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" + iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment" + iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment" + iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment" + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -178,6 +190,9 @@ table inet fw4 { jump drop_to_test1 } + chain helper_test1 { + } + chain drop_from_test1 { counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic" } @@ -198,6 +213,9 @@ table inet fw4 { jump drop_to_test2 } + chain helper_test2 { + } + chain drop_from_test2 { iifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" } @@ -218,6 +236,9 @@ table inet fw4 { jump drop_to_test3 } + chain helper_test3 { + } + chain drop_from_test3 { iifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic" } 
@@ -238,6 +259,9 @@ table inet fw4 { jump drop_to_test4 } + chain helper_test4 { + } + chain drop_from_test4 { iifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" iifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" @@ -262,6 +286,9 @@ table inet fw4 { jump drop_to_test5 } + chain helper_test5 { + } + chain drop_from_test5 { iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" 
@@ -289,40 +316,17 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { type filter hook prerouting priority raw; policy accept; - iifname "/never/" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment" - iifname "test*" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment" - iifname "foo*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" - iifname "bar*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" - iifname { "test1", "test2" } jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" - iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment" - iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment" - iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment" } chain raw_output { type filter hook output priority raw; policy accept; } - chain helper_test1 { - } - - chain helper_test2 { - } - - chain helper_test3 { - } - - chain helper_test4 { - } - - chain helper_test5 { - } - # # Mangle rules diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches index f4cbc30..2910800 100644 --- a/tests/02_zones/05_subnet_mask_matches +++ b/tests/02_zones/05_subnet_mask_matches 
@@ -110,6 +110,13 @@ table inet fw4 { meta nfproto ipv6 ip6 daddr { ::3, ::4 } ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment" + meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment" + meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment" + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -127,6 +134,9 @@ table inet fw4 { jump drop_to_test1 } + chain helper_test1 { + } + chain drop_from_test1 { meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 counter drop comment "!fw4: drop test1 IPv6 traffic" } @@ -147,6 +157,9 @@ table inet fw4 { jump drop_to_test2 } + chain helper_test2 { + } + chain drop_from_test2 { meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic" 
@@ -174,26 +187,17 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { type filter hook prerouting priority raw; policy accept; - meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment" - meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment" - meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment" } chain raw_output { type filter hook output priority raw; policy accept; } - chain helper_test1 { - } - - chain helper_test2 { - } - # # Mangle rules diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections index 9b4d5d7..29af97d 100644 --- a/tests/02_zones/06_family_selections +++ b/tests/02_zones/06_family_selections @@ -132,6 +132,10 @@ table inet fw4 { meta nfproto ipv6 oifname "eth0" jump output_test5 comment "!fw4: Handle test5 IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -252,7 +256,7 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers index 3da8312..c6f68de 100644 --- a/tests/02_zones/07_helpers +++ b/tests/02_zones/07_helpers 
@@ -82,6 +82,59 @@ table inet fw4 flush table inet fw4 table inet fw4 { + # + # CT helper definitions + # + + ct helper amanda { + type "amanda" protocol udp; + } + + ct helper ftp { + type "ftp" protocol tcp; + } + + ct helper RAS { + type "RAS" protocol udp; + } + + ct helper Q.931 { + type "Q.931" protocol tcp; + } + + ct helper irc { + type "irc" protocol tcp; + } + + ct helper netbios-ns { + type "netbios-ns" protocol udp; + } + + ct helper pptp { + type "pptp" protocol tcp; + } + + ct helper sane { + type "sane" protocol tcp; + } + + ct helper sip { + type "sip" protocol udp; + } + + ct helper snmp { + type "snmp" protocol udp; + } + + ct helper tftp { + type "tftp" protocol udp; + } + + ct helper rtsp { + type "rtsp" protocol tcp; + } + + # # Set definitions # @@ -141,6 +194,14 @@ table inet fw4 { oifname "zone4" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment" + iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment" + iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment" + iifname "zone4" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -158,6 +219,10 @@ table inet fw4 { jump drop_to_test1 } + chain helper_test1 { + meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" + } + chain drop_from_test1 { iifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic" } 
@@ -178,6 +243,10 @@ table inet fw4 { jump drop_to_test2 } + chain helper_test2 { + meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" + } + chain drop_from_test2 { iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" } @@ -198,6 +267,10 @@ table inet fw4 { jump drop_to_test3 } + chain helper_test3 { + meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" + } + chain drop_from_test3 { iifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic" } 
@@ -218,6 +291,21 @@ table inet fw4 { jump drop_to_test4 } + chain helper_test4 { + meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto" + meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking" + meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking" + meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking" + meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking" + meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking" + meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking" + meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking" + meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking" + meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking" + meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" + meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking" + } + chain drop_from_test4 { iifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" } 
@@ -251,96 +339,17 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { type filter hook prerouting priority raw; policy accept; - iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment" - iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment" - iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment" - iifname "zone4" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment" } chain raw_output { type filter hook output priority raw; policy accept; } - ct helper amanda { - type "amanda" protocol udp; - } - - ct helper ftp { - type "ftp" protocol tcp; - } - - ct helper RAS { - type "RAS" protocol udp; - } - - ct helper Q.931 { - type "Q.931" protocol tcp; - } - - ct helper irc { - type "irc" protocol tcp; - } - - ct helper netbios-ns { - type "netbios-ns" protocol udp; - } - - ct helper pptp { - type "pptp" protocol tcp; - } - - ct helper sane { - type "sane" protocol tcp; - } - - ct helper sip { - type "sip" protocol udp; - } - - ct helper snmp { - type "snmp" protocol udp; - } - - ct helper tftp { - type "tftp" protocol udp; - } - - ct helper rtsp { - type "rtsp" protocol tcp; - } - - chain helper_test1 { - meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" - } - - chain helper_test2 { - meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" - } - - chain helper_test3 { - meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" - } - - chain helper_test4 { - meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto" - meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking" - meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking" - meta l4proto tcp tcp dport 1720 ct helper set 
"Q.931" comment "!fw4: Q.931 proto tracking" - meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking" - meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking" - meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking" - meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking" - meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking" - meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking" - meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" - meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking" - } - # # Mangle rules diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction index ba6bfdc..4c33868 100644 --- a/tests/03_rules/01_direction +++ b/tests/03_rules/01_direction @@ -97,6 +97,10 @@ table inet fw4 { counter comment "!fw4: @rule[2]" } + chain prerouting { + type filter hook prerouting priority filter; policy accept; + } + chain handle_reject { meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" @@ -117,7 +121,7 @@ table inet fw4 { # - # Raw rules (notrack & helper) + # Raw rules (notrack) # chain raw_prerouting { diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled index 64dbb1c..f9eb3bf 100644 --- a/tests/03_rules/02_enabled +++ b/tests/03_rules/02_enabled 
@@ -92,6 +92,10 @@ table inet fw4 {
 counter comment "!fw4: Explicitly enabled"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -112,7 +116,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index f92ef27..51b1ab9 100644
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -128,6 +128,10 @@ table inet fw4 {
 meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -145,6 +149,9 @@ table inet fw4 {
 jump drop_to_lan
 }
+ chain helper_lan {
+ }
+
 chain drop_from_lan {
 }
@@ -166,7 +173,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
@@ -177,9 +184,6 @@ table inet fw4 {
 type filter hook output priority raw; policy accept;
 }
- chain helper_lan {
- }
-
 #
 # Mangle rules
diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index d50b8f3..0c615a7 100644
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -104,6 +104,10 @@ table inet fw4 {
 meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -124,7 +128,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 9cd7b9f..79ae8ec 100644
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -202,6 +202,12 @@ table inet fw4 {
 oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
+ iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -219,6 +225,9 @@ table inet fw4 {
 jump drop_to_lan
 }
+ chain helper_lan {
+ }
+
 chain drop_from_lan {
 iifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
 }
@@ -239,6 +248,9 @@ table inet fw4 {
 jump drop_to_wan
 }
+ chain helper_wan {
+ }
+
 chain drop_from_wan {
 iifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
 }
@@ -262,25 +274,17 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
 type filter hook prerouting priority raw; policy accept;
- iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
- iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
 }
 chain raw_output {
 type filter hook output priority raw; policy accept;
 }
- chain helper_lan {
- }
-
- chain helper_wan {
- }
-
 #
 # Mangle rules
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index 458fefb..c5b90bd 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
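Review bot: In the new `prerouting` chain of 05_mangle both `iifname { "eth0", "eth1" } jump helper_lan` and `iifname { "eth2", "eth3" } jump helper_wan` are emitted even though `helper_lan` and `helper_wan` are empty chains in this same expectation, so every ingress packet on those interfaces takes a jump into a chain that assigns nothing. That looks like the jump is keyed on the zone being flagged for helpers rather than on helper rules actually existing (presumably because no helper is available in the test environment); emitting the jump and the chain only when the zone resolved at least one available helper would keep the per-packet path shorter and make the expectation reflect a real ruleset. Since `ct helper set` is the only thing those chains are for, nothing is lost by omitting them when they would be empty. The enclosing `table inet fw4 {` block begins and ends outside this hunk.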
@@ -172,6 +172,10 @@ table inet fw4 {
 oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -288,7 +292,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 6beeafb..471b043 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -192,6 +192,10 @@ table inet fw4 {
 oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -324,7 +328,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index 605c74b..b33d01f 100644
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -220,6 +220,10 @@ table inet fw4 {
 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -275,7 +279,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time
index c3610be..e7c55db 100644
--- a/tests/03_rules/09_time
+++ b/tests/03_rules/09_time
@@ -173,6 +173,10 @@ table inet fw4 {
 meta day { "Monday", "Tuesday", "Wednesday", "Sunday", "Thursday" } counter accept comment "!fw4: Time rule #12"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -193,7 +197,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index 194d35a..f936286 100644
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -117,6 +117,10 @@ table inet fw4 {
 oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 }
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
 chain handle_reject {
 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
@@ -207,7 +211,7 @@ table inet fw4 {
 #
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
 #
 chain raw_prerouting {