aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/config/firewall
Commit message (Collapse)AuthorAgeFilesLines
* firewall: bump to latest HEADDavid Bauer2020-09-051-3/+3
| | | | | | | 8c2f9fa fw3: zones: limit zone names to 11 bytes 78d52a2 options: fix parsing of boolean attributes Signed-off-by: David Bauer <mail@david-bauer.net>
* firewall: Fix PKG_MIRROR_HASHHauke Mehrtens2020-08-241-1/+1
| | | | | Fixes: 6c57fb7aa93d ("firewall: bump to version 2020-07-05") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* firewall: bump to version 2020-07-05Yousong Zhou2020-07-261-3/+3
| | | | | | | | | | | | | | | Changes since last source version e9b90df zones: apply tcp mss clamping also on ingress path 050816a redirects: fix segmentation fault f62a52b treewide: replace unsafe string functions 23cc543 improve reload logic 9d7f49d redurects: add support to define multiple zones for dnat reflection rules f87d0b0 firewall3: defaults: fix uci flow_offloading option fe9602c rules: fix typo 7cc2a84 defaults: robustify flow table detection. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* firewall: add rule for traceroute supportPhilip Prindeville2020-05-211-0/+13
| | | | | | | | | | | | | | | | | Running your firewall's "wan" zone in REJECT zone (1) exposes the presence of the router, (2) depending on the sophistication of fingerprinting tools might identify the OS and release running on the firewall which then identifies known vulnerabilities with it and (3) perhaps most importantly of all, your firewall can be used in a DDoS reflection attack with spoofed traffic generating ICMP Unreachables or TCP RST's to overwhelm a victim or saturate his link. This rule, when enabled, allows traceroute to work even when the default input policy of the firewall for the wan zone has been set to DROP. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* firewall: update to latest Git HEADJo-Philipp Wich2019-11-221-3/+3
| | | | | | | 8174814 utils: persist effective extra_src and extra_dest options in state file 72a486f zones: fix emitting match rules for zones with only "extra" options Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to latest git HEADHans Dedecker2019-10-041-3/+3
| | | | | | daed0cf utils: fix resource leak Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest Git HEADJo-Philipp Wich2019-09-181-3/+3
| | | | | | | 383eb58 ubus: do not overwrite ipset name attribute Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to latest git HEADPetr Štetiar2019-09-151-3/+3
| | | | | | c26f8907d1d2 firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firewall: update to latest git HEADHauke Mehrtens2019-09-081-3/+3
| | | | | | 487bd0d utils: Fix string format message Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* firewal: update to latest git HEADHans Dedecker2019-09-071-3/+3
| | | | | | | | 4d0c703 firewall3: Fix some format string problems 8c404ef iptables.c: lock the xtables.lock c1d3a4d utils: implement fw3_lock_path() & fw3_unlock_path() Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest git HEADKevin Darbyshire-Bryant2019-08-221-3/+3
| | | | | | bf29c1e firewall3: ipset: Handle reload_set properly Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* firewall: improve ipset supportKevin Darbyshire-Bryant2019-08-161-4/+4
| | | | | | | | | | | | | | | | | | | | Bump to latest git HEAD 509e673 firewall3: Improve ipset support The enabled option did not work properly for ipsets, as it was not checked on create/destroy of a set. After this commit, sets are only created/destroyed if enabled is set to true. Add support for reloading, or recreating, ipsets on firewall reload. By setting "reload_set" to true, the set will be destroyed and then re-created when the firewall is reloaded. Add support for the counters and comment extensions. By setting "counters" or "comment" to true, then counters or comments are added to the set. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* firewall: update to latest git HEADHans Dedecker2019-08-051-3/+3
| | | | | | de94097 utils: coverity resource leak warning Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest git HEADHans Dedecker2019-01-031-3/+3
| | | | | | | | 70f8785 zones: add zone identifying local traffic in raw OUTPUT chain 6920de7 utils: Free args in __fw3_command_pipe() 6ba9105 options: redirects: Fix possible buffer overflows Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest git HEADHans Dedecker2018-12-091-3/+3
| | | | | | 14589c8 redirects: properly handle src_dport in SNAT rules Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* package/: fix $(PROJECT_GIT) usageJohn Crispin2018-10-111-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* firewall: Install config files as 600Rosen Penev2018-10-111-6/+6
| | | | | | None of the files in firewall are used by non-root. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* firewall: bump to git HEADStijn Tintel2018-08-131-3/+3
