From 2816a82821befde0e4aa16d2f50215f04a4bbef4 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 26 Apr 2022 14:27:41 +0200 Subject: [PATCH] ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well Fixes: #9765 Ref: https://github.com/openwrt/openwrt/issues/9765 Signed-off-by: Jo-Philipp Wich --- root/usr/share/firewall4/templates/rule.uc | 4 +--- root/usr/share/ucode/fw4.uc | 16 ++++++++++++++++ tests/03_rules/04_icmp | 4 ++-- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/root/usr/share/firewall4/templates/rule.uc b/root/usr/share/firewall4/templates/rule.uc index 417bef7..d90595d 100644 --- a/root/usr/share/firewall4/templates/rule.uc +++ b/root/usr/share/firewall4/templates/rule.uc @@ -1,9 +1,7 @@ {%+ if (rule.family && !rule.has_addrs): -%} meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%} - meta l4proto {{ - (rule.proto.name == 'icmp' && rule.family == 6) ? 'ipv6-icmp' : rule.proto.name - }} {%+ endif -%} + meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }} {%+ endif -%} {%+ if (rule.iifnames): -%} iifname {{ fw4.set(rule.iifnames) }} {%+ endif -%} {%+ if (rule.oifnames): -%} diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index b725459..28865cd 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -1616,6 +1616,22 @@ return { } }, + l4proto: function(family, proto) { + switch (proto.name) { + case 'icmp': + switch (family ?? 0) { + case 0: + return this.set(['icmp', 'ipv6-icmp']); + + case 6: + return 'ipv6-icmp'; + } + + default: + return proto.name; + } + }, + datetime: function(stamp) { return sprintf('"%04d-%02d-%02d %02d:%02d:%02d"', stamp.year, stamp.month, stamp.day, diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp index d3c97db..a4e1346 100644 --- a/tests/03_rules/04_icmp +++ b/tests/03_rules/04_icmp 
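Review bot: The new `meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }}` line is only reached under the visible guard `!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes`, so the family-agnostic `{ icmp, ipv6-icmp }` expansion applies to plain `proto icmp` rules only; rules carrying `icmp_types`/`icmp_codes` take a branch outside this hunk, and whether a family-agnostic rule with ICMP types now also matches ICMPv6 is not shown here — worth confirming, since the commit's stated scope is family-agnostic ICMP rules in general. A one-line template comment above the new line would help the next reader, e.g. `{# family-agnostic icmp expands to { icmp, ipv6-icmp }; see fw4.l4proto() #}`. The surrounding template continues outside the hunk.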
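Review bot: In the new `l4proto` helper the IPv4 result is produced by implicit fallthrough: for a `family` value other than 0 and 6 the inner `switch` matches nothing, control drops out of `case 'icmp':` into the outer `default:`, and `proto.name` (`icmp`) is returned — correct, but it reads like a missing case and would silently change if someone later added a `break` after the inner switch. Make it explicit by giving the inner switch its own `default: return proto.name;` (or `case 4: return 'icmp';`), keeping the outer `default:` for non-ICMP protocols. The helper also has no comment; I would add `/* nft l4proto expression for a rule's protocol; family-agnostic icmp becomes the set { icmp, ipv6-icmp } so the rule also matches ICMPv6 (#9765). */` above it. Note that `this.set(...)` only works when the helper is invoked as a method of the returned object (the template's `fw4.l4proto(...)` call satisfies this), so a bare-function call from elsewhere would break.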
@@ -21,7 +21,7 @@ Testing handling of ICMP related options. { "rule": [ { - ".description": "Proto 'icmp' maps to IPv4 and IPv6 rules", + ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule", "proto": "icmp", "name": "ICMP rule #1" }, @@ -97,7 +97,7 @@ table inet fw4 { oifname "lo" accept comment "!fw4: Accept traffic towards loopback" ct state established,related accept comment "!fw4: Allow outbound established and related flows" - meta l4proto icmp counter comment "!fw4: ICMP rule #1" + meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3" meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4" -- 2.30.2
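Review bot: The updated expectation for `ICMP rule #1` only pins the family-agnostic path of the new `l4proto` helper; of the other expected lines in this hunk, rules #2 and #3 carry `meta nfproto ipv6` and rule #4 is `meta nfproto ipv4` with `icmp type . icmp code` (which, per the template guard `!rule.icmp_types`, bypasses `meta l4proto`), so no case here exercises an IPv4-family rule with plain `proto icmp`, the branch that ends in `default: return proto.name`. The rule definitions for #2–#4 are outside this hunk, so this may already be covered elsewhere in the file; if not, a case such as `{ "family": "ipv4", "proto": "icmp", "name": "ICMP rule #5" }` with expected output `meta nfproto ipv4 meta l4proto icmp counter comment "!fw4: ICMP rule #5"` would close the gap. The ruleset expectation continues outside the hunk.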