diff options
| author | Jo-Philipp Wich | 2022-04-26 12:27:41 +0000 |
|---|---|---|
| committer | Jo-Philipp Wich | 2022-04-26 12:41:59 +0000 |
| commit | 2816a82821befde0e4aa16d2f50215f04a4bbef4 (patch) | |
| tree | d2626eee7a5d22ac51c94b6ec9ed2613b13fdf4e | |
| parent | 2379c3d117ea6f8651957652672e758d7aa240ec (diff) | |
| download | firewall4-2816a82821befde0e4aa16d2f50215f04a4bbef4.tar.gz | |
ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
Fixes: #9765
Ref: https://github.com/openwrt/openwrt/issues/9765
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | root/usr/share/firewall4/templates/rule.uc | 4 | ||||
| -rw-r--r-- | root/usr/share/ucode/fw4.uc | 16 | ||||
| -rw-r--r-- | tests/03_rules/04_icmp | 4 |
3 files changed, 19 insertions, 5 deletions
diff --git a/root/usr/share/firewall4/templates/rule.uc b/root/usr/share/firewall4/templates/rule.uc index 417bef7..d90595d 100644 --- a/root/usr/share/firewall4/templates/rule.uc +++ b/root/usr/share/firewall4/templates/rule.uc @@ -1,9 +1,7 @@ {%+ if (rule.family && !rule.has_addrs): -%} meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%} - meta l4proto {{ - (rule.proto.name == 'icmp' && rule.family == 6) ? 'ipv6-icmp' : rule.proto.name - }} {%+ endif -%} + meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }} {%+ endif -%} {%+ if (rule.iifnames): -%} iifname {{ fw4.set(rule.iifnames) }} {%+ endif -%} {%+ if (rule.oifnames): -%} diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index b725459..28865cd 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -1616,6 +1616,22 @@ return { } }, + l4proto: function(family, proto) { + switch (proto.name) { + case 'icmp': + switch (family ?? 0) { + case 0: + return this.set(['icmp', 'ipv6-icmp']); + + case 6: + return 'ipv6-icmp'; + } + + default: + return proto.name; + } + }, + datetime: function(stamp) { return sprintf('"%04d-%02d-%02d %02d:%02d:%02d"', stamp.year, stamp.month, stamp.day, diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp index d3c97db..a4e1346 100644 --- a/tests/03_rules/04_icmp +++ b/tests/03_rules/04_icmp @@ -21,7 +21,7 @@ Testing handling of ICMP related options. { "rule": [ { - ".description": "Proto 'icmp' maps to IPv4 and IPv6 rules", + ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule", "proto": "icmp", "name": "ICMP rule #1" }, @@ -97,7 +97,7 @@ table inet fw4 { oifname "lo" accept comment "!fw4: Accept traffic towards loopback" ct state established,related accept comment "!fw4: Allow outbound established and related flows" - meta l4proto icmp counter comment "!fw4: ICMP rule #1" + meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3" meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4" |