public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 2b44044bcf6d4aebcccc223390cf553c68d62eab
@ 2022-02-14 19:46 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2022-02-14 19:46 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  2b44044bcf6d4aebcccc223390cf553c68d62eab (commit)
      from  ea72759c97e051dc3ca42a4aded55f28a9df7f49 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2b44044bcf6d4aebcccc223390cf553c68d62eab
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Mon Feb 14 17:32:27 2022 +0100

    firewall: Revert strict martian check on loopback interface
    
    If the firewall is talking to itself using one of its private IP
    addresses (e.g. the primary green interface IP address), it will use the
    loopback interface.
    
    This is due to the local routing table which will be looked up first:
    
      [root(a)ipfire ~]# ip rule
      0:      from all lookup local
      128:    from all lookup 220
      220:    from all lookup 220
      32765:  from all lookup static
      32766:  from all lookup main
      32767:  from all lookup default
    
    It contains:
    
      [root(a)ipfire ~]# ip route show table local
      local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x
      local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
      local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
      broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
      local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1
      broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1
    
    Any lookup for the green IP address will show this:
    
      local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0
          cache <local>
    
    A test ping shows this in tcpdump:
    
      [root(a)ipfire ~]# tcpdump -i any icmp -nn
      tcpdump: data link type LINUX_SLL2
      tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
      listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
      17:24:22.864293 lo    In  IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64
      17:24:22.864422 lo    In  IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64
      17:24:29.162021 lo    In  IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64
      17:24:29.162201 lo    In  IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64
    
    For this reason, we will have to accept any source and destination IP
    address on the loopback interface, which is what this patch does.
    
    We can, however, continue to check whether we received any packets with
    the loopback address on any other interface.
    
    This regression was introduced in commit a36cd34e.
    
    Fixes: #12776 - New spoofed or martian filter block
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 src/initscripts/system/firewall | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

Difference in files:
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 48653ff57..fc355cd5d 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -200,14 +200,10 @@ iptables_init() {
 	iptables -A INPUT -j ICMPINPUT
 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 
-	# Accept everything on loopback if source/destination is loopback space...
+	# Accept everything on loopback
 	iptables -N LOOPBACK
-	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
-	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
-
-	# ... and drop everything else on the loopback interface, since no other traffic should appear there
-	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
-	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
+	iptables -A LOOPBACK -i lo -j ACCEPT
+	iptables -A LOOPBACK -o lo -j ACCEPT
 
 	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
 	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
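Review bot: the unconditional `-i lo -j ACCEPT` / `-o lo -j ACCEPT` pair means the martian check for loopback now rests entirely on the rules that follow, and the only one visible in this context, `iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN`, matches on source address alone; if there is no matching `-d 127.0.0.0/8` rule below it, a packet destined for 127.0.0.0/8 arriving on green0 or ppp0 would no longer be caught, which is the check the commit message says is kept. Please confirm the destination counterpart exists outside the hunk, or add it. A small comment pointing at the local routing table behaviour (traffic to the firewall's own green or ppp0 address is delivered over lo with that non-127 source) next to "# Accept everything on loopback" would also stop the next reader from reinstating the stricter rule that commit a36cd34e introduced.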


hooks/post-receive
--
IPFire 2.x development tree
