aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/config/firewall
Commit message (Collapse)AuthorAgeFilesLines
* firewall: link iptables extensions dynamicallyJo-Philipp Wich2015-05-261-7/+2
| | | | | | | | | | | | | | Use shared libipt{,4,6}ext.so libraries instead of statically linking the userspace matches into the fw3 executable. As a side effect the match initialization is extremely simplified compared to the weak function pointer juggling performed before. This also fixes the initialization of the multiport match. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45764 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: Allow IGMP and MLD input on WANSteven Barth2015-05-051-0/+19
| | | | | | | | | | | | The WAN port should at least respond to IGMP and MLD queries as otherwise a snooping bridge/switch might drop traffic. RFC4890 recommends to leave IGMP and MLD unfiltered as they are always link-scoped anyways. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45613 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix some more null-pointer accessesSteven Barth2015-02-261-2/+2
| | | | | | | | thanks to Hans Dedecker Signed-off-by: Steven Barth <steven@midlink.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@44540 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: respect src_dip option for reflection (#18544)Jo-Philipp Wich2015-01-081-3/+3
| | | | | | | | Also fix wrong IPv4 netmask calculation on x86-64, thanks Ulrich Weber. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@43874 3c298f89-4303-0410-b956-a3cf2f4a3e73
* license info - revert r43155John Crispin2014-11-031-2/+0
| | | | | | | | turns out that r43155 adds duplicate info. Signed-off-by: John Crispin <blogic@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@43167 3c298f89-4303-0410-b956-a3cf2f4a3e73
* Add more license tags with SPDX identifiersJohn Crispin2014-11-031-0/+2
| | | | | | | | | | | | | | | | | | Note, that licensing stuff is a nightmare: many packages does not clearly state their licenses, and often multiple source files are simply copied together - each with different licensing information in the file headers. I tried hard to ensure, that the license information extracted into the OpenWRT's makefiles fit the "spirit" of the packages, e.g. such small packages which come without a dedicated source archive "inherites" the OpenWRT's own license in my opinion. However, I can not garantee that I always picked the correct information and/or did not miss license information. Signed-off-by: Michael Heimpold <mhei@heimpold.de> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@43155 3c298f89-4303-0410-b956-a3cf2f4a3e73
* Add a few SPDX tagsSteven Barth2014-11-021-0/+1
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@43151 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: allow '*' as synonym for any / all in family and proto optionsJo-Philipp Wich2014-09-191-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42620 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix heap corruption in fw3_bitlen2netmask() with IPv6 addressesJo-Philipp Wich2014-09-181-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42610 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix invalid memory access when processing /128 IPv6 addresses from ↵Jo-Philipp Wich2014-09-171-2/+2
| | | | | | | | ubus, properly emit REDIRECT rules for local port forwards Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42604 3c298f89-4303-0410-b956-a3cf2f4a3e73
* package/*: remove useless explicit set of function returncodeJohn Crispin2014-08-251-4/+0
| | | | | | | | | | | | | | | | | | | | | | somebody started to set a function returncode in the validation stuff and everybody copies it, e.g. myfunction() { fire_command return $? } a function automatically returns with the last returncode, so we can safely remove the command 'return $?'. reference: http://tldp.org/LDP/abs/html/exit-status.html "The last command executed in the function or script determines the exit status." Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42278 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: the firewall did not start properly on bootJohn Crispin2014-08-211-1/+1
| | | | | | | | https://dev.openwrt.org/ticket/17593 Signed-off-by: John Crispin <blogic@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42233 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix potential NULL pointer accessJo-Philipp Wich2014-08-111-2/+2
| | | | | | | | Properly skip struct ifaddr entries with NULL ifa_addr, thanks Kostas Papadopoulos for reporting. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42138 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: implement selective conntrack flushing (#10225)Jo-Philipp Wich2014-08-111-2/+2
| | | | | | | | | | Utilize the new selective conntrack flushing facility to clear out active conntrack entries referring to old IP addresses after a firewall reload. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42114 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: implement support for abritary netmasksJo-Philipp Wich2014-07-191-2/+2
