fix(ipv6_filter): match fwmark

Otherwise IPv6 rpfilter will fail if using multiple routing tables. Fixes: firewalld#603
centreon-lab · Mar 12, 2021 · f250c2c · f250c2c
1 parent cbf8a60
commit f250c2c
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
@@ -1489,10 +1489,11 @@ class ip6tables(ip4tables):
     def build_rpfilter_rules(self, log_denied=False):
         rules = []
         rules.append([ "-I", "PREROUTING", "-t", "mangle",
-                       "-m", "rpfilter", "--invert", "-j", "DROP" ])
+                       "-m", "rpfilter", "--invert", "--validmark",
+                       "-j", "DROP" ])
         if log_denied != "off":
             rules.append([ "-I", "PREROUTING", "-t", "mangle",
-                           "-m", "rpfilter", "--invert",
+                           "-m", "rpfilter", "--invert", "--validmark",
                            "-j", "LOG",
                            "--log-prefix", "rpfilter_DROP: " ])
         rules.append([ "-I", "PREROUTING", "-t", "mangle",

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
@@ -1568,7 +1568,7 @@ def build_rpfilter_rules(self, log_denied=False):
         expr_fragments = [{"match": {"left": {"meta": {"key": "nfproto"}},
                                      "op": "==",
                                      "right": "ipv6"}},
-                          {"match": {"left": {"fib": {"flags": ["saddr", "iif"],
+                          {"match": {"left": {"fib": {"flags": ["saddr", "iif", "mark"],
                                                       "result": "oif"}},
                                      "op": "==",
                                      "right": False}}]

diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
@@ -79,7 +79,7 @@ IF_HOST_SUPPORTS_NFT_FIB([
         table inet firewalld {
             chain filter_PREROUTING {
                 icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
-                meta nfproto ipv6 fib saddr . iif oif missing drop
+                meta nfproto ipv6 fib saddr . mark . iif oif missing drop
             }
         }
     ])
@@ -295,7 +295,7 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
 IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
     ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
     ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
-    DROP all ::/0 ::/0 rpfilter invert
+    DROP all ::/0 ::/0 rpfilter validmark invert
     PREROUTING_direct all ::/0 ::/0
     PREROUTING_POLICIES_pre all ::/0 ::/0
     PREROUTING_ZONES all ::/0 ::/0