firewall: Only check relevant bits for NAT fix rules

In order to use the highest two bits for surciata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c9024816781cad4ac696364791e24b4e1595..9d280045adf6dcbaa72df3d45b4f09e22107825b 100644 (file)
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = (
        "100.64.0.0/10",
 );
 
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules {
        my $interface = shift;
        my @options = @_;
 
-       my $mark = 0;
+       my $mark = 0x01000000;
        foreach my $zone ("GREEN", "BLUE", "ORANGE") {
-               $mark++;
-
                # Skip rule if not all required information exists.
                next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
                next unless (exists $defaultNetworks{$zone . "_NETMASK"});
@@ -845,9 +846,11 @@ sub add_dnat_mangle_rules {
                $netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
 
                push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
-               push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
+               push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
 
                run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
+
+               $mark <<= 1;
        }
 }
 

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe13b00461b1f11e2e83b8ecebd3a54a9e..9d023a349b98b3752608e41fcc71eeeb846fe43b 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then
        DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
 fi
 
+NAT_MASK="0x0f000000"
+
 function iptables() {
        /sbin/iptables --wait "$@"
 }
@@ -282,17 +284,17 @@ iptables_init() {
 
        if [ -n "${GREEN_ADDRESS}" ]; then
                iptables -t nat -A NAT_DESTINATION_FIX \
-                       -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+                       -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
        fi
 
        if [ -n "${BLUE_ADDRESS}" ]; then
                iptables -t nat -A NAT_DESTINATION_FIX \
-                       -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+                       -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
        fi
 
        if [ -n "${ORANGE_ADDRESS}" ]; then
                iptables -t nat -A NAT_DESTINATION_FIX \
-                       -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+                       -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
        fi
 
        # RED chain, used for the red interface