| | | | | | | | | | | Properly parse and pass arbritary netmasks to iptables, this allows specifying ranges like '::c23f:eff:fe7a:a094/::ffff:ffff:ffff:ffff' to match the host part of an IPv6 address regardless of the currently active IPv6 prefix. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41760 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix segfault introduced by latest updateJo-Philipp Wich2014-07-101-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41558 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix regressions introduced after latest ubus reworkJo-Philipp Wich2014-07-101-2/+2
| | | | | | | | | | The commit 92281eb747b56e748b7c3d754055919c23befdd4 broke fw3_ubus_addresses() so that no addresses where returned at all, this caused fw3 to not emit NAT reflection rules anymore. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41556 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix issue with parsing network optionsJo-Philipp Wich2014-07-031-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41491 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to the latest version, adds support for fetching firewall ↵Felix Fietkau2014-07-021-2/+2
| | | | | | | | rules from procd Signed-off-by: Felix Fietkau <nbd@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41480 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall3: add fw3 zone function to enumerate devicesSteven Barth2014-06-261-2/+2
| | | | git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41349 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: add support for nat-rules and netifd-proto-originating rulesSteven Barth2014-04-141-2/+2
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@40510 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to latest version, fixes a musl build errorFelix Fietkau2014-03-201-2/+2
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39965 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix validation constraintsJo-Philipp Wich2014-02-211-8/+8
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39649 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix several ipset integration issues (#15016)Jo-Philipp Wich2014-02-201-3/+3
| | | | | | | | | | | - Do not consider bitmap storage for IPv6 family sets - Move ipset family parameter before any additional option - Only emit family parameter for hash sets - Do not allow IPv6 iprange for IPv4 sets and vice versa Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39647 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall3: update init.d script to make use of procdJohn Crispin2014-02-181-9/+49
| | | | | | | | add validation data Signed-off-by: John Crispin <blogic@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39617 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: don't reload if there were no address or data changesSteven Barth2014-01-191-0/+1
| | | | | | | This fixes packet loss due to reloading firewall every minute with IPv6 implementation of certain ISPs. git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39332 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: improve logging in hotplug scriptJohn Crispin2014-01-151-1/+1
| | | | | | Signed-off-by: Nathan Hintz <nlhintz@hotmail.com> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39300 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix handling of tcp_ecn parameterJo-Philipp Wich2013-12-171-2/+2
| | | | | | | | | | | The firewall3 implementation as well as the shell implementation predating it used to process the tcp_ecnoption as boolean while it actually is an integer. Change the code to parse tcp_ecn as integer. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39122 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: optimize DNAT rules and skip invalid rules and redirects (#14485)Jo-Philipp Wich2013-11-181-2/+2
| | | | | | | | | | - instead of writing one (or more) ACCEPT rules in the filter table for each redirect install a global ctstate DNAT accept rule per zone - discard rules and redirects which have invalid options set instead of silently skipping the invalid values git-svn-id: svn://svn.openwrt.org/openwrt/trunk@38849 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: Improve ubus supportSteven Barth2013-10-232-3/+3
| | | | | | | | | | * Use network.interface dump call instead of individual status calls to reduce overall netifd lookups and invokes to 1 per fw3 process. * Allow protocol handlers to assign a firewall zone for an interface in the data section to allow for dynamic firewall zone assignment. git-svn-id: svn://svn.openwrt.org/openwrt/trunk@38504 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: small improvements in nat reflectionJo-Philipp Wich2013-10-101-2/+2
| | | | | | | - do not insert duplicate rules when setting up reflection to a zone containing multiple interfaces - set up reflection for any protocol, not just TCP and UDP git-svn-id: svn://svn.openwrt.org/openwrt/trunk@38361 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git headJo-Philipp Wich2013-08-141-2/+2
