From: Jo-Philipp Wich Date: Fri, 29 Apr 2022 12:29:39 +0000 (+0200) Subject: fw4: fix emitting device jump rules for family restricted zones X-Git-Url: http://git.openwrt.org/%22https:/collectd.org///%22https:/collectd.org/?a=commitdiff_plain;h=05995f13d30aeee7ed03397eae2ad76e22cde785;p=project%2Ffirewall4.git fw4: fix emitting device jump rules for family restricted zones Ref: https://forum.openwrt.org/t/22-03-0-rc1-first-rc/126045/80 Signed-off-by: Jo-Philipp Wich --- diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index 05e8646..f7a88a6 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -2023,11 +2023,11 @@ return { // we need to emit one or two AF specific rules else { - if (family_is_ipv4(zone) && length(match_subnets[0])) + if (!family || family == 4) for (let subnets in subnets_group_by_masking(match_subnets[0])) add_rule(4, devgroup, subnets, zone); - if (family_is_ipv6(zone) && length(match_subnets[1])) + if (!family || family == 6) for (let subnets in subnets_group_by_masking(match_subnets[1])) add_rule(6, devgroup, subnets, zone); } diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections index ae7c296..ab65763 100644 --- a/tests/02_zones/06_family_selections +++ b/tests/02_zones/06_family_selections 
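Review bot: The two replacement conditions drop the `length(match_subnets[N])` guard, so for a family-restricted zone with no subnets the loop now iterates `subnets_group_by_masking([])`; the device-only jump rule that test5 now expects is only emitted if that helper yields exactly one group for an empty list, and in the `!family` case it must not add a bare rule for the other family, none of which the hunk shows (the helper, `family` and the enclosing function all start outside it). That dependency deserves a comment on the first `if`, e.g. `// no length() guard: an empty subnet list must still yield one device-only rule for a family restricted zone`. Since the pre-fix symptom was a silently missing jump rule, which presumably left a device-only zone's input/forward/output chains unreached, pinning it in 06_family_selections is the right call.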
@@ -25,35 +25,40 @@ specified or not. ".description": "Family any with IPv4 subnet should emit only IPv4 rules", "name": "test1", "family": "any", - "subnet": [ "10.0.0.0/8" ] + "subnet": [ "10.0.0.0/8" ], + "auto_helper": 0 }, { ".description": "Family any with IPv6 subnet should emit only IPv6 rules", "name": "test2", "family": "any", - "subnet": [ "2001:db8:1234::1/64" ] + "subnet": [ "2001:db8:1234::1/64" ], + "auto_helper": 0 }, { ".description": "Family IPv6 with IPv6 subnet should emit only IPv6 rules", "name": "test3", "family": "ipv6", - "subnet": [ "2001:db8:1234::1/64" ] + "subnet": [ "2001:db8:1234::1/64" ], + "auto_helper": 0 }, { ".description": "Family IPv6 with IPv4 subnet should emit no rules", "name": "test4", "family": "ipv6", - "subnet": [ "2001:db8:1234::1/64" ] + "subnet": [ "2001:db8:1234::1/64" ], + "auto_helper": 0 }, { ".description": "Family IPv6 with no subnets should emit only IPv6 rules", "name": "test5", "family": "ipv6", - "device": [ "eth0" ] + "device": [ "eth0" ], + "auto_helper": 0 } ] } @@ -100,6 +105,7 @@ table inet fw4 { meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test4 comment "!fw4: Handle test4 IPv6 input traffic" + meta nfproto ipv6 iifname "eth0" jump input_test5 comment "!fw4: Handle test5 IPv6 input traffic" } chain forward { 
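Review bot: test4 is described as "Family IPv6 with IPv4 subnet should emit no rules", but its re-added `"subnet": [ "2001:db8:1234::1/64" ],` line is an IPv6 prefix, so the fixture never exercises the mismatched-family case, and the expected output below still lists IPv6 jump rules for test4. Either change the line to `"subnet": [ "10.0.0.0/8" ],` (the prefix test1 uses) and remove the test4 lines from the expected input/forward/output chains, or reword the description to match what is tested. The `"auto_helper": 0` additions are what drop the CT helper chains from the expected ruleset; a one-line remark in the file's header text (whose tail "specified or not." is the hunk context) stating that helpers are disabled to keep the expectations focused on the family selection would help readers of the later hunks.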
@@ -110,6 +116,7 @@ table inet fw4 { meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test4 comment "!fw4: Handle test4 IPv6 forward traffic" + meta nfproto ipv6 iifname "eth0" jump forward_test5 comment "!fw4: Handle test5 IPv6 forward traffic" } chain output { @@ -122,6 +129,7 @@ table inet fw4 { meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test4 comment "!fw4: Handle test4 IPv6 output traffic" + meta nfproto ipv6 oifname "eth0" jump output_test5 comment "!fw4: Handle test5 IPv6 output traffic" } chain handle_reject { @@ -222,9 +230,11 @@ table inet fw4 { } chain drop_from_test5 { + meta nfproto ipv6 iifname "eth0" counter drop comment "!fw4: drop test5 IPv6 traffic" } chain drop_to_test5 { + meta nfproto ipv6 oifname "eth0" counter drop comment "!fw4: drop test5 IPv6 traffic" } 
@@ -247,31 +257,12 @@ table inet fw4 { chain raw_prerouting { type filter hook prerouting priority raw; policy accept; - meta nfproto ipv4 ip saddr 10.0.0.0/8 jump helper_test1 comment "!fw4: test1 IPv4 CT helper assignment" - meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment" - meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump helper_test3 comment "!fw4: test3 IPv6 CT helper assignment" - meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump helper_test4 comment "!fw4: test4 IPv6 CT helper assignment" } chain raw_output { type filter hook output priority raw; policy accept; } - chain helper_test1 { - } - - chain helper_test2 { - } - - chain helper_test3 { - } - - chain helper_test4 { - } - - chain helper_test5 { - } - # # Mangle rules