webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

firewall: Only check relevant bits for NAT fix rules

Browse Source 
In order to use the highest two bits for surciata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This commit is contained in:
Michael Tremer
2021-10-04 18:52:17 +01:00
committed by Arne Fitzenreiter
parent 5c372259e3
commit ce31144c62
2 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
config/firewall/rules.pl
View File

@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = (
"100.64.0.0/10",
);
# MARK masks
my $NAT_MASK = 0x0f000000;
my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules {
my $interface = shift;
my @options = @_;
my $mark = 0;
my $mark = 0x01000000;
foreach my $zone ("GREEN", "BLUE", "ORANGE") {
$mark++;
# Skip rule if not all required information exists.
next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
next unless (exists $defaultNetworks{$zone . "_NETMASK"});
@@ -845,9 +846,11 @@ sub add_dnat_mangle_rules {
$netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
$mark <<= 1;
}
}

8
src/initscripts/system/firewall
View File

@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then
DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
fi
NAT_MASK="0x0f000000"
function iptables() {
/sbin/iptables --wait "$@"
}
@@ -282,17 +284,17 @@ iptables_init() {
if [ -n "${GREEN_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
-m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
-m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
fi
if [ -n "${BLUE_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
-m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
-m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
fi
if [ -n "${ORANGE_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
-m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
fi
# RED chain, used for the red interface