Commit
This fixes an issue where policies could violate the rule "packets ingress one and only one zone". If source address ranges from different zones overlapped, then it was possible for packets to enter multiple zones in the policy dispatch.

Example configuration:

Old code generates these rules:

    table inet firewalld {
        chain filter_FORWARD_POLICIES_pre {
            ip saddr 10.10.10.0/24 oifname "dummy0" jump filter_FWD_policy_policy-1
            ip saddr 10.0.0.0/8 oifname "dummy0" jump filter_FWD_policy_policy-1
            ip saddr 10.10.0.0/16 oifname "dummy0" jump filter_FWD_policy_policy-2
        }
    }

In this example the packets may actually enter policy-1 twice; one for zone internal and one for zone trusted. Packets will also enter policy-2. This is a violation of zone concepts.

The new rule layout adds explicit returns to prevent drifting between zones. It's an explicit return for every pair of the ingress zone's interface/sources and egress zone's interface/sources.

New rules:

    table inet firewalld {
        chain filter_FORWARD_POLICIES_pre {
            ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 return
            ip saddr 10.0.0.0/8 ip daddr 10.10.0.0/16 return
            ip saddr 10.0.0.0/8 ip daddr 10.10.10.0/24 return
            oifname "dummy0" ip saddr 10.0.0.0/8 jump filter_FWD_policy_policy-1
            oifname "dummy0" ip saddr 10.0.0.0/8 return
            ip saddr 10.10.0.0/16 ip daddr 10.0.0.0/8 return
            ip saddr 10.10.0.0/16 ip daddr 10.10.0.0/16 return
            ip saddr 10.10.0.0/16 ip daddr 10.10.10.0/24 return
            oifname "dummy0" ip saddr 10.10.0.0/16 jump filter_FWD_policy_policy-2
            oifname "dummy0" ip saddr 10.10.0.0/16 return
            ip saddr 10.10.10.0/24 ip daddr 10.0.0.0/8 return
            ip saddr 10.10.10.0/24 ip daddr 10.10.0.0/16 return
            ip saddr 10.10.10.0/24 ip daddr 10.10.10.0/24 return
            oifname "dummy0" ip saddr 10.10.10.0/24 jump filter_FWD_policy_policy-1
            oifname "dummy0" ip saddr 10.10.10.0/24 return
            iifname "dummy0" ip daddr 10.0.0.0/8 return
            iifname "dummy0" ip daddr 10.10.0.0/16 return
            iifname "dummy0" ip daddr 10.10.10.0/24 return
            iifname "dummy0" oifname "dummy0" return
        }
    }
Furthermore, policies ignored some long-standing rules about zone dispatch.

- sources are always dispatched before interfaces
- sources are sorted by zone name

Those have also been addressed by this change. The sort order applies both on the ingress (iifname, ip saddr) and egress (oifname, ip daddr).

Fixes: #797
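To make the "enters policy-1 twice" behaviour concrete, here is a small simulator of how nft walks the two rule layouts quoted in the commit message (first match per rule, jump enters a chain and evaluation continues afterwards, return leaves the chain). It is an added example, not firewalld code or part of this commit; the packet addresses and interface names are constructed, only the rule bodies are taken from the message above.

```python
import ipaddress
import re
# Rule bodies of chain filter_FORWARD_POLICIES_pre, copied from the commit message above.
OLD_RULES = """
ip saddr 10.10.10.0/24 oifname "dummy0" jump filter_FWD_policy_policy-1
ip saddr 10.0.0.0/8 oifname "dummy0" jump filter_FWD_policy_policy-1
ip saddr 10.10.0.0/16 oifname "dummy0" jump filter_FWD_policy_policy-2
"""
NEW_RULES = """
ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 return
ip saddr 10.0.0.0/8 ip daddr 10.10.0.0/16 return
ip saddr 10.0.0.0/8 ip daddr 10.10.10.0/24 return
oifname "dummy0" ip saddr 10.0.0.0/8 jump filter_FWD_policy_policy-1
oifname "dummy0" ip saddr 10.0.0.0/8 return
ip saddr 10.10.0.0/16 ip daddr 10.0.0.0/8 return
ip saddr 10.10.0.0/16 ip daddr 10.10.0.0/16 return
ip saddr 10.10.0.0/16 ip daddr 10.10.10.0/24 return
oifname "dummy0" ip saddr 10.10.0.0/16 jump filter_FWD_policy_policy-2
oifname "dummy0" ip saddr 10.10.0.0/16 return
ip saddr 10.10.10.0/24 ip daddr 10.0.0.0/8 return
ip saddr 10.10.10.0/24 ip daddr 10.10.0.0/16 return
ip saddr 10.10.10.0/24 ip daddr 10.10.10.0/24 return
oifname "dummy0" ip saddr 10.10.10.0/24 jump filter_FWD_policy_policy-1
oifname "dummy0" ip saddr 10.10.10.0/24 return
iifname "dummy0" ip daddr 10.0.0.0/8 return
iifname "dummy0" ip daddr 10.10.0.0/16 return
iifname "dummy0" ip daddr 10.10.10.0/24 return
iifname "dummy0" oifname "dummy0" return
"""
MATCH = re.compile(r'ip (saddr|daddr) (\S+)|(iifname|oifname) "([^"]+)"')
def parse_rule(line):
    """Return ([(key, value), ...], jump target or None for a 'return' verdict)."""
    matches = [(m[0] or m[2], ipaddress.ip_network(m[1]) if m[0] else m[3])
               for m in MATCH.findall(line)]
    target = line.split()[-1]
    return matches, None if target == "return" else target
def dispatch(rules, pkt):
    """Walk the chain like nft: 'jump' enters the target then continues; 'return' leaves."""
    entered = []
    for line in rules.strip().splitlines():
        matches, target = parse_rule(line)
        if all(pkt[k] in v if k in ("saddr", "daddr") else pkt[k] == v
               for k, v in matches):
            if target is None:  # explicit return: no drifting into other zones
                break
            entered.append(target)  # jump; evaluation continues with the next rule
    return entered
PKT = {"saddr": ipaddress.ip_address("10.10.10.5"), "daddr": ipaddress.ip_address("192.0.2.7"),
       "iifname": "eth0", "oifname": "dummy0"}  # constructed forwarded packet, not from the page
```

With the old layout `dispatch(OLD_RULES, PKT)` lists policy-1 twice and then policy-2; with the new layout the same packet enters policy-1 once and the explicit return stops the walk.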
Showing 6 changed files with 2,023 additions and 398 deletions.