fw4: when ipset matches MAC, allow set family to 'any' #35

zsien · 2024-07-27T13:55:51Z

When filtering by MAC address, it is usually necessary to filter both IPv4 and IPv6.
If it is not allowed to set the family of ipset to any, it will be necessary to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: #16

When filtering by MAC address, it is usually necessary to filter both IPv4 and IPv6. If it is not allowed to set the family of ipset to any, it will be necessary to create a separate, identical ipset for both IPv4 and IPv6. Fixes: openwrt#16

brada4

Does what it says.

f00b4r0 · 2025-02-06T11:40:28Z

So I just stumbled upon this PR while looking again at #16 and after testing it I don't see how it "fixes" anything.

The meta nfproto ipv4 match is still emitted by fw4 for every rule that refers to the set. Sure you can add an option family 'any' to the ipset configuration, it will not emit a warning but it changes nothing.

zsien · 2025-02-15T12:23:03Z

So I just stumbled upon this PR while looking again at #16* and after testing it I don't see how it "fixes" anything.

The meta nfproto ipv4 match is still emitted by fw4 for every rule that refers to the set. Sure you can add an option family 'any' to the ipset configuration, it will not emit a warning but it changes nothing.

@f00b4r0 To maintain compatibility with the configuration, the default value for the ipset family is still ipv4.

I tested the configuration from #16 as follows:

config rule
  option name 'Forward-auth-captive'
  option src 'lan'
  option dest 'wan'
  option proto 'any'
  option target 'ACCEPT'
  option ipset 'captive'

config ipset
  option name 'captive'
  option family 'any'
  list match 'src_mac'

The generated nftables rules are:

set captive {
  type ether_addr
}
...
chain forward_lan {
  ...
  ether saddr @captive counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: Forward-auth-captive"
  ...
}

It can be seen that this modification is effective.

brada4 · 2025-02-15T12:54:04Z

I know, it duly prints warning when that is employed.

f00b4r0 · 2025-02-16T11:03:08Z

@zsien unfortunately while the test you performed works, this one doesn't:

config redirect
        option name 'Redirect-unauth-captive'
        option src 'lan'
        option src_dport '80'
        option proto 'tcp'    
        option target 'DNAT'   
        option reflection '0'
        option ipset '!captive'

config ipset
        option name 'captive'
        option family 'any'
        list match 'src_mac'

It fails to load the firewall with:

/dev/stdin:236:35-36: Error: syntax error, unexpected !=, expecting newline or semicolon
		meta nfproto ipv4 tcp dport 80  != @captive counter redirect to 80 comment "!fw4: Redirect-unauth-captive"
		                                ^^

meta nftproto ipv4 is still emitted and ether saddr is missing.
It's likely that other corner cases are thus broken by your change.

I also don't think that src_mac ipsets should still default to ipv4, but that's left to the maintainer's appreciation.

HTH

brada4 approved these changes Aug 6, 2024

View reviewed changes

This was referenced Feb 8, 2025

MAC address ipsets should not be limited to a single family #45

Open

Use of both src_ip and ipset in a rule is unclear #48

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fw4: when ipset matches MAC, allow set family to 'any' #35

fw4: when ipset matches MAC, allow set family to 'any' #35

zsien commented Jul 27, 2024

brada4 left a comment

f00b4r0 commented Feb 6, 2025

zsien commented Feb 15, 2025

brada4 commented Feb 15, 2025

f00b4r0 commented Feb 16, 2025

fw4: when ipset matches MAC, allow set family to 'any' #35

Are you sure you want to change the base?

fw4: when ipset matches MAC, allow set family to 'any' #35

Conversation

zsien commented Jul 27, 2024

brada4 left a comment

Choose a reason for hiding this comment

f00b4r0 commented Feb 6, 2025

zsien commented Feb 15, 2025

brada4 commented Feb 15, 2025

f00b4r0 commented Feb 16, 2025