From: Rich Brown
To: ecn-sane@lists.bufferbloat.net
Date: Mon, 22 Mar 2021 08:58:30 -0400
Subject: [Ecn-sane] Fwd: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
Message-Id: <0CAFD5F7-5E8C-4F38-A518-F275222F3284@gmail.com>
References: <42251FB1-B5B8-4249-86DC-CD8810ED4264@redfish-solutions.com>
List-Id: Discussion of explicit congestion notification's impact on the Internet
From the OpenWrt-devel mailing list...

Dunno if a) you're aware of this, or b) if this is actually relevant...

Rich

Begin forwarded message:

From: Philip Prindeville <philipp_subx@redfish-solutions.com>
Subject: Re: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
Date: March 21, 2021 at 11:23:04 PM EDT
To: Tony Ambardar <itugrok@yahoo.com>
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>

Are you aware that many open source apps already do DSCP marking?

I submitted the changes to Firefox, Thunderbird, Cyrus, Proftpd, Sendmail, Postfix, Curl, Wget, Apache... and this was more than 15 years ago.

Why would you want to overwrite marking if it's already present?


On Mar 21, 2021, at 7:06 PM, Tony Ambardar via openwrt-devel <openwrt-devel@lists.openwrt.org> wrote:

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
From: Tony Ambardar <itugrok@yahoo.com>
Subject: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
Date: March 21, 2021 at 7:06:17 PM MDT
To: openwrt-devel@lists.openwrt.org
Cc: Jo-Philipp Wich <jo@mein.io>, Tony Ambardar <itugrok@yahoo.com>


Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
and accepts but ignores a src device. This behaviour is impractical for
most common applications (e.g. QOS setup), since rules are applied to all
devices and in all directions. Fix this generally by honouring src/dest
device selection and placing the rules into the appropriate chain of the
mangle table.

These changes revealed the process of resolving zones to devices can add
duplicates due to the presence of aliased interfaces. Fix this by filtering
the fw3_zone->devices list during creation.

Thanks go to Jo-Philipp Wich <jo@mein.io> for sharing proof of concept code
on IRC and providing additional review afterwards.

Tony Ambardar (2):
  zone: avoid duplicates in devices list
  rules: fix device and chain usage for DSCP/MARK targets

 rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
 zones.c |  9 +++++++-
 2 files changed, 51 insertions(+), 26 deletions(-)

Testing
=======

Regression testing was done to confirm the default OpenWrt firewall rules
are unchanged before and after this patch.

Functional testing was carried out using the UCI firewall rules below. This
set of test cases would normally yield the following incorrect iptables
rules (from iptables-save, sorted by test):

-A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30

After this change, the resulting iptables rules use the expected devices
and chains:

-A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
-A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
-A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
-A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
-A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30

UCI FW Rules
------------

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'BE'
        option proto 'udp'
        option dest_port '1945'
        option name 'Test-1-Zone-Any-PRE'
        option src 'lan'
        option dest '*'

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'CS1'
        option proto 'udp'
        option dest_port '1950'
        option name 'Test-2-Zone-Zone-FORW'
        option src 'lan'
        option dest 'wan'

config rule
        option enabled '1'
        option target 'MARK'
        option set_mark '0x03/0xff'
        option proto 'tcp'
        option dest_port '1955'
        option name 'Test-3-Any-Zone-POST'
        option src '*'
        option dest 'wan'

config rule
        option enabled '1'
        option target 'MARK'
        option set_mark '0x07/0xff'
        option proto 'tcp'
        option dest_port '1960'
        option name 'Test-4-Any-Any-FORW'
        option src '*'
        option dest '*'

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'EF'
        option proto 'udp'
        option dest_port '1965'
        option name 'Test-5-Zone-Dev-IN'
        option src 'lan'

config rule
        option enabled '1'
        option target 'MARK'
        option set_mark '0x0f/0xff'
        option proto 'tcp'
        option dest_port '1970'
        option name 'Test-6-Dev-Zone-OUT'
        option dest 'wan'

config rule
        option enabled '1'
        option target 'DSCP'
        option set_dscp 'CS6'
        option proto 'udp'
        option dest_port '1975'
        option name 'Test-7-Dev-Dev-OUT'

--
2.25.1




_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


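The chain and device selection that the cover letter's seven test cases illustrate, written out as a small model so the mapping can be checked against the expected iptables-save lines. This is an added example and not fw3's code; it assumes the zone-to-device resolution (lan to br-lan, wan to eth0) implied by the expected rules, uses only the four DSCP classes the tests use, and extends the same logic by assumption to src/dest combinations the tests do not cover (such as src '*' with no dest).

```python
# Constructed model of the chain/device selection the cover letter describes;
# illustrative code, not fw3's own. Zone-to-device resolution (lan -> br-lan,
# wan -> eth0) is assumed from the expected rules above.
ZONE_DEVICES = {"lan": "br-lan", "wan": "eth0"}
# DSCP class names -> code points for the four classes used in the test rules.
DSCP_CLASSES = {"BE": 0x00, "CS1": 0x08, "EF": 0x2e, "CS6": 0x30}


def select_chain(src, dest):
    """Map src/dest (zone name, '*' = any zone, None = absent) to (chain, in_dev, out_dev)."""
    in_dev = ZONE_DEVICES[src] if src not in (None, "*") else None
    out_dev = ZONE_DEVICES[dest] if dest not in (None, "*") else None
    if src is not None and dest is not None:  # traffic crossing the router
        if in_dev and out_dev:
            return "FORWARD", in_dev, out_dev
        if in_dev:
            return "PREROUTING", in_dev, None
        if out_dev:
            return "POSTROUTING", None, out_dev
        return "FORWARD", None, None
    if src is not None:  # destined to the router itself (assumed for src '*' too)
        return "INPUT", in_dev, None
    return "OUTPUT", None, out_dev  # generated by the router (assumed for dest '*' too)


def iptables_rule(rule):
    """Render one UCI rule (a dict) as an iptables-save line in the mangle table."""
    chain, in_dev, out_dev = select_chain(rule.get("src"), rule.get("dest"))
    parts = ["-A", chain]
    if in_dev:
        parts += ["-i", in_dev]
    if out_dev:
        parts += ["-o", out_dev]
    proto = rule["proto"]
    parts += ["-p", proto, "-m", proto, "--dport", rule["dest_port"],
              "-m", "comment", "--comment", '"!fw3: %s"' % rule["name"]]
    if rule["target"] == "DSCP":
        parts += ["-j", "DSCP", "--set-dscp", "0x%02x" % DSCP_CLASSES[rule["set_dscp"]]]
    else:  # MARK: '0x03/0xff' is printed by iptables-save as '0x3/0xff'
        mark, mask = rule["set_mark"].split("/")
        parts += ["-j", "MARK", "--set-xmark", "0x%x/%s" % (int(mark, 16), mask)]
    return " ".join(parts)


# Two of the cover letter's test cases, as constructed input for the functions above.
SAMPLE_RULES = [
    {"target": "DSCP", "set_dscp": "CS1", "proto": "udp", "dest_port": "1950",
     "name": "Test-2-Zone-Zone-FORW", "src": "lan", "dest": "wan"},
    {"target": "MARK", "set_mark": "0x0f/0xff", "proto": "tcp", "dest_port": "1970",
     "name": "Test-6-Dev-Zone-OUT", "dest": "wan"},
]
```

Running `iptables_rule` over `SAMPLE_RULES` reproduces the Test-2 and Test-6 lines from the "after" listing above; the remaining five test cases follow from `select_chain` in the same way.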
