From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/6] firewall: Only check relevant bits for NAT fix rules
Date: Mon, 04 Oct 2021 18:52:17 +0100 [thread overview]
Message-ID: <20211004175222.9208-1-michael.tremer@ipfire.org> (raw)
In order to use the highest two bits for suricata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/firewall/rules.pl | 11 +++++++----
src/initscripts/system/firewall | 8 +++++---
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c9024..9d280045a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = (
"100.64.0.0/10",
);
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
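Review bot: the `# MARK masks` comment above `my $NAT_MASK = 0x0f000000;` should spell out the mark layout it introduces, i.e. that the NAT destination fix owns the nibble 0x0f000000 and that the top two bits are being reserved for the Suricata bypass named in the commit message, so the next person adding a mark knows which bits are already taken. Suggest something like `# Bits 24-27 (0x0f000000) are used by the NAT fix, the highest two bits are reserved for suricata bypass`.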
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules {
my $interface = shift;
my @options = @_;
- my $mark = 0;
+ my $mark = 0x01000000;
foreach my $zone ("GREEN", "BLUE", "ORANGE") {
- $mark++;
-
# Skip rule if not all required information exists.
next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
next unless (exists $defaultNetworks{$zone . "_NETMASK"});
@@ -845,9 +846,11 @@ sub add_dnat_mangle_rules {
$netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
- push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
+ push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
+
+ $mark <<= 1;
}
}
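Review bot: moving the increment from the top of the loop (the removed `$mark++`) to `$mark <<= 1;` at the end of the body changes which bit a zone receives when an earlier zone is skipped. The `next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});` checks in the previous hunk leave the body before the shift runs, so on a box without BLUE, ORANGE is marked with 0x02000000 while the initscript matches ORANGE on 0x04000000 and the SNAT rule never fires. Either shift before the `next` checks or use a fixed per-zone table, e.g. `my %marks = (GREEN => 0x01000000, BLUE => 0x02000000, ORANGE => 0x04000000);`, so the mark no longer depends on which zones exist.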
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe1..9d023a349 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then
DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
fi
+NAT_MASK="0x0f000000"
+
function iptables() {
/sbin/iptables --wait "$@"
}
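Review bot: `NAT_MASK="0x0f000000"` duplicates the value of `$NAT_MASK` in config/firewall/rules.pl with nothing tying the two definitions together; if one is changed without the other, the `-m mark --mark .../${NAT_MASK}` rules below silently stop matching and the NAT fix breaks. At least add a comment here pointing at the other definition (and the same in rules.pl) so a future change updates both.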
@@ -282,17 +284,17 @@ iptables_init() {
if [ -n "${GREEN_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+ -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
fi
if [ -n "${BLUE_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+ -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
fi
if [ -n "${ORANGE_ADDRESS}" ]; then
iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+ -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
fi
# RED chain, used for the red interface
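Review bot: the marks 0x01000000, 0x02000000 and 0x04000000 are hard-coded here while rules.pl derives them by shifting inside a loop, so the two files only agree as long as every zone takes exactly one shift in the order GREEN, BLUE, ORANGE. Naming them next to `NAT_MASK` (e.g. `GREEN_MARK="0x01000000"`, `BLUE_MARK="0x02000000"`, `ORANGE_MARK="0x04000000"`) and using the variables in the three `--mark` matches would make the correspondence explicit and keep the values in one place. The `value/mask` form itself is right: `-m mark --mark "0x01000000/${NAT_MASK}"` matches on `(mark & 0x0f000000) == 0x01000000`, so bits set by other subsystems no longer defeat the match, which is what the patch sets out to do.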
--
2.31.0