NAT leakage on 22.03 [fw4]

UCI Firewall option masq_allow_invalid seems to be ignored by fw4.
The nft ruleset doesn't change when the option is enabled and packets are leaked, regardless of the setting.

OpenWrt 22.03.0 r19685-512e76967f / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd
firewall4 - 2022-10-14-4fbf6d75-1

I used tcpdump on wan to see packets leaving to the internet (tcpdump -nnpi eth1 src net 192.168.1.0/24)

To stop the leakage I added a rule:

nft insert rule inet fw4 accept_to_wan ct state invalid drop

I can move this thread to a github issue and provide more details.

If possible, please try the following patch:

AFAIK, nft accepts "ct state" (with a space), not "ctstate".

root@OpenWrt:~# service firewall restart
/dev/stdin:120:36-42: Error: No symbol type information
		meta nfproto ipv4 oifname "eth1" ctstate invalid counter drop comment "!fw4: Prevent NAT leakage"
		                                 ^^^^^^^
The rendered ruleset contains errors, not doing firewall restart.

Fixing zone-drop-invalid.uc accordingly, the leakage disappears.
Thank you.

2 Likes
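The two findings in this thread (the drop rule missing from the rendered ruleset in the first post, and the "ctstate" misspelling in the patch that nft refused to parse) can both be caught by inspecting the chain fw4 renders for the WAN zone. The script below is an added example and is not code from the thread or from firewall4; the two ruleset snippets are constructed samples standing in for the output of `nft list chain inet fw4 accept_to_wan`, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or firewall4): audit whether the fw4
# accept_to_wan chain drops invalid-conntrack-state packets before they reach
# the masquerade step, i.e. whether masq_allow_invalid=0 is actually enforced.

# Constructed sample: what the thread observed, no drop rule for invalid state.
SAMPLE_WITHOUT='table inet fw4 {
	chain accept_to_wan {
		meta nfproto ipv4 oifname "eth1" counter accept comment "!fw4: accept wan IPv4 traffic"
	}
}'

# Constructed sample: the corrected template output, "ct state" with a space.
SAMPLE_WITH='table inet fw4 {
	chain accept_to_wan {
		meta nfproto ipv4 oifname "eth1" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
		meta nfproto ipv4 oifname "eth1" counter accept comment "!fw4: accept wan IPv4 traffic"
	}
}'

# has_invalid_drop CHAIN_TEXT IFNAME
# Exit 0 if the chain contains a rule of the form
#   oifname "IFNAME" ... ct state invalid ... drop
# Only the spelling "ct state" is accepted; "ctstate" is what nft rejected
# with "No symbol type information" in the thread, so it must not count.
has_invalid_drop() {
	printf '%s\n' "$1" | grep -E "oifname \"$2\".*ct state invalid.*drop" >/dev/null
}

# audit_zone CHAIN_TEXT IFNAME MASQ_ALLOW_INVALID
# Prints one of:
#   OK      - invalid-state packets are dropped before NAT
#   ALLOWED - no drop rule, but masq_allow_invalid=1 asked for exactly that
#   LEAK    - no drop rule although masq_allow_invalid is 0 (the default);
#             this is the NAT leakage reported in the thread
audit_zone() {
	chain="$1"; ifname="$2"; allow_invalid="${3:-0}"
	if has_invalid_drop "$chain" "$ifname"; then
		echo "OK: invalid-state packets are dropped before NAT on $ifname"
	elif [ "$allow_invalid" = "1" ]; then
		echo "ALLOWED: masq_allow_invalid=1, invalid-state packets pass by configuration on $ifname"
	else
		echo "LEAK: no 'ct state invalid ... drop' rule for $ifname although masq_allow_invalid=$allow_invalid"
	fi
}

# Offline demonstration on the constructed samples. On a router, feed the
# live chain instead:
#   audit_zone "$(nft list chain inet fw4 accept_to_wan)" eth1 \
#       "$(uci -q get firewall.@zone[1].masq_allow_invalid)"
audit_zone "$SAMPLE_WITHOUT" eth1 0
audit_zone "$SAMPLE_WITHOUT" eth1 1
audit_zone "$SAMPLE_WITH" eth1 0
```

A LEAK result is the condition the first post worked around with `nft insert rule inet fw4 accept_to_wan ct state invalid drop`; that manual rule is lost on the next `service firewall restart`, so the template fix pushed to firewall4.git is the durable remedy. The syntax error in the second post was caught because fw4 dry-runs the rendered ruleset with `nft -c` before loading it, which is why the restart was refused rather than leaving the router with no rules at all.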

Thank you for the test feedback. I fixed the spelling and pushed the change to firewall4.git, the next package bump will include this fix then.

1 Like