From: Jo-Philipp Wich Date: Thu, 10 Feb 2022 18:52:00 +0000 (+0100) Subject: fw4: only stage reflection rules if all required addrs are known X-Git-Url: http://git.openwrt.org/openwrt/svn-archive.git?a=commitdiff_plain;h=1a94915b5d38c9f17b27481add5a0a62341da627;p=project%2Ffirewall4.git fw4: only stage reflection rules if all required addrs are known Do not stage reflection rules if any of the internal, external or rewrite IP addrs cannot be determined. Also emit a warning in this case and extend the redirect test case to cover this. Fixes: #5067 Signed-off-by: Jo-Philipp Wich --- diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index 5135ef1..fa65a46 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -2756,7 +2756,16 @@ return { } } - if (snat_addr) { + if (!snat_addr) { + this.warn_section(data, (redir.reflection_src || "external") + " rewrite IP cannot be determined, disabling reflection"); + } + else if (!length(iaddrs[i])) { + this.warn_section(data, "internal address range cannot be determined, disabling reflection"); + } + else if (!length(eaddrs[i])) { + this.warn_section(data, "external address range cannot be determined, disabling reflection"); + } + else { refredir.src = rzone; refredir.dest = null; refredir.target = "dnat"; diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect index 5af1418..276d451 100644 --- a/tests/03_rules/07_redirect +++ b/tests/03_rules/07_redirect @@ -30,6 +30,12 @@ Test various address selection rules in redirect rules. "name": "lan", "network": "lan", "auto_helper": 0 + }, + { + "name": "noaddr", + "network": [ "noaddr" ], + "masq": 1, + "masq6": 1 } ], "redirect": [ 
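Review bot: The three new guards explain themselves only through the warning text, and nothing in the hunk records why a reflection rule with a missing rewrite IP or an empty address range must not be staged at all rather than emitted without that match; a comment above the new `if (!snat_addr) {` such as `// reflection needs the rewrite IP and both the internal and external address ranges; never stage a rule with an empty address match` would keep that rationale next to the check. Because `iaddrs[i]` and `eaddrs[i]` are indexed by a loop variable declared outside the hunk, the same section will presumably be warned once per iteration; if only one warning per section is intended, that should be confirmed against the loop. The enclosing function starts and ends outside the hunk.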
@@ -70,6 +76,15 @@ Test various address selection rules in redirect rules. "src_dport": "23", "dest_ip": "192.168.26.100", "reflection_src": "external" + }, + { + ".description": "Ensure that reflection is disabled if external address cannot be determined", + "name": "Redirect test #5", + "src": "noaddr", + "dest": "lan", + "proto": "tcp", + "src_dport": "24", + "dest_ip": "192.168.26.100" } ] } @@ -78,6 +93,7 @@ Test various address selection rules in redirect rules. -- Expect stderr -- [!] Section @redirect[2] (Redirect test #3) does not specify a destination, assuming 'lan' [!] Section @redirect[3] (Redirect test #4) does not specify a destination, assuming 'lan' +[!] Section @redirect[4] (Redirect test #5) external address range cannot be determined, disabling reflection -- End -- -- Expect stdout -- @@ -98,6 +114,7 @@ table inet fw4 { define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 } define lan_devices = { "br-lan" } define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } + define noaddr_devices = { "wwan0" } # # User includes @@ -118,6 +135,7 @@ table inet fw4 { ct state established,related accept comment "!fw4: Allow inbound established and related flows" iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" + iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic" } chain forward { @@ -126,6 +144,7 @@ table inet fw4 { ct state established,related accept comment "!fw4: Allow forwarded established and related flows" iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" + iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic" } chain output { 
@@ -136,6 +155,7 @@ table inet fw4 { ct state established,related accept comment "!fw4: Allow outbound established and related flows" oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" + oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic" } chain handle_reject { @@ -191,6 +211,28 @@ table inet fw4 { oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic" } + chain input_noaddr { + ct status dnat accept comment "!fw4: Accept port redirections" + jump drop_from_noaddr + } + + chain output_noaddr { + jump drop_to_noaddr + } + + chain forward_noaddr { + ct status dnat accept comment "!fw4: Accept port forwards" + jump drop_to_noaddr + } + + chain drop_from_noaddr { + iifname "wwan0" counter drop comment "!fw4: drop noaddr IPv4/IPv6 traffic" + } + + chain drop_to_noaddr { + oifname "wwan0" counter drop comment "!fw4: drop noaddr IPv4/IPv6 traffic" + } + # # NAT rules @@ -200,12 +242,14 @@ table inet fw4 { type nat hook prerouting priority dstnat; policy accept; iifname "eth1" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic" iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic" + iifname "wwan0" jump dstnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 dstnat traffic" } chain srcnat { type nat hook postrouting priority srcnat; policy accept; oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic" + oifname "wwan0" jump srcnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 srcnat traffic" } chain dstnat_wan { 
@@ -230,6 +274,15 @@ table inet fw4 { ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 23 snat 10.11.12.194 comment "!fw4: Redirect test #4 (reflection)" } + chain dstnat_noaddr { + meta nfproto ipv4 tcp dport 24 counter dnat 192.168.26.100:24 comment "!fw4: Redirect test #5" + } + + chain srcnat_noaddr { + meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 noaddr traffic" + meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 noaddr traffic" + } + # # Raw rules (notrack & helper) diff --git a/tests/mocks/ubus/network.interface~dump.json b/tests/mocks/ubus/network.interface~dump.json index 4f6f4eb..f4d3264 100644 --- a/tests/mocks/ubus/network.interface~dump.json +++ b/tests/mocks/ubus/network.interface~dump.json @@ -405,6 +405,71 @@ }, "data": { + } + }, + { + "interface": "noaddr", + "up": true, + "pending": false, + "available": true, + "autostart": true, + "dynamic": false, + "uptime": 89940, + "l3_device": "wwan0", + "proto": "static", + "device": "wwan0", + "updated": [ + + ], + "metric": 0, + "dns_metric": 0, + "delegation": true, + "ipv4-address": [ + + ], + "ipv6-address": [ + + ], + "ipv6-prefix": [ + + ], + "ipv6-prefix-assignment": [ + + ], + "route": [ + + ], + "dns-server": [ + + ], + "dns-search": [ + + ], + "neighbors": [ + + ], + "inactive": { + "ipv4-address": [ + + ], + "ipv6-address": [ + + ], + "route": [ + + ], + "dns-server": [ + + ], + "dns-search": [ + + ], + "neighbors": [ + + ] + }, + "data": { + } } ]