Allow forwarding of all DHCP traffic

Recently we added iptables rule to prevent forwarding of non-app traffic (so that attacker cannot use EVE to hop from one network to another). This rule is based on connection tracking and differentiating between host and app traffic using marks. However, app-initiated DHCP requests can match the same conntrack entry as was created for DHCP requests sent by the DHCP client of EVE. This is because source/destination IPs are undefined or broadcast: [72]: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0xa This means that application DHCP traffic may get mark "in_dhcp" (as opposed to "app_dhcp") and forwarding will not be allowed. This is particularly problem for switch NI. Lets create an exception rule, allowing forwarding of DHCP traffic even if it has in_dhcp mark, given that the same mark can be accidentally assigned also to an application DHCP request. Signed-off-by: Milan Lenco <[email protected]> (cherry picked from commit 080afbf)
milan-zededa · Jun 13, 2024 · 432d402 · 432d402
1 parent 93b84ad
commit 432d402
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/pkg/pillar/dpcreconciler/linux.go b/pkg/pillar/dpcreconciler/linux.go
@@ -1846,6 +1846,27 @@ func (r *LinuxDpcReconciler) getIntendedACLs(
 	intendedIPv4ACLs.PutItem(denyNonAppForwarding, nil)
 	denyNonAppForwarding.ForIPv6 = true
 	intendedIPv6ACLs.PutItem(denyNonAppForwarding, nil)
+	// Allow forwarding of all DHCP traffic.
+	// Application-initiated DHCP requests can match the same conntrack entry
+	// as was created for DHCP requests sent by the DHCP client of EVE.
+	// This is because source/destination IPs are undefined or broadcast:
+	//  [72]: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
+	//        src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0xa
+	// However, this means that the application DHCP traffic may get mark "in_dhcp"
+	// (as opposed to "app_dhcp") and denyNonAppForwarding would match it with
+	// the nonAppMark filter and forbid forwarding (which is problem particularly
+	// for switch NI).
+	allowDHCPForwarding := iptables.Rule{
+		RuleLabel: "Allow DHCP forwarding",
+		Table:     "mangle",
+		ChainName: "FORWARD" + iptables.DeviceChainSuffix,
+		MatchOpts: []string{"--match", "connmark", "--mark",
+			controlProtoMark("in_dhcp")},
+		Target:        "ACCEPT",
+		AppliedBefore: []string{denyNonAppForwarding.RuleLabel},
+		Description:   "Allow forwarding of all DHCP traffic",
+	}
+	intendedIPv4ACLs.PutItem(allowDHCPForwarding, nil)
 
 	// Mark all un-marked local traffic generated by local services.
 	outputRules := []iptables.Rule{

diff --git a/pkg/pillar/dpcreconciler/linux_test.go b/pkg/pillar/dpcreconciler/linux_test.go
@@ -158,8 +158,8 @@ func TestReconcileWithEmptyArgs(test *testing.T) {
 	t.Expect(itemCountWithType(linux.LocalIPRuleTypename)).To(Equal(1))
 	t.Expect(itemCountWithType(iptables.ChainV4Typename)).To(Equal(12))
 	t.Expect(itemCountWithType(iptables.ChainV6Typename)).To(Equal(12))
-	t.Expect(itemCountWithType(iptables.RuleV4Typename)).To(Equal(32))
-	t.Expect(itemCountWithType(iptables.RuleV6Typename)).To(Equal(31)) // without markDhcp
+	t.Expect(itemCountWithType(iptables.RuleV4Typename)).To(Equal(33))
+	t.Expect(itemCountWithType(iptables.RuleV6Typename)).To(Equal(31)) // without markDhcp & allowDHCPForwarding
 	t.Expect(itemIsCreatedWithLabel("Block SSH")).To(BeTrue())
 
 	// Enable SSH access