From ce31144c629354d32fcb41ea69f0dbc5e426eea7 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 4 Oct 2021 18:52:17 +0100
Subject: [PATCH] firewall: Only check relevant bits for NAT fix rules

In order to use the highest two bits for surciata bypass, we will need to make sure that whenever we compare any other marks, we do not care about anything else.

Signed-off-by: Michael Tremer
Signed-off-by: Arne Fitzenreiter
---
 config/firewall/rules.pl | 11 +++++++----
 src/initscripts/system/firewall | 8 +++++---
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c90248..9d280045ad 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = (
 "100.64.0.0/10",
 );
 
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules {
 my $interface = shift;
 my @options = @_;
 
- my $mark = 0;
+ my $mark = 0x01000000;
 foreach my $zone ("GREEN", "BLUE", "ORANGE") {
- $mark++;
-
 # Skip rule if not all required information exists.
 next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
 next unless (exists $defaultNetworks{$zone . "_NETMASK"});
@@ -845,9 +846,11 @@ sub add_dnat_mangle_rules {
 $netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
 
 push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
- push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
+ push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
 
 run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
+
+ $mark <<= 1;
 }
 }
 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe13..9d023a349b 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
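Review bot: The new `$NAT_MASK` in the first rules.pl hunk is a second copy of the value the init script hunk adds as `NAT_MASK="0x0f000000"`, and nothing in either file points at the other, so a later change to one of them would silently desynchronise the MARK rule from the `-m mark` matches that depend on it. A comment at the definition would at least make the coupling visible: `# Must match NAT_MASK in src/initscripts/system/firewall (bits reserved for the NAT fix marks)`. The same note applies to the `NAT_MASK=` hunk in src/initscripts/system/firewall.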
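Review bot: In the second rules.pl hunk the mark update now happens at the end of the loop body (`$mark <<= 1;` in the third hunk), which is after the two `next unless` checks, so a zone whose `_NETADDRESS` or `_NETMASK` key is absent no longer consumes its bit; the removed `$mark++` ran before those checks and gave each zone a fixed value. If BLUE is not configured, ORANGE would then be marked 0x02000000, which the init script matches as BLUE, while its own 0x04000000 rule never fires. Keeping the update ahead of the checks preserves the fixed mapping: `my $mark = 0x00800000;` before the loop and `$mark <<= 1;` as the first statement inside it, dropping the shift at the end. The lines between the two hunks are not shown and may hold further `next` statements, which the same move covers.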
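Review bot: In the third rules.pl hunk `"$mark/$NAT_MASK"` interpolates both integers in decimal, so the command that `run()` assembles reads `--set-xmark 16777216/251658240` while the init script writes the same values as hex literals; anyone searching logs or debug output for `0x01000000` will find only the shell side. `sprintf("0x%08x/0x%08x", $mark, $NAT_MASK)` in place of the interpolated string keeps both files in the same notation without changing the rule iptables installs.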
@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then
 DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
 fi
 
+NAT_MASK="0x0f000000"
+
 function iptables() {
 /sbin/iptables --wait "$@"
 }
@@ -282,17 +284,17 @@ iptables_init() {
 
 if [ -n "${GREEN_ADDRESS}" ]; then
 iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+ -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
 fi
 
 if [ -n "${BLUE_ADDRESS}" ]; then
 iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+ -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
 fi
 
 if [ -n "${ORANGE_ADDRESS}" ]; then
 iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+ -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 fi
 
 # RED chain, used for the red interface
-- 
2.39.2
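Review bot: In the second firewall hunk the three `--mark` values are literals whose GREEN/BLUE/ORANGE assignment is fixed only by the zone order of the `foreach` in config/firewall/rules.pl, and nothing here records that; a reader of this file alone cannot tell why ORANGE is 0x04000000 rather than 0x03000000. A comment above the GREEN block would make the dependency explicit: `# One mark bit per zone, in the order add_dnat_mangle_rules in config/firewall/rules.pl sets them; masked by NAT_MASK`. Naming the three values next to `NAT_MASK` instead of repeating them inline would remove the need for the reader to match them by eye. iptables_init() begins outside the hunk.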