Procd: where is the config?

I am experimenting with https-dns-proxy.

At some point, the code is doing this:

    json_add_array firewall
    for c in $forceDNSPorts; do
        if netstat -tuln | grep 'LISTEN' | grep ":${c}" >/dev/null 2>&1 || [ "$c" = "53" ]; then
            json_add_object ""
            json_add_string type redirect
            json_add_string target DNAT
            json_add_string src lan
            json_add_string proto "tcp udp"
            json_add_string src_dport "$c"
            json_add_string dest_port "$c"
            json_add_boolean reflection 0
            json_close_object
        else
            json_add_object ""
            json_add_string type rule
            json_add_string src lan
            json_add_string dest "*"
            json_add_string proto "tcp udp"
            json_add_string dest_port "$c"
            json_add_string target REJECT
            json_close_object
        fi
    done
    json_close_array
    procd_close_data
    procd_close_instance

I am completely unfamiliar with procd and jshn, but my guess is that this creates a json object, fills it in, and then somehow adds it to the firewall config.

What is the command that actually adds this json firewall array to the fw3 config?

Also, because I have no lan network, when I do a fw3 print I see this:

Warning: Warning: ubus rule (ubus:https-dns-proxy[main] rule 1) refers to not existing zone 'lan'
Warning: Warning: ubus redirect (ubus:https-dns-proxy[main] redirect 0) refers to not existing zone 'lan'

The warning makes sense; however, I cannot find the added config in /etc/config/firewall, which is where it would be if it had been added by something like uci add.

Where does the config added by https-dns-proxy actually live?

Finally, it seems wrong to me that https-dns-proxy hardcodes lan. It means users that have created another internal subnet will have the force_dns option of https-dns-proxy fail silently.
In other words, a client on a subnet other than lan will be able to bypass the DNS resolver, which will run contrary to user expectations.


Apparently fw3/ubus provide an API to customize the runtime configuration independently from UCI.
You can file an issue against https-dns-proxy to support custom LAN interfaces.
Or just disable the automatic redirects/rules and create manual ones instead:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns


Thanks, yes, my plan is to unselect "force-dns" and manually add the dns hijacking rules myself.

That's my conclusion as well, but I do not know how to visualize or even remove the (incorrect) fw3 rules that have been sent via ubus. Do you have any pointer on that?


The scope for CLI interaction with the firewall JSON objects appears to be limited to the procd environment, so you can see the customization if you run json_dump inside the https-dns-proxy init script.


Ok, thanks, I'll give that a go.


Actually you can call it with ubus from CLI outside the init script scope:

ubus call service get_data "{'name':'https-dns-proxy'}"

Ah well done, that is indeed where the configuration is!

root@OpenWrt:~# ubus call service get_data "{'name':'https-dns-proxy'}"
{
	"https-dns-proxy": {
		"main": {
			"firewall": [
				{
					"type": "redirect",
					"target": "DNAT",
					"src": "lan",
					"proto": "tcp udp",
					"src_dport": "53",
					"dest_port": "53",
					"reflection": false
				},
				{
					"type": "rule",
					"src": "lan",
					"dest": "*",
					"proto": "tcp udp",
					"dest_port": "853",
					"target": "REJECT"
				}
			]
		}
	}
}

Ok, so now I just need to figure out how to flush all ubus data. I'll look into the doc, thanks for your help.

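As an added check (not code from this thread or from the https-dns-proxy package), the following POSIX shell script reads the `ubus call service get_data` output shown above and reports every `src`/`dest` zone it references that is not defined as a firewall zone, which is exactly the mismatch behind the "refers to not existing zone" warnings. The sample JSON and zone list are constructed; the live branch assumes it is run on an OpenWrt box with `ubus` and `uci` on PATH.

```sh
#!/bin/sh
# Added example (not from the thread or the https-dns-proxy package): list the
# zones that procd-supplied firewall entries reference but UCI does not define.

# Constructed sample of `ubus call service get_data "{'name':'https-dns-proxy'}"`,
# mirroring the two entries shown in the thread.
SAMPLE_DATA='{"https-dns-proxy":{"main":{"firewall":[
 {"type":"redirect","target":"DNAT","src":"lan","proto":"tcp udp","src_dport":"53","dest_port":"53","reflection":false},
 {"type":"rule","src":"lan","dest":"*","proto":"tcp udp","dest_port":"853","target":"REJECT"}]}}}'

# Constructed zone list for a box with no "lan" zone, as in the thread.
SAMPLE_ZONES="wan guest"

# zone_refs DATA: print every distinct zone named by a "src" or "dest" key.
# Commas and braces are turned into newlines first, so the patterns work on
# both the compact sample and the pretty-printed output ubus produces.
zone_refs() {
    printf '%s\n' "$1" | tr ',{}' '\n\n\n' \
        | sed -n -e 's/^[[:space:]]*"src":[[:space:]]*"\([^"]*\)".*/\1/p' \
                 -e 's/^[[:space:]]*"dest":[[:space:]]*"\([^"]*\)".*/\1/p' \
        | sort -u
}

# missing_zones DATA ZONES: print referenced zones that are absent from the
# space-separated ZONES list. "*" means any zone and is never reported.
missing_zones() {
    zone_refs "$1" | while IFS= read -r z; do
        if [ "$z" = "*" ]; then continue; fi
        case " $2 " in
            *" $z "*) ;;                  # zone exists, nothing to report
            *) printf '%s\n' "$z" ;;      # referenced but undefined: fw3 will warn
        esac
    done
}

# On an OpenWrt box use the live procd data and the real zone list (assumes
# ubus and uci are on PATH); anywhere else fall back to the constructed sample.
if command -v ubus >/dev/null 2>&1 && command -v uci >/dev/null 2>&1; then
    DATA=$(ubus call service get_data "{'name':'https-dns-proxy'}")
    ZONES=$(uci show firewall | sed -n "s/^firewall\.@zone\[[0-9]*\]\.name='\(.*\)'\$/\1/p" | tr '\n' ' ')
else
    DATA=$SAMPLE_DATA
    ZONES=$SAMPLE_ZONES
fi
missing_zones "$DATA" "$ZONES"   # prints "lan" for the sample
```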

You can simply prevent creating the automatic redirects/rules by disabling this option:


Ah right indeed. I was aware of this option, but did not realize this would "flush" the ubus data. Thanks!

