Use of both src_ip and ipset in a rule is unclear #48

Open
brianjmurrell opened this issue Feb 13, 2025 · 4 comments
Comments

@brianjmurrell

If I create a rule:

config rule
	option name 'Brians PC and server to OPC network for SSH'
	option proto 'tcp'
	option dest 'opc_network'
	option src 'lan'
	list src_ip 'fd31:aeb1:48df:0:3b14:e643:83d8:7017'
	list src_ip '2001:123:4567:0:90cc:a629:cf42:5877'
	list src_ip '10.75.22.247'
	list src_ip 'fd31:aeb1:48df::2'
	list src_ip '2001:0123:4567::2'
	option dest_port '22'
	option target 'ACCEPT'
	option ipset 'Brians-trusted-hosts'

I end up with an NFTables rule of:

ip saddr 10.75.22.247 tcp dport 22 ether saddr @Brians-trusted-hosts counter packets 0 bytes 0 jump accept_to_opc_network

It's unclear to me with any certainty whether that's an "or" or an "and" in NFTables, but my testing of that rule leads me to believe it's an "and", because the rule does not match when either 10.75.22.247 or a host in @Brians-trusted-hosts tries to ssh to the destination. Remove the ipset from the rule and it will match when 10.75.22.247 tries to ssh to the destination.

The results of this mixing of src_ip and the ipset are ambiguous at best and surprising at worst. I have not come across any OpenWRT and/or firewall4 documentation that indicates the result of such a combination.

My feeling is that, given that you can list multiple src_ips as an or'd list, adding a (source MAC) ipset should also be an "or" and result in:

ether saddr @Brians-trusted-hosts tcp dport 22 counter packets 1 bytes 80 jump accept_to_opc_network # handle 40125
ip saddr 10.75.22.247 tcp dport 22 counter packets 1 bytes 60 jump accept_to_opc_network # handle 40124
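The and/or question above can be checked without a router. The following is an added example, not code from firewall4 or nftables: it neither parses UCI nor calls nft. It models the two properties the issue turns on: expressions inside one nft rule are ANDed (the rule only fires when every expression holds), separate rules in a chain are ORed (the first that matches wins), and an `ip saddr` rule can never match an IPv6 source. The src_ip list and dest_port are copied from the issue's UCI rule; the MAC addresses in `TRUSTED_MACS` are constructed, since the contents of the Brians-trusted-hosts ipset are not shown.

```python
"""Model of nftables match semantics for the rule in this issue.

Added example, not firewall4 or nftables code. Rule.matches() models one
nft rule (every expression must hold: AND); accepted() models a chain
(any rule may accept: OR). Addresses are canonicalised so that the UCI
form '2001:0123:4567::2' equals the packet form '2001:123:4567::2'.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Copied from the issue's UCI rule.
SRC_IP = [
    "fd31:aeb1:48df:0:3b14:e643:83d8:7017",
    "2001:123:4567:0:90cc:a629:cf42:5877",
    "10.75.22.247",
    "fd31:aeb1:48df::2",
    "2001:0123:4567::2",
]
DEST_PORT = 22
# Constructed: the issue does not list the members of Brians-trusted-hosts.
TRUSTED_MACS = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}


def canon(addr: str) -> str:
    """Canonical text form of an IPv4/IPv6 address (drops leading zeros)."""
    return str(ipaddress.ip_address(addr))


def split_by_family(addrs) -> Tuple[Set[str], Set[str]]:
    """Split a mixed src_ip list into (IPv4 set, IPv6 set)."""
    v4 = {canon(a) for a in addrs if ipaddress.ip_address(a).version == 4}
    v6 = {canon(a) for a in addrs if ipaddress.ip_address(a).version == 6}
    return v4, v6


@dataclass(frozen=True)
class Packet:
    saddr: str        # source IP, v4 or v6 text form
    ether_saddr: str  # source MAC
    dport: int


@dataclass
class Rule:
    """One nft rule; every populated field must match (AND)."""
    family: Optional[str] = None                      # 'ip', 'ip6' or None (either)
    saddr: Set[str] = field(default_factory=set)      # empty: no 'ip/ip6 saddr' test
    ether_set: Set[str] = field(default_factory=set)  # empty: no 'ether saddr @set' test
    dport: Optional[int] = None                       # None: no 'tcp dport' test

    def matches(self, pkt: Packet) -> bool:
        ver = ipaddress.ip_address(pkt.saddr).version
        if self.family == "ip" and ver != 4:    # 'ip saddr' only sees IPv4
            return False
        if self.family == "ip6" and ver != 6:   # 'ip6 saddr' only sees IPv6
            return False
        if self.saddr and canon(pkt.saddr) not in self.saddr:
            return False
        if self.ether_set and pkt.ether_saddr.lower() not in self.ether_set:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def combined_rule() -> List[Rule]:
    """The single rule the issue reports being generated:
    ip saddr 10.75.22.247 tcp dport 22 ether saddr @Brians-trusted-hosts"""
    v4, _ = split_by_family(SRC_IP)
    return [Rule(family="ip", saddr=v4, ether_set=TRUSTED_MACS, dport=DEST_PORT)]


def split_rules() -> List[Rule]:
    """The OR form the issue asks for: one rule per address family for the
    src_ip list, plus a separate rule for the MAC ipset."""
    v4, v6 = split_by_family(SRC_IP)
    return [
        Rule(family="ip", saddr=v4, dport=DEST_PORT),
        Rule(family="ip6", saddr=v6, dport=DEST_PORT),
        Rule(ether_set=TRUSTED_MACS, dport=DEST_PORT),
    ]


def accepted(rules: List[Rule], pkt: Packet) -> bool:
    """Chain semantics: rules are tried in order; any match accepts."""
    return any(r.matches(pkt) for r in rules)


if __name__ == "__main__":
    samples = {
        "listed v4, MAC not in set": Packet("10.75.22.247", "02:00:00:ff:ff:ff", 22),
        "listed v4, MAC in set": Packet("10.75.22.247", "02:00:00:aa:bb:01", 22),
        "listed v6, MAC not in set": Packet("2001:123:4567::2", "02:00:00:ff:ff:ff", 22),
        "unlisted v4, MAC in set": Packet("192.0.2.9", "02:00:00:aa:bb:02", 22),
    }
    for label, pkt in samples.items():
        print(f"{label:28} combined={accepted(combined_rule(), pkt)!s:5} "
              f"split={accepted(split_rules(), pkt)}")
```

Running it shows the behaviour reported in the issue: with the combined rule only the packet that satisfies both the IPv4 source and the MAC set is accepted, and none of the IPv6 sources ever match because the rule is in the `ip` family; with the split rules each source listed in src_ip, and any MAC in the set, is accepted on its own.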
@brada4

brada4 commented Feb 13, 2025

Wait a sec, the ip6 saddr rule was not generated?

@brianjmurrell
Author

Indeed. That was the other side effect I forgot to mention.

@brada4

brada4 commented Feb 13, 2025

Dup of #45, which also includes a workaround: a double rule.
The ip6 address omission is dictated by the ether addr set being misinterpreted as ip4.

@brada4

brada4 commented Feb 13, 2025

Can you check if this solves the problem? (Just copy the file downloaded as raw over the one in /usr/share/... on the router; the original file is in /rom/usr/share/... if something goes foul.)
#35
(And add a 1-2 sentence "positive review" about your test.)
There could be an extra code path with a similar defect; I am not very certain.
