zones: drop outgoing invalid traffic in masqueraded zones
authorJo-Philipp Wich <jo@mein.io>
Sun, 9 Apr 2017 12:35:32 +0000 (14:35 +0200)
committerJo-Philipp Wich <jo@mein.io>
Thu, 27 Apr 2017 15:10:50 +0000 (17:10 +0200)
Install conntrack state invalid drop rules to catch outgoing, un-natted
traffic in zones with enabled masquerading.

Also introduce a new option "masq_allow_invalid" to inhibit these new
drop rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
options.h
zones.c

index 089242fdb7c7d70d9808c7ea08201df447935c9b..6edd174819b59aa8ef82b1907892b823a7e4dc97 100644 (file)
--- a/options.h
+++ b/options.h
@@ -304,6 +304,7 @@ struct fw3_zone
        const char *extra_dest;
 
        bool masq;
+       bool masq_allow_invalid;
        struct list_head masq_src;
        struct list_head masq_dest;
 
diff --git a/zones.c b/zones.c
index 520d00cf1e2775b9e3ab0b022b6fe3aace4db824..26f6215b22b77a793aa73061b29f2abbbaf17cc9 100644 (file)
--- a/zones.c
+++ b/zones.c
@@ -66,6 +66,7 @@ const struct fw3_option fw3_zone_opts[] = {
        FW3_OPT("output",              target,   zone,     policy_output),
 
        FW3_OPT("masq",                bool,     zone,     masq),
+       FW3_OPT("masq_allow_invalid",  bool,     zone,     masq_allow_invalid),
        FW3_LIST("masq_src",           network,  zone,     masq_src),
        FW3_LIST("masq_dest",          network,  zone,     masq_dest),
 
@@ -354,6 +355,17 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 
                        if (has(zone->flags, handle->family, t))
                        {
+                               if (t == FW3_FLAG_ACCEPT &&
+                                   zone->masq && !zone->masq_allow_invalid)
+                               {
+                                       r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
+                                       fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
+                                       fw3_ipt_rule_comment(r, "Prevent NAT leakage");
+                                       fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_DROP]);
+                                       fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
+                                                            fw3_flag_names[t]);
+                               }
+
                                r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
                                fw3_ipt_rule_target(r, jump_target(t));
                                fw3_ipt_rule_extra(r, zone->extra_dest);
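Review bot: The guard `zone->masq && !zone->masq_allow_invalid` emits the ctstate-INVALID drop for every destination and every address family the ACCEPT chain is built for, even though masquerading in this zone may be narrowed by the `masq_src`/`masq_dest` lists declared a few lines earlier, and may (if the nat-table code not shown here only masquerades IPv4) not apply to IPv6 at all; packets to such destinations were never going to be NATed, yet their INVALID packets are now dropped too. That is probably an acceptable trade-off, but it is wider than the "un-natted traffic" the commit message describes, and the only escape hatch is the zone-wide `masq_allow_invalid`. I would record the intent next to the guard, e.g. `/* Drop packets conntrack could not track so they cannot leave a masq zone un-NATed. Applied zone-wide, independent of masq_src/masq_dest and family; masq_allow_invalid disables it. */`, and consider gating the rule on the same family/subnet conditions the masquerade rules use. The enclosing print_interface_rule() starts before this hunk and continues after it.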