Firewall rules: ipset reference not removed when modifying input rule

gsanchietti commented 4 days ago

Steps to reproduce

Create an input rule (e.g., ssh access) with the source limited to a domain set.
Modify the rule by limiting the source to only the IP address 1.1.1.1.
Check the chain input_wan to see if the reference to the ipset is removed.

The uci configuration before modification:

firewall.ns_2cb6a34d=rule
firewall.ns_2cb6a34d.name='allow-ssh'
firewall.ns_2cb6a34d.src='wan'
firewall.ns_2cb6a34d.target='ACCEPT'
firewall.ns_2cb6a34d.ns_service='ssh'
firewall.ns_2cb6a34d.dest_port='22'
firewall.ns_2cb6a34d.enabled='1'
firewall.ns_2cb6a34d.log='0'
firewall.ns_2cb6a34d.ipset='tutto src'
firewall.ns_2cb6a34d.proto='tcp' 'udp'

The uci configuration after modification:

firewall.ns_2cb6a34d=rule
firewall.ns_2cb6a34d.name='allow-ssh'
firewall.ns_2cb6a34d.src='wan'
firewall.ns_2cb6a34d.target='ACCEPT'
firewall.ns_2cb6a34d.ns_service='ssh'
firewall.ns_2cb6a34d.dest_port='22'
firewall.ns_2cb6a34d.enabled='1'
firewall.ns_2cb6a34d.log='0'
firewall.ns_2cb6a34d.ipset='tutto src'
firewall.ns_2cb6a34d.src_ip='1.1.1.1'
firewall.ns_2cb6a34d.proto='tcp' 'udp'

Expected behavior

The reference to the ipset should be removed from the chain input_wan once the source is changed to a specific IP address.

Actual behavior

The reference to the ipset remains in the chain input_wan even after changing the source to a specific IP address.
When changing the source to 'any', the ipset reference remains as @tutto.
Verify if the issue is present inside output and forward rules

Components NethSecurity version: 8-23.05.5-ns.1.3.0

Tbaile commented 1 day ago

Image: 23.05.5-ns.1.3.0-52-ge672f104

Since the importance of the fix, a thorough QA is provided.

Forward 1.1 Create a new forward rule with just manual addresses 1.2 Ensure that in the Changes section there's no ipset defined for the rule. 1.3 Edit the rule, add a domain set as a source and save 1.4 Ensure that ipset is defined 1.5 Edit the rule and set a static IP as a source, make sure that ipset has been deleted from the rule 1.6 Repeat the steps 1.3 and 1.5 for the destination
Input 2.1 Create a new input rule with just a manual address 2.2 Edit such rule and set a domain set as source 2.3 Verify that ipset is defined 2.4 Edit the rule again and set a static IP as a source 2.5 Ensure that ipset is not defined
Output 3.1 Create a new output rule with just a manual address 3.2 Edit such rule and set a domain set as destination 3.3 Verify that ipset is defined 3.4 Edit the rule again and set a static IP as a destination 3.5 Ensure that ipset is not defined

cotosso commented 19 hours ago

Test Case 1 : Verified Test Case 2 : Verified Test Case 3 : Verified

In all cases, when ipsets are substituted with ip adresses they are not present anymore in the related firewall db rules.

Ipset definition still continues to be present in nft rules, e.g.

      set nethesis {
                type ipv4_addr
                timeout 30m
                elements = { 35.214.216.68 expires 29m53s500ms }
        }

but correctly not used in any rule.

NethServer / nethsecurity

Firewall rules: ipset reference not removed when modifying input rule #919