[Ecn-sane] Fwd: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation

Rich Brown richb.hanover at gmail.com
Mon Mar 22 08:58:30 EDT 2021 

From the OpenWrt-devel mailing list...

Dunno if a) you're aware of this, or b) if this is actually relevant...

Rich

> Begin forwarded message:
> 
> From: Philip Prindeville <philipp_subx at redfish-solutions.com>
> Subject: Re: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
> Date: March 21, 2021 at 11:23:04 PM EDT
> To: Tony Ambardar <itugrok at yahoo.com>
> Cc: openwrt-devel at lists.openwrt.org
> Sender: "openwrt-devel" <openwrt-devel-bounces at lists.openwrt.org>
> 
> Are you aware that many open source apps already do DSCP marking?
> 
> I submitted the changes to Firefox, Thunderbird, Cyrus, Proftpd, Sendmail, Postfix, Curl, Wget, Apache... and this was more than 15 years ago.
> 
> Why would you want to overwrite marking if it's already present?
> 
> 
>> On Mar 21, 2021, at 7:06 PM, Tony Ambardar via openwrt-devel <openwrt-devel at lists.openwrt.org> wrote:
>> 
>> The sender domain has a DMARC Reject/Quarantine policy which disallows
>> sending mailing list messages using the original "From" header.
>> 
>> To mitigate this problem, the original message has been wrapped
>> automatically by the mailing list software.
>> From: Tony Ambardar <itugrok at yahoo.com>
>> Subject: [PATCH firewall3 v1 0/2] fix DSCP/MARK target implementation
>> Date: March 21, 2021 at 7:06:17 PM MDT
>> To: openwrt-devel at lists.openwrt.org
>> Cc: Jo-Philipp Wich <jo at mein.io>, Tony Ambardar <itugrok at yahoo.com>
>> 
>> 
>> Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
>> and accepts but ignores a src device. This behaviour is impractical for
>> most common applications (e.g. QOS setup), since rules are applied to all
>> devices and in all directions. Fix this generally by honouring src/dest
>> device selection and placing the rules into the appropriate chain of the
>> mangle table. 
>> 
>> These changes revealed the process of resolving zones to devices can add
>> duplicates due to the presence of aliased interfaces. Fix this by filtering
>> the fw3_zone->devices list during creation.
>> 
>> Thanks go to Jo-Philipp Wich <jo at mein.io> for sharing proof of concept code
>> on IRC and providing additional review afterwards.
>> 
>> Tony Ambardar (2):
>> zone: avoid duplicates in devices list
>> rules: fix device and chain usage for DSCP/MARK targets
>> 
>> rules.c | 68 ++++++++++++++++++++++++++++++++++++---------------------
>> zones.c |  9 +++++++-
>> 2 files changed, 51 insertions(+), 26 deletions(-)
>> 
>> Testing
>> =======
>> 
>> Regression testing was done to confirm the default OpenWrt firewall rules
>> are unchanged before and after this patch.
>> 
>> Functional testing was carried out using the UCI firewall rules below. This
>> set of test cases would normally yield the following incorrect iptables
>> rules (from iptables-save, sorted by test):
>> 
>> -A PREROUTING -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
>> -A PREROUTING -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
>> -A PREROUTING -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
>> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
>> 
>> After this change, the resulting iptables rules use the expected devices
>> and chains:
>> 
>> -A PREROUTING -i br-lan -p udp -m udp --dport 1945 -m comment --comment "!fw3: Test-1-Zone-Any-PRE" -j DSCP --set-dscp 0x00
>> -A FORWARD -i br-lan -o eth0 -p udp -m udp --dport 1950 -m comment --comment "!fw3: Test-2-Zone-Zone-FORW" -j DSCP --set-dscp 0x08
>> -A POSTROUTING -o eth0 -p tcp -m tcp --dport 1955 -m comment --comment "!fw3: Test-3-Any-Zone-POST" -j MARK --set-xmark 0x3/0xff
>> -A FORWARD -p tcp -m tcp --dport 1960 -m comment --comment "!fw3: Test-4-Any-Any-FORW" -j MARK --set-xmark 0x7/0xff
>> -A INPUT -i br-lan -p udp -m udp --dport 1965 -m comment --comment "!fw3: Test-5-Zone-Dev-IN" -j DSCP --set-dscp 0x2e
>> -A OUTPUT -o eth0 -p tcp -m tcp --dport 1970 -m comment --comment "!fw3: Test-6-Dev-Zone-OUT" -j MARK --set-xmark 0xf/0xff
>> -A OUTPUT -p udp -m udp --dport 1975 -m comment --comment "!fw3: Test-7-Dev-Dev-OUT" -j DSCP --set-dscp 0x30
>> 
>> UCI FW Rules
>> ------------
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'BE'
>>       option proto 'udp'
>>       option dest_port '1945'
>>       option name 'Test-1-Zone-Any-PRE'
>>       option src 'lan'
>>       option dest '*'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'CS1'
>>       option proto 'udp'
>>       option dest_port '1950'
>>       option name 'Test-2-Zone-Zone-FORW'
>>       option src 'lan'
>>       option dest 'wan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'MARK'
>>       option set_mark '0x03/0xff'
>>       option proto 'tcp'
>>       option dest_port '1955'
>>       option name 'Test-3-Any-Zone-POST'
>>       option src '*'
>>       option dest 'wan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'MARK'
>>       option set_mark '0x07/0xff'
>>       option proto 'tcp'
>>       option dest_port '1960'
>>       option name 'Test-4-Any-Any-FORW'
>>       option src '*'
>>       option dest '*'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'EF'
>>       option proto 'udp'
>>       option dest_port '1965'
>>       option name 'Test-5-Zone-Dev-IN'
>>       option src 'lan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'MARK'
>>       option set_mark '0x0f/0xff'
>>       option proto 'tcp'
>>       option dest_port '1970'
>>       option name 'Test-6-Dev-Zone-OUT'
>>       option dest 'wan'
>> 
>> config rule
>>       option enabled '1'
>>       option target 'DSCP'
>>       option set_dscp 'CS6'
>>       option proto 'udp'
>>       option dest_port '1975'
>>       option name 'Test-7-Dev-Dev-OUT'
>> 
>> -- 
>> 2.25.1
>> 
>> 
>> 
>> 
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> 
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/ecn-sane/attachments/20210322/03f9419f/attachment.html>

More information about the Ecn-sane mailing list