From 756f1e21ed77f2c0b3fc2c8128c808704f2cf61b Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 14 Oct 2022 17:01:44 +0200
Subject: [PATCH] ruleset: fix emitting set_mark/set_xmark rules with masks

Fix a bad variable access when emitting set_mark/set_xmark rules with masks and add test coverage for the various mark target variants.

Fixes: #10965
Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/firewall4/templates/rule.uc | 8 +-
 tests/03_rules/12_mark | 184 +++++++++++++++++++++
 2 files changed, 188 insertions(+), 4 deletions(-)
 create mode 100644 tests/03_rules/12_mark

diff --git a/root/usr/share/firewall4/templates/rule.uc b/root/usr/share/firewall4/templates/rule.uc
index d2c31b1..439d0fc 100644
--- a/root/usr/share/firewall4/templates/rule.uc
+++ b/root/usr/share/firewall4/templates/rule.uc
@@ -78,12 +78,12 @@
 (rule.set_xmark.mask == 0xFFFFFFFF)
 ? fw4.hex(rule.set_xmark.mark)
 : (rule.set_xmark.mark == 0)
- ? 'mark and ' + fw4.hex(~rule.set_xmark.mask & 0xFFFFFFFF)
+ ? `mark and ${fw4.hex(~rule.set_xmark.mask & 0xFFFFFFFF)}`
 : (rule.set_xmark.mark == rule.set_xmark.mask)
- ? 'mark or ' + fw4.hex(rule.set_xmark.mark)
+ ? `mark or ${fw4.hex(rule.set_xmark.mark)}`
 : (rule.set_xmark.mask == 0)
- ? 'mark xor ' + fw4.hex(rule.set_xmark.mark)
- : 'mark and ' + fw4.hex(~r.set_xmark.mask & 0xFFFFFFFF) + ' xor ' + fw4.hex(r.set_xmark.mark)
+ ? `mark xor ${fw4.hex(rule.set_xmark.mark)}`
+ : `mark and ${fw4.hex(~rule.set_xmark.mask & 0xFFFFFFFF)} xor ${fw4.hex(rule.set_xmark.mark)}`
 }}
 {%+ elif (rule.target == "dscp"): -%}
 {{ fw4.ipproto(rule.family) }} dscp set {{ fw4.hex(rule.set_dscp.dscp) }}
 {%+
diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark
new file mode 100644
index 0000000..67e2a0c
--- /dev/null
+++ b/tests/03_rules/12_mark
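Review bot: The four rewritten `+` lines encode bit-identities that are not obvious from the code: `mark or V` is substituted for `mark and ~M xor V` only because the branch guard guarantees V == M, and `mark xor V` only because M == 0, yet nothing in the hunk says so, and the next reader has to re-derive why each shortcut is equivalent to the general form on the last `+` line. A short comment above the ternary chain, if the template parser accepts one inside the expression block, would carry that: `// nft has no xmark op: emit (mark & ~mask) ^ value, collapsed to set/and/or/xor when one operation suffices`. The enclosing `{{ … }}` expression and the `set_mark` branch begin before this hunk, so that path could not be checked here.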
@@ -0,0 +1,184 @@
+Testing various MARK rules.
+
+-- Testcase --
+{%
+ include("./root/usr/share/firewall4/main.uc", {
+ getenv: function(varname) {
+ switch (varname) {
+ case 'ACTION':
+ return 'print';
+ }
+ }
+ })
+%}
+-- End --
+
+-- File uci/helpers.json --
+{}
+-- End --
+
+-- File uci/firewall.json --
+{
+ "rule": [
+ {
+ ".description": "Test setting mark",
+ "name": "Mark rule #1",
+ "proto": "all",
+ "src": "*",
+ "target": "MARK",
+ "set_mark": "0xaa"
+ },
+ {
+ ".description": "Test setting mark with mask",
+ "name": "Mark rule #2",
+ "proto": "all",
+ "src": "*",
+ "target": "MARK",
+ "set_mark": "0xab/0xff00"
+ },
+ {
+ ".description": "Test setting xor mark",
+ "name": "Mark rule #3",
+ "proto": "all",
+ "src": "*",
+ "target": "MARK",
+ "set_xmark": "0xac"
+ },
+ {
+ ".description": "Test setting xor mark with mask",
+ "name": "Mark rule #4",
+ "proto": "all",
+ "src": "*",
+ "target": "MARK",
+ "set_xmark": "0xad/0xff00"
+ },
+ {
+ ".description": "Test ANDing bits (set xmark 0/~bits)",
+ "name": "Mark rule #5",
+ "proto": "all",
+ "src": "*",
+ "target": "MARK",
+ "set_xmark": "0/0xffffff51"
+ },
+ {
+ ".description": "Test ORing bits (set xmark bits/bits)",
+ "name": "Mark rule #6",
+ "proto": "all",
+ "src": "*",
+ "target": "MARK",
+ "set_xmark": "0xaf/0xaf"
+ }
+ ]
+}
+-- End --
+
+-- Expect stdout --
+table inet fw4
+flush table inet fw4
+
+table inet fw4 {
+ #
+ # Defines
+ #
+
+
+ #
+ # User includes
+ #
+
+ include "/etc/nftables.d/*.nft"
+
+
+ #
+ # Filter rules
+ #
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+
+ ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+ }
+
+ chain output {
+ type filter hook output priority filter; policy drop;
+
+ oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+
+ ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
+ chain handle_reject {
+ meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
+ reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
+ }
+
+
+ #
+ # NAT rules
+ #
+
+ chain dstnat {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+
+ chain srcnat {
+ type nat hook postrouting priority srcnat; policy accept;
+ }
+
+
+ #
+ # Raw rules (notrack)
+ #
+
+ chain raw_prerouting {
+ type filter hook prerouting priority raw; policy accept;
+ }
+
+ chain raw_output {
+ type filter hook output priority raw; policy accept;
+ }
+
+
+ #
+ # Mangle rules
+ #
+
+ chain mangle_prerouting {
+ type filter hook prerouting priority mangle; policy accept;
+ }
+
+ chain mangle_postrouting {
+ type filter hook postrouting priority mangle; policy accept;
+ }
+
+ chain mangle_input {
+ type filter hook input priority mangle; policy accept;
+ counter meta mark set 0xaa comment "!fw4: Mark rule #1"
+ counter meta mark set mark and 0xffff0054 xor 0xab comment "!fw4: Mark rule #2"
+ counter meta mark set 0xac comment "!fw4: Mark rule #3"
+ counter meta mark set mark and 0xffff00ff xor 0xad comment "!fw4: Mark rule #4"
+ counter meta mark set mark and 0xae comment "!fw4: Mark rule #5"
+ counter meta mark set mark or 0xaf comment "!fw4: Mark rule #6"
+ }
+
+ chain mangle_output {
+ type route hook output priority mangle; policy accept;
+ }
+
+ chain mangle_forward {
+ type filter hook forward priority mangle; policy accept;
+ }
+}
+-- End --
-- 
2.30.2
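Review bot: The `mark xor` form that rule.uc emits for a set_xmark with `mask == 0` is the one rewritten branch these six rules never reach: the expected mangle_input lines show `set` (rules #1, #3), `mark and … xor` (#2, #4), `mark and` (#5) and `mark or` (#6), and rules #1–#2 go through the set_mark path rather than the fixed xmark chain. If the option parser accepts a zero mask, a seventh rule along the lines of `"set_xmark": "0xae/0x0"` with an expected `counter meta mark set mark xor 0xae comment "!fw4: Mark rule #7"` would close that gap (the values are constructed here, not taken from a run); if it rejects a zero mask, the branch is unreachable from UCI and a note in the template saying so would be worth adding instead.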