From 6443ec7805295de07f6051662065a16b4a194f19 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Wed, 2 Nov 2022 16:06:47 +0100
Subject: [PATCH] config: drop input traffic by default

This is necessary with firewall4 to avoid a hard-to-diagnose race condition during boot, causing DNAT rules not to be taken into account correctly. The root cause is that, during boot, the ruleset is mostly empty, and interface-related rules (including DNAT rules) are added incrementally. If a packet hits the input chain before the DNAT rules are setup, it can create buggy conntrack entries that will persist indefinitely. This new default should be safe because firewall4 explicitly accepts authorized traffic and rejects the rest. Thus, in normal operations, the default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez
---
 root/etc/config/firewall | 2 +-
 tests/01_configuration/01_ruleset | 3 ++-
 tests/mocks/uci/firewall.json | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/root/etc/config/firewall b/root/etc/config/firewall
index b9a4647..d78a00c 100644
--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
@@ -1,6 +1,6 @@
 config defaults
 option syn_flood 1
- option input ACCEPT
+ option input REJECT
 option output ACCEPT
 option forward REJECT
 # Uncomment this line to disable ipv6 rules
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index c4fd5b4..43ed9df 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -107,7 +107,7 @@ table inet fw4 {
 #
 chain input {
- type filter hook input priority filter; policy accept;
+ type filter hook input priority filter; policy drop;
 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
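Review bot: `option input REJECT` in root/etc/config/firewall changes the fallback policy with no in-file explanation, so the rationale in the commit message (boot-time packets reaching the input chain before DNAT rules exist and leaving persistent conntrack entries) is invisible to whoever next reads the shipped config and may be tempted to set it back to ACCEPT. The file already carries `#` comments (the "Uncomment this line to disable ipv6 rules" line in the same hunk), so a one-line comment above the option would do: `# Do not set input to ACCEPT: during boot, packets can hit the input chain before DNAT rules exist and create stale conntrack entries (openwrt/openwrt#10749)`. The tests/01_configuration/01_ruleset fixture shows how REJECT renders — `policy drop` on the chain plus a terminal `jump handle_reject` — which is worth stating in that comment too, since the subject line says "drop" while the option says REJECT and the two are only consistent once that mapping is known. The mock and fixture hunks need nothing beyond this.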
@@ -115,6 +115,7 @@ table inet fw4 {
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ jump handle_reject
 }
 
 chain forward {
diff --git a/tests/mocks/uci/firewall.json b/tests/mocks/uci/firewall.json
index a22cbf4..90a309c 100644
--- a/tests/mocks/uci/firewall.json
+++ b/tests/mocks/uci/firewall.json
@@ -3,7 +3,7 @@
 "flow_offloading": "1",
 "flow_offloading_hw": "1",
 "forward": "REJECT",
- "input": "ACCEPT",
+ "input": "REJECT",
 "output": "ACCEPT",
 "syn_flood": "1",
 "unknown_defaults_option": "foo"
--
2.30.2