Discussion of explicit congestion notification's impact on the Internet
[Ecn-sane] Fwd: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
From: Rich Brown @ 2021-03-22 12:58 UTC (permalink / raw)
  To: ecn-sane


From the OpenWrt-devel mailing list...

Dunno if a) you're aware of this, or b) if this is actually relevant...

Rich

> Begin forwarded message:
> 
> From: Philip Prindeville <philipp_subx@redfish-solutions.com>
> Subject: Re: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
> Date: March 21, 2021 at 11:23:04 PM EDT
> To: Tony Ambardar <itugrok@yahoo.com>
> Cc: openwrt-devel@lists.openwrt.org
> Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
> 
> Are you aware that many open source apps already do DSCP marking?
> 
> I submitted the changes to Firefox, Thunderbird, Cyrus, Proftpd, Sendmail, Postfix, Curl, Wget, Apache... and this was more than 15 years ago.
> 
> Why would you want to overwrite marking if it's already present?
> 
> 
>> On Mar 21, 2021, at 7:06 PM, Tony Ambardar via openwrt-devel <openwrt-devel@lists.openwrt.org> wrote:
>> 
>> The sender domain has a DMARC Reject/Quarantine policy which disallows
>> sending mailing list messages using the original "From" header.
>> 
>> To mitigate this problem, the original message has been wrapped
>> automatically by the mailing list software.
>> From: Tony Ambardar <itugrok@yahoo.com>
>> Subject: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
>> Date: March 21, 2021 at 7:06:17 PM MDT
>> To: openwrt-devel@lists.openwrt.org
>> Cc: Jo-Philipp Wich <jo@mein.io>, Tony Ambardar <itugrok@yahoo.com>
>> 
>> 
>> Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
>> and accepts but ignores a src device. This behaviour is impractical for
>> most common applications (e.g. QOS setup), since rules are applied to all
>> devices and in all directions. Fix this generally by honouring src/dest
>> device selection and placing the rules into the appropriate chain of the
>> mangle table. 
>> 
>> These changes revealed the process of resolving zones to devices can add
>> duplicates due to the presence of aliased interfaces. Fix this by filtering
>> the fw3_zone->devices list during creation.
>> 
>> Thanks go to Jo-Philipp Wich <jo@mein.io> for sharing proof of concept code
>> on IRC and providing additional review afterwards.
>> 
>> Tony Ambardar (2):
>> zone: avoid duplicates in devices list
>> rules: fix device and chain usage for DSCP/MARK targets
>> 
>> rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
>> zones.c |  9 +++++++-
>> 2 files changed, 51 insertions(+), 26 deletions(-)
>> 
>> Testing
>> =======
>> 
>> Regression testing was done to confirm the default OpenWrt firewall rules
>> are unchanged before and after this patch.
>> 
>> Functional testing was carried out using the UCI firewall rules below. This
>> set of test cases would normally yield the following incorrect iptables
>> rules (from iptables-save, sorted by test):
>> 
>> -A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
>> -A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
>> -A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
>> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
>> 
>> After this change, the resulting iptables rules use the expected devices
>> and chains:
>> 
>> -A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
>> -A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
>> -A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
>> -A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
>> -A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
>> -A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
>> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
>> 
>> UCI FW Rules
>> ------------
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'BE'
>>       option proto 'udp'
>>       option dest_port '1945'
>>       option name 'Test-1-Zone-Any-PRE'
>>       option src 'lan'
>>       option dest '*'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'CS1'
>>       option proto 'udp'
>>       option dest_port '1950'
>>       option name 'Test-2-Zone-Zone-FORW'
>>       option src 'lan'
>>       option dest 'wan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'MARK'
>>       option set_mark '0x03/0xff'
>>       option proto 'tcp'
>>       option dest_port '1955'
>>       option name 'Test-3-Any-Zone-POST'
>>       option src '*'
>>       option dest 'wan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'MARK'
>>       option set_mark '0x07/0xff'
>>       option proto 'tcp'
>>       option dest_port '1960'
>>       option name 'Test-4-Any-Any-FORW'
>>       option src '*'
>>       option dest '*'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'EF'
>>       option proto 'udp'
>>       option dest_port '1965'
>>       option name 'Test-5-Zone-Dev-IN'
>>       option src 'lan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'MARK'
>>       option set_mark '0x0f/0xff'
>>       option proto 'tcp'
>>       option dest_port '1970'
>>       option name 'Test-6-Dev-Zone-OUT'
>>       option dest 'wan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'CS6'
>>       option proto 'udp'
>>       option dest_port '1975'
>>       option name 'Test-7-Dev-Dev-OUT'
>> 
>> -- 
>> 2.25.1
>> 
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel@lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel


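The seven test cases in the forwarded cover letter pin down how the patched fw3 turns a rule's src/dest options into a mangle-table chain plus -i/-o device matches, and the "before" listing shows why that matters for policy: four rules, none carrying a device match, so a mark or DSCP rewrite meant for one zone fired on every device in every direction. The Python model below is an added example, not fw3 code and not part of the patch. It reproduces that chain/device mapping and the zone-device de-duplication from constructed data: the zone-to-device table is made up for the example (br-lan is listed twice to mimic an aliased interface), the seven UCI rules are transcribed from the cover letter, and for the two src/dest combinations the tests do not exercise (src '*' with no dest, and no src with dest '*') it assumes the same pattern. `render_all()` reproduces the seven "after" iptables-save lines exactly, and `unscoped()` is the check a reviewer would run over generated rules: any rule that names a zone but renders without the matching -i/-o is flagged.

```python
"""Added model of the patched fw3 DSCP/MARK rule placement (not fw3 code)."""
from itertools import product
from typing import Dict, List, Optional

# DSCP code points named in the cover letter's UCI test rules (standard DiffServ values).
DSCP_NAMES: Dict[str, int] = {"BE": 0x00, "CS1": 0x08, "EF": 0x2E, "CS6": 0x30}

# Constructed zone -> device table. "lan" lists br-lan twice on purpose, to
# mimic the duplicate that aliased interfaces produce in fw3_zone->devices.
ZONE_DEVICES: Dict[str, List[str]] = {"lan": ["br-lan", "br-lan"], "wan": ["eth0"]}

# The seven UCI rules from the cover letter; an absent src/dest option is a missing key.
TEST_RULES: List[Dict[str, str]] = [
    {"target": "DSCP", "set_dscp": "BE", "proto": "udp", "dest_port": "1945",
     "name": "Test-1-Zone-Any-PRE", "src": "lan", "dest": "*"},
    {"target": "DSCP", "set_dscp": "CS1", "proto": "udp", "dest_port": "1950",
     "name": "Test-2-Zone-Zone-FORW", "src": "lan", "dest": "wan"},
    {"target": "MARK", "set_mark": "0x03/0xff", "proto": "tcp", "dest_port": "1955",
     "name": "Test-3-Any-Zone-POST", "src": "*", "dest": "wan"},
    {"target": "MARK", "set_mark": "0x07/0xff", "proto": "tcp", "dest_port": "1960",
     "name": "Test-4-Any-Any-FORW", "src": "*", "dest": "*"},
    {"target": "DSCP", "set_dscp": "EF", "proto": "udp", "dest_port": "1965",
     "name": "Test-5-Zone-Dev-IN", "src": "lan"},
    {"target": "MARK", "set_mark": "0x0f/0xff", "proto": "tcp", "dest_port": "1970",
     "name": "Test-6-Dev-Zone-OUT", "dest": "wan"},
    {"target": "DSCP", "set_dscp": "CS6", "proto": "udp", "dest_port": "1975",
     "name": "Test-7-Dev-Dev-OUT"},
]


def zone_devices(zone: str, zones: Dict[str, List[str]]) -> List[str]:
    """Devices of a zone with duplicates dropped, order kept (the zones.c fix)."""
    out: List[str] = []
    for dev in zones.get(zone, []):
        if dev not in out:
            out.append(dev)
    return out


def select_chain(src: Optional[str], dest: Optional[str]) -> str:
    """Mangle chain for (src, dest); each is a zone name, '*' (any) or None (absent).
    Follows Test-1..Test-7; the two pairs the tests leave out are assumed alike."""
    if src is None:
        return "OUTPUT"                                     # Test-6, Test-7
    if dest is None:
        return "INPUT"                                      # Test-5
    if src == "*":
        return "FORWARD" if dest == "*" else "POSTROUTING"  # Test-4 / Test-3
    return "PREROUTING" if dest == "*" else "FORWARD"       # Test-1 / Test-2


def target_args(rule: Dict[str, str]) -> str:
    """Render the -j part the way iptables-save prints it."""
    if rule["target"] == "DSCP":
        return f"-j DSCP --set-dscp 0x{DSCP_NAMES[rule['set_dscp']]:02x}"
    value, _, mask = rule["set_mark"].partition("/")
    v = int(value, 0)
    m = int(mask, 0) if mask else 0xFFFFFFFF
    return f"-j MARK --set-xmark 0x{v:x}/0x{m:x}"


def render_rules(rule: Dict[str, str], zones: Dict[str, List[str]] = ZONE_DEVICES) -> List[str]:
    """One iptables-save line per (in-device, out-device) pair the rule covers."""
    src, dest = rule.get("src"), rule.get("dest")
    chain = select_chain(src, dest)
    in_devs = zone_devices(src, zones) if src not in (None, "*") else [None]
    out_devs = zone_devices(dest, zones) if dest not in (None, "*") else [None]
    lines: List[str] = []
    for i, o in product(in_devs, out_devs):
        parts = [f"-A {chain}"]
        if i:
            parts.append(f"-i {i}")
        if o:
            parts.append(f"-o {o}")
        proto = rule["proto"]
        parts.append(f"-p {proto} -m {proto} --dport {rule['dest_port']}")
        parts.append(f"-m comment --comment \"!fw3: {rule['name']}\"")
        parts.append(target_args(rule))
        lines.append(" ".join(parts))
    return lines


def render_all(rules: List[Dict[str, str]] = TEST_RULES) -> List[str]:
    return [line for rule in rules for line in render_rules(rule)]


def unscoped(rules: List[Dict[str, str]] = TEST_RULES) -> List[str]:
    """Names of rules that name a zone but render without the matching -i/-o:
    the pre-patch symptom of a rule firing on every device."""
    bad: List[str] = []
    for rule in rules:
        for line in render_rules(rule):
            if rule.get("src") not in (None, "*") and " -i " not in line:
                bad.append(rule["name"])
            if rule.get("dest") not in (None, "*") and " -o " not in line:
                bad.append(rule["name"])
    return bad


if __name__ == "__main__":
    for line in render_all():
        print(line)
    print("unscoped:", unscoped())
```

The mapping is inferred from the test listing alone, not from reading rules.c, so treat `select_chain` as documentation of the observed behaviour rather than of fw3's internals. The de-duplication in `zone_devices` is what keeps Test-2 from producing two identical FORWARD rules when a zone's device list carries an alias twice.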