| | | | | | | - uses "-j CT --notrack" instead of deprecated "-j NOTRACK" - fixes support for rule sections with target "NOTRACK" git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37777 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git headJo-Philipp Wich2013-07-161-2/+2
| | | | | | - handles redirects as port relocations if the dest_ip points to the router itself git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37374 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: add missing dependenciesFelix Fietkau2013-07-101-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37224 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: allow routed lan<->lan traffic by defaultJo-Philipp Wich2013-07-042-2/+2
| | | | git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37171 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git headJo-Philipp Wich2013-06-291-2/+2
| | | | | | - uses custom formatting for mac addresses to ensure leading zeroes, required for older iptables mac match parser git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37082 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git headJo-Philipp Wich2013-06-181-2/+2
| | | | | | - fixes misprocessing of unknown symbolic protocol names git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36963 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git headJo-Philipp Wich2013-06-181-2/+2
| | | | | | - fixes calculation of IPv4 netmasks derived from 0.0.0.0/0 CIDRs git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36960 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git headJo-Philipp Wich2013-06-131-2/+2
| | | | | | - properly process intermediate "!" options in argument list (fixes negated ipsets) git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36935 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git headJo-Philipp Wich2013-06-131-2/+2
| | | | | | - fixes handling of reject target for rule sections with specific destination zone git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36933 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: udpate to git head (#13652, #13654, #13658)Jo-Philipp Wich2013-06-061-2/+2
| | | | | | | | | - optimizes chain usage for ingress rules - adds limit match support for redirect rules - fixes automatic redirect dest detection on little endian systems - leaves base chains in place on reload to allow user rules to target e.g. "reject" git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36871 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: copy libext*.a from staging dir and drop kernel.mk includes, ↵Jo-Philipp Wich2013-06-061-4/+1
| | | | | | solves problem with colliding CONFIG_IPV6 symbols git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36868 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: update to git head (#13652)Jo-Philipp Wich2013-06-051-2/+2
| | | | | | | - simplifies using ipsets for rules and redirects, match direction can be specified in-place like option ipset 'setname src dst dst' - uses zone_name_src_ACTION chains for input rules, this fixes logging with log enabled src zones git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36854 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall3: fix accidentally changed install directiveJo-Philipp Wich2013-06-041-1/+1
| | | | git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36840 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix git source urlJo-Philipp Wich2013-06-041-1/+1
| | | | git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36839 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall3: rename to firewall, move into base system menu, update to git ↵Jo-Philipp Wich2013-06-045-0/+285
| | | | | | head with compatibility fixes for AA git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36838 3c298f89-4303-0410-b956-a3cf2f4a3e73
* Drop legacy firewall packageJo-Philipp Wich2013-06-0417-1961/+0
| | | | git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36837 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: Remove obsoleted ULA-border ruleSteven Barth2013-05-132-20/+1
| | | | git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36622 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: fix logging rule regression (#12999)Jo-Philipp Wich2013-02-222-2/+2
| | | | git-svn-id: svn://svn.openwrt.org/openwrt/trunk@35745 3c298f89-4303-0410-b956-a3cf2f4a3e73
* firewall: various enhancementsJo-Philipp Wich2013-02-047-97/+133
| | | | | | | | | | | | - reduce mssfix related log spam (#10681) - separate src and dest terminal chains (#11453, #12945) - disable per-zone custom chains by default, they're rarely used Additionally introduce options "device", "subnet", "extra", "extra_src" and "extra_dest" to allow defining zones not related to uci interfaces, e.g. to match "ppp+" or any tcp traffic to and from a specific port. git-svn-id: svn://svn.openwrt.org/openwrt/trunk@35484 3c298f89-4303-0410-b956-a3cf2f4a3e73
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-18 08:56:02 +0000