Previously, if the config file contained any empty rule (like a duplicate
'config rule' line), the firewall understood it as rejecting all output
traffic (TCP+UDP).  The router was therefore functioning properly, but
was unable to answer DHCP requests (because they are neither ESTABLISHED
nor RELATED) or to send any upstream packets, which was hard to diagnose.
The change now requires every rule to contain at least one of zone,
protocol or target.

Signed-off-by: Arkadiusz Kozdra <fl...@arusekk.pl>
---
 rules.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/rules.c b/rules.c
index d506a96..bbd9c37 100644
--- a/rules.c
+++ b/rules.c
@@ -104,6 +104,8 @@ alloc_rule(struct fw3_state *state)
 static bool
 check_rule(struct fw3_state *state, struct fw3_rule *r, struct uci_element *e)
 {
+       int guessed = 0;
+
        if (!r->enabled)
                return false;
 
@@ -194,23 +196,35 @@ check_rule(struct fw3_state *state, struct fw3_rule *r, 
struct uci_element *e)
        {
                warn_section("rule", r, e, "has neither a source nor a 
destination zone assigned "
                                "- assuming an output rule");
+               guessed++;
        }
 
        if (list_empty(&r->proto))
        {
                warn_section("rule", r, e, "does not specify a protocol, 
assuming TCP+UDP");
                fw3_parse_protocol(&r->proto, "tcpudp", true);
+               guessed++;
        }
 
        if (r->target == FW3_FLAG_UNSPEC)
        {
                warn_section("rule", r, e, "has no target specified, defaulting 
to REJECT");
                r->target = FW3_FLAG_REJECT;
+               guessed++;
        }
        else if (r->target > FW3_FLAG_DSCP)
        {
                warn_section("rule", r, e, "has invalid target specified, 
defaulting to REJECT");
                r->target = FW3_FLAG_REJECT;
+               guessed++;
+       }
+
+       if (guessed > 2)
+       {
+               /* empty config rule would reject all output TCP+UDP */
+               warn_section("rule", r, e, "must specify at least one valid 
value of "
+                                          "source/destination zone, protocol 
and target");
+               return false;
        }
 
        /* NB: r family... */
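Review bot: The `guessed > 2` test treats "zone, protocol and target were all defaulted" as "the rule is empty", but it does not look at any other option the section may carry. If a rule can also set address or port matches (not visible in this hunk), a section that relied on all three defaults used to be enforced as an output REJECT and is now dropped with only a warning, which loosens the policy on upgrade; consider rejecting only when no other match option is set either. The final warning also follows three "assuming"/"defaulting" messages without saying that the rule is skipped, so a wording such as `"specifies no zone, protocol or valid target - ignoring rule"` would make the log unambiguous. By the time `return false` runs, `r->proto` and `r->target` have already been filled with the guessed defaults, which is harmless only if the caller discards the rule; check_rule starts and ends outside this hunk.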
-- 
2.47.0


