From the OpenWrt-devel mailing list...

Dunno if a) you're aware of this, or b) if this is actually relevant...

Rich

Begin forwarded message:

From: Philip Prindeville <philipp_subx@redfish-solutions.com>
Subject: Re: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
Date: March 21, 2021 at 11:23:04 PM EDT
To: Tony Ambardar <itugrok@yahoo.com>
Cc: openwrt-devel@lists.openwrt.org
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>

Are you aware that many open source apps already do DSCP marking?

I submitted the changes to Firefox, Thunderbird, Cyrus, Proftpd, Sendmail, Postfix, Curl, Wget, Apache... and this was more than 15 years ago.

Why would you want to overwrite marking if it's already present?


On Mar 21, 2021, at 7:06 PM, Tony Ambardar via openwrt-devel <openwrt-devel@lists.openwrt.org> wrote:

From: Tony Ambardar <itugrok@yahoo.com>
Subject: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
Date: March 21, 2021 at 7:06:17 PM MDT
To: openwrt-devel@lists.openwrt.org
Cc: Jo-Philipp Wich <jo@mein.io>, Tony Ambardar <itugrok@yahoo.com>


Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
and accepts but ignores a src device. This behaviour is impractical for
most common applications (e.g. QOS setup), since rules are applied to all
devices and in all directions. Fix this generally by honouring src/dest
device selection and placing the rules into the appropriate chain of the
mangle table.

These changes revealed the process of resolving zones to devices can add
duplicates due to the presence of aliased interfaces. Fix this by filtering
the fw3_zone->devices list during creation.

Thanks go to Jo-Philipp Wich <jo@mein.io> for sharing proof of concept code
on IRC and providing additional review afterwards.

Tony Ambardar (2):
zone: avoid duplicates in devices list
rules: fix device and chain usage for DSCP/MARK targets

rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
zones.c |  9 +++++++-
2 files changed, 51 insertions(+), 26 deletions(-)

Testing
=======

Regression testing was done to confirm the default OpenWrt firewall rules
are unchanged before and after this patch.

Functional testing was carried out using the UCI firewall rules below. This
set of test cases would normally yield the following incorrect iptables
rules (from iptables-save, sorted by test):

-A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30

After this change, the resulting iptables rules use the expected devices
and chains:

-A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
-A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30

UCI FW Rules
------------

config rule
      option enabled '1'
      option target 'DSCP'
      option set_dscp 'BE'
      option proto 'udp'
      option dest_port '1945'
      option name 'Test-1-Zone-Any-PRE'
      option src 'lan'
      option dest '*'

config rule
      option enabled '1'
      option target 'DSCP'
      option set_dscp 'CS1'
      option proto 'udp'
      option dest_port '1950'
      option name 'Test-2-Zone-Zone-FORW'
      option src 'lan'
      option dest 'wan'

config rule
      option enabled '1'
      option target 'MARK'
      option set_mark '0x03/0xff'
      option proto 'tcp'
      option dest_port '1955'
      option name 'Test-3-Any-Zone-POST'
      option src '*'
      option dest 'wan'

config rule
      option enabled '1'
      option target 'MARK'
      option set_mark '0x07/0xff'
      option proto 'tcp'
      option dest_port '1960'
      option name 'Test-4-Any-Any-FORW'
      option src '*'
      option dest '*'

config rule
      option enabled '1'
      option target 'DSCP'
      option set_dscp 'EF'
      option proto 'udp'
      option dest_port '1965'
      option name 'Test-5-Zone-Dev-IN'
      option src 'lan'

config rule
      option enabled '1'
      option target 'MARK'
      option set_mark '0x0f/0xff'
      option proto 'tcp'
      option dest_port '1970'
      option name 'Test-6-Dev-Zone-OUT'
      option dest 'wan'

config rule
      option enabled '1'
      option target 'DSCP'
      option set_dscp 'CS6'
      option proto 'udp'
      option dest_port '1975'
      option name 'Test-7-Dev-Dev-OUT'

--
2.25.1




_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
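An added example, not firewall3's own code: it models the src/dest to mangle-chain selection that the expected iptables rules in the cover letter imply, and renders each rule as iptables-save prints it. The zone-to-device mapping (lan is br-lan, wan is eth0) and the DSCP class values come from the expected output above; the duplicated br-lan entry is constructed to show the aliased-interface de-duplication, and the '*' versus absent-option interpretation is inferred from the test table.

```python
from typing import Optional, List

# Zone -> device mapping taken from the expected output ("lan" is br-lan,
# "wan" is eth0). The repeated "br-lan" is a constructed stand-in for an
# aliased interface; resolve_zone() drops it, as the zones.c change describes.
ZONE_DEVICES = {"lan": ["br-lan", "br-lan"], "wan": ["eth0"]}

# DSCP class names used by the test rules and the code points iptables prints.
DSCP_CLASS = {"BE": 0x00, "CS1": 0x08, "EF": 0x2e, "CS6": 0x30}

def resolve_zone(zone: str) -> List[str]:
    """Return the zone's devices with duplicates removed, order preserved."""
    return list(dict.fromkeys(ZONE_DEVICES.get(zone, [])))

def mangle_chain(src: Optional[str], dest: Optional[str]) -> str:
    """Pick the mangle chain for a DSCP/MARK rule from its UCI src/dest.

    Interpretation assumed from the test table: '*' means any zone (transit
    traffic), while an absent option (None) means traffic local to this host.
    """
    if src is None:
        return "OUTPUT"        # Test-6/7: no src -> locally generated
    if dest is None:
        return "INPUT"         # Test-5: src only -> locally delivered
    if src == "*":
        return "FORWARD" if dest == "*" else "POSTROUTING"  # Test-4 / Test-3
    return "PREROUTING" if dest == "*" else "FORWARD"       # Test-1 / Test-2

def render_rule(name, proto, dport, target, value, src=None, dest=None) -> str:
    """Render one mangle rule in iptables-save form for the given UCI options."""
    parts = ["-A", mangle_chain(src, dest)]
    if src not in (None, "*"):
        parts += ["-i", resolve_zone(src)[0]]   # honour the src device
    if dest not in (None, "*"):
        parts += ["-o", resolve_zone(dest)[0]]  # honour the dest device
    parts += ["-p", proto, "-m", proto, "--dport", str(dport),
              "-m", "comment", "--comment", f'"!fw3: {name}"', "-j", target]
    if target == "DSCP":
        parts += ["--set-dscp", "0x%02x" % DSCP_CLASS[value]]
    else:  # MARK: iptables-save prints value/mask without leading zeros
        mark, mask = (int(x, 16) for x in value.split("/"))
        parts += ["--set-xmark", "0x%x/0x%x" % (mark, mask)]
    return " ".join(parts)
```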