FW4 forward chains jump to wrong chain by default #43

Open
StarryLifeRedoArtisan opened this issue Jan 17, 2025 · 4 comments
Comments

@StarryLifeRedoArtisan

In "/usr/share/firewall4/templates/ruleset.uc", line 252 creates the wrong last rule for all forward chains. For example, the forward_lan chain jumps to reject_to_lan or accept_to_lan. As this traffic is coming from lan, these rules are wrong.

Expected behaviour:
jump to chain handling traffic coming from zone

Current behaviour:
jump to chain handling traffic going to zone

Possible solution:
-jump {{ zone.forward }}to{{ zone.name }}
+jump {{ zone.forward }}from{{ zone.name }}
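Review bot: the `+` line changes which chain the trailing jump targets, but the `_to_` target is what gives this rule its intra-zone meaning. `forward_<zone>` is only entered from the `forward` chain for packets whose input interface belongs to that zone, so every packet inside it already "comes from" the zone; a `reject_from_lan` chain keyed on `iif "br-lan"` would therefore match every packet in `forward_lan`, including inter-zone traffic that should instead fall through to the `forward` chain's hook policy. The existing `reject_to_lan` / `accept_to_lan` chains match on `oif`, so they only fire for traffic leaving back into the same zone, which is the intra-zone forwarding decision the rule exists for. Note also that both hunk lines omit the underscores present in the quoted template line (`jump {{ zone.forward }}_to_{{ zone.name }}`); applied literally, the `+` line would render names like `rejectfromlan` that no chain defines.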

Noticed and tested on OpenWrt 24.10.0-rc5

jump {{ zone.forward }}_to_{{ zone.name }}

@dave14305

This rule is meant to control traffic among interfaces in the same zone. This jump determines if traffic from an interface in the zone is allowed to go back out to any other interface in the zone. In my opinion, the naming is correct.

@StarryLifeRedoArtisan

Hi. Thank you for your replies. I'd like to know if I am misunderstanding something here.

If I create the following rule (in LuCI):

config rule
	option name 'Accept-sntp-LAN_to_WAN'
	option src 'lan'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	list proto 'udp'

it shows up in the nft rules like this:

chain forward_lan {
	udp dport 123 counter packets xx bytes xx jump accept_to_wan comment "!fw4: Accept-sntp-LAN_to_WAN"
	jump reject_to_lan
}

My understanding is that lan and wan in this case are different zones, so chain forward_lan is not controlling only traffic among interfaces in the same zone.

I have set forwarding lan to wan to reject.
My SNTP traffic works fine; all other traffic to wan is rejected.
reject_to_lan has oif "br-lan", which does not match any of the packets.
reject_from_lan has iif "br-lan", which does match the packets.

@dave14305
Copy link

forward_lan already only gets traffic from the forward chain if the input interface is from LAN. It allows your ntp traffic, then drops any traffic going back to the LAN zone. But now look at the policy in the hook statement in forward. What is that policy? No need to explicitly drop or reject if the calling chain will do it by default.

If you had a LAN to WAN forward, there would be a jump accept_to_wan rule in forward_wan, but there isn’t in your case.
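To make the dispatch described in the last two comments concrete, here is an added example that is not fw4's code and not from either poster: a small Python model of nftables jump/return semantics, run over a ruleset constructed to mirror the chain shapes quoted above (a `forward` base chain with a reject policy that jumps into `forward_<zone>` by input interface, and `accept_to_<zone>` / `reject_to_<zone>` chains that match on output interface). The interface names `br-lan` and `eth0`, the `forward_wan` chain and the reject policy on `forward` are assumptions for the example; only the `forward_lan` contents come from the thread.

```python
"""Model of nftables chain evaluation for fw4-style forward chains.

Added example, not firewall4 code. RULESET is constructed to match the
shapes shown in the issue: `forward` dispatches by iif into forward_<zone>,
and the *_to_<zone> chains decide by oif. Interface names and the
forward_wan chain are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iif: str
    oif: str
    proto: str = "udp"
    dport: int = 0


# Predicates stand in for nft match expressions.
def iif_is(name):
    return lambda p: p.iif == name


def oif_is(name):
    return lambda p: p.oif == name


def udp_dport(port):
    return lambda p: p.proto == "udp" and p.dport == port


# Each chain is a list of (predicate, verdict); predicate None matches all.
# Verdicts: ("accept",), ("reject",), ("jump", chain). A jumped-to chain
# that runs off its end returns to the caller's next rule, as in nft.
RULESET = {
    # base chain: type filter hook forward; policy reject (assumed)
    "forward": {"policy": "reject", "rules": [
        (iif_is("br-lan"), ("jump", "forward_lan")),
        (iif_is("eth0"),   ("jump", "forward_wan")),
    ]},
    # lan -> wan forwarding is set to reject, so only the explicit NTP rule
    # jumps to accept_to_wan; the trailing jump only governs lan -> lan.
    "forward_lan": {"rules": [
        (udp_dport(123), ("jump", "accept_to_wan")),
        (None,           ("jump", "reject_to_lan")),
    ]},
    "forward_wan": {"rules": [
        (None, ("jump", "reject_to_wan")),
    ]},
    # *_to_<zone> chains match on the OUTPUT interface of the zone.
    "accept_to_wan": {"rules": [(oif_is("eth0"),   ("accept",))]},
    "reject_to_lan": {"rules": [(oif_is("br-lan"), ("reject",))]},
    "reject_to_wan": {"rules": [(oif_is("eth0"),   ("reject",))]},
}


def evaluate_chain(name, pkt, trace):
    """Walk one chain; return a final verdict, or None if we fell off the end."""
    for pred, verdict in RULESET[name]["rules"]:
        if pred is not None and not pred(pkt):
            continue
        kind = verdict[0]
        if kind in ("accept", "reject", "drop"):
            trace.append(f"{name}: {kind}")
            return kind
        if kind == "jump":
            trace.append(f"{name}: jump {verdict[1]}")
            result = evaluate_chain(verdict[1], pkt, trace)
            if result is not None:
                return result
            # target chain ended without a verdict: continue with next rule
    return None


def verdict(pkt):
    """Evaluate a forwarded packet; return (verdict, trace of chains walked)."""
    trace = []
    result = evaluate_chain("forward", pkt, trace)
    if result is None:
        policy = RULESET["forward"]["policy"]
        trace.append(f"forward: end of chain, policy {policy}")
        result = policy
    return result, trace


if __name__ == "__main__":
    # Constructed sample packets: NTP lan->wan, HTTPS lan->wan, SSH lan->lan,
    # and an unsolicited wan->lan packet.
    for pkt in (Packet("br-lan", "eth0", "udp", 123),
                Packet("br-lan", "eth0", "tcp", 443),
                Packet("br-lan", "br-lan", "tcp", 22),
                Packet("eth0", "br-lan", "tcp", 22)):
        result, trace = verdict(pkt)
        print(f"{pkt.iif:>6} -> {pkt.oif:<6} {pkt.proto}/{pkt.dport:<4} "
              f"{result:<7} via {' ; '.join(trace)}")
```

The trace for the non-NTP lan-to-wan packet is the point of the thread: it enters `forward_lan`, jumps to `reject_to_lan`, matches nothing there because `oif` is `eth0`, returns, and is finally rejected by the `forward` base chain's policy rather than by any per-zone chain. Only the lan-to-lan packet is actually decided by `reject_to_lan`.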