| | | | | | | | 12a7cf9 Add support for DSCP matches and target 06fa692 defaults: use a generic check_kmod() function 1c4d5bc defaults: fix check_kmod() function Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* firewall: update to latest git HEADJo-Philipp Wich2018-07-261-3/+3
| | | | | | aa8846b ubus: avoid dumping interface state with NULL message Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall3: update to latest git HEADHans Dedecker2018-07-171-3/+3
| | | | | | d2bbeb7 firewall3: make reject types selectable by user Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: compile with LTO enabledFelix Fietkau2018-07-131-2/+2
| | | | | | Reduces .ipk size on MIPS from 41.6k to 41.1k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* fw3: update to latest git HEADJohn Crispin2018-07-021-3/+3
| | | | | | 72684e5 firewall3: Fix GCC8 warnings by replacing sprintf with snprintf Signed-off-by: John Crispin <john@phrozen.org>
* firewall: update to latest git HEADHans Dedecker2018-05-251-3/+3
| | | | | | | 30463d0 zones: add interface/subnet bound LOG rules 0e77bf2 options: treat time strings as UTC times Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall3: update to latest git HEADJohn Crispin2018-05-141-4/+4
| | | | | | | | b45e162 helpers: fix the set_helper in the rule structure f742ba7 helpers.conf: support also tcp in the CT sip helper 08b2c61 helpers: make the proto field as a list rather than one option Signed-off-by: John Crispin <john@phrozen.org>
* firewall: update to the latest version, adds hw flow offload supportFelix Fietkau2018-04-051-3/+3
| | | | | | 35b3e74 defaults: add support for setting --hw on the xt_FLOWOFFLOAD rule Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall: update to latest git HEADHans Dedecker2018-03-221-3/+3
| | | | | | | | | 5cdf15e helpers.conf: add CT rtsp helper d5923f1 Reword rule comments c1a295a defaults: add support for xt_FLOWOFFLOAD rule 41c2ab5 ipsets: add support for specifying entries Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: bump to git HEADStijn Tintel2018-03-081-3/+5
| | | | | | | | | | | 392811a ubus: let fw3_ubus_address() return the number of resolved addresses 359adcf options: emit an empty address item when resolving networks fails 503db4a zones: disable masq when resolving of all masq_src or masq_dest items failed f50a524 helpers: implement explicit CT helper assignment support a3ef503 zones: allow per-table log control 8ef12cb iptables: fix possible NULL pointer access on constructing rule masks Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* firewall: depend on kmod-nf-conntrack6Matthias Schiffer2018-02-021-2/+2
| | | | | | | | Firewall rules don't work as intended without conntrack support. The recent cleanup removed the kmod-nf-conntrack6 dependency from the iptables modules; add it to the firewall package instead. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* treewide: replace LEDE_GIT with PROJECT_GITJo-Philipp Wich2018-01-101-1/+1
| | | | | | | Remove LEDE_GIT references in favor to the new name-agnostic PROJECT_GIT variable. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to latest git HEADHans Dedecker2017-11-071-3/+3
| | | | | | c430937 ubus: parse the firewall data within the service itself Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: fix stray continue statementJo-Philipp Wich2017-05-271-4/+4
| | | | | | | The previous commit introduced a faulty continue statement which might lead to faulty rules not getting freed or reported. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: extend ubus support, exception handling, parse fixesJo-Philipp Wich2017-05-271-3/+3
| | | | | | | | | | | | | | | | | | | | | | | Update to latest Git HEAD in order to import a number of fixes and other improvements: 3d2c18a options: improve handling of negations when parsing space separated values 0e5dd73 iptables: support -i, -o, -s and -d in option extra 4cb06c7 ubus: increase ubus network interface dump timeout e5dfc82 iptables: add exception handling f625954 firewall3: add check_snat() function 7d3d9dc firewall3: display the section type for UBUS rules 53ef9f1 firewall3: add UBUS support for include scripts 5cd4af4 firewall3: add UBUS support for ipset sections 02d6832 firewall3: add UBUS support for forwarding sections 0a7d36d firewall3: add UBUS support for redirect sections d44f418 firewall3: add fw3_attr_parse_name_type() function e264c8e firewall3: replace warn_rule() by warn_section() 6039c7f firewall3: check the return value of fw3_parse_options() Fixes FS#548, FS#806, FS#811. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to the latest version, fixes a gcc7 build errorFelix Fietkau2017-05-251-3/+3
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall: document rules for IPSec ESP/ISAKMP with 'name' optionYousong Zhou2017-03-282-15/+16
| | | | | | | | | | These are recommended practices by REC-22 and REC-24 of RFC6092: "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service" Fixes FS#640 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* firewall3: update to Git head to support xtables API level > 11Jo-Philipp Wich2017-02-191-3/+3
| | | | Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: fix forwarding local subnet trafficJo-Philipp Wich2017-01-131-3/+3
| | | | | | | | | | | | | Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally, are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow stream with state NEW or UNTRACKED. Remove the ctstate restriction on dest accept chains to properly pass- through unrelated 3rd party traffic. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* treewide: clean up and unify PKG_VERSION for git based downloadsFelix Fietkau2016-12-221-5/+3
| | | | | | Also use default defintions for PKG_SOURCE_SUBDIR, PKG_SOURCE Signed-off-by: Felix Fietkau <nbd@nbd.name>
* treewide: clean up download hashesFelix Fietkau2016-12-161-1/+1
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall3: drop support for automatic NOTRACK rulesJo-Philipp Wich2016-12-141-3/+3
| | | | | | | | | | | | Update to current HEAD in order to drop automatic generation of per-zone NOTRACK rules. The NOTRACK rules used to provide a little performance improvement but the later introduction of the netfilter conntrack cache made those rules largely unnecessary. Additionally, those rules caused various issues which broke stateful firewalling in some scenarios. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to fix FS#31, FS#73, FS#154, FS#248Jo-Philipp Wich2016-11-081-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update to latest Git head in order to import several fixes and enhancements. - Disable drop invalid by default (FS#73, FS#154) Instead of dropping packets with conntrack state INVALID, only allow streams with explicit NEW or UNTRACKED conntrack state. This change gives user defined rules the chance to accept traffic like ICMPv6 multicast which would be filtered away by the very early ctstate INVALID drop rule otherwise. The old behaviour can be restored by explicitely setting "drop_invalid" to 1 in the global firewall config section. - Fix re-initialization of loadable iptables extensions on musl (FS#31) Since musl does not implement actual dlclose() semantics, it is impossible to re-run initializers on subsequent dlopen() calls. The firewall3 executable now intercepts the extension registration calls instead in order to be able to re-call them when needed. This also allowed us to switch to libxtables' builtin extension loader as a positive side-effect. - Fix masquerade rules for multiple negated IP addresses (FS#248) When building MASQUERADE rules for zones which specify multiple negated addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of the masquerading chain instead of creating multiple rules with inverted "-s" arguments. - Tag own rules using comments Instead of relying on the nonstandard xt_id match, use the xt_comment match to mark own rules. Existing comments are prefixed with "!fw3: " while uncommented rules are marked with a sole "!fw3" string. This allows removing the xt_id match entirely in a later commit. - Make missing ubus connection nonfatal Technically, firewall3 is able to operate without ubus just fine as long as the zones are declared using "option device" or "option subnet" instead of "option network" so do not abort execution if ubus could not be connected or of no network namespace is exported in ubus. This allows running firewall3 on ordinary Linux systems. - Fix conntrack requirement detection for indirectly connected zones The current code fails to apply the conntrack requirement flag recursively to zones, leading to stray NOTRACK rules which break conntrack based traffic policing. Change the implementation to iteratively reapply the conntrack fixup logic until no more zones had been changed in order to ensure that all directly and indirectly connected zones receive the conntrack requirement flag. - Add support for iptables 1.6.x Adds support for the xtables version 11 api in order to allow building against iptables 1.6.x Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* source: Switch to xz for packages and tools where possibleDaniel Engberg2016-10-061-1/+2
| | | | | | | | | | | * Change git packages to xz * Update mirror checksums in packages where they are used * Change a few source tarballs to xz if available upstream * Remove unused lines in packages we're touching, requested by jow- and blogic * We're relying more on xz-utils so add official mirror as primary source, master site as secondary. * Add SHA256 checksums to multiple git tarball packages Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* firewall3: update to latest git HEADJohn Crispin2016-07-241-2/+2
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* package/*: update git urls for project reposJohn Crispin2016-06-131-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* firewall3: fix mark rules for local traffic, fix race conditionJo-Philipp Wich2016-05-021-3/+4
| | | | | | | Update to latest HEAD in order to fix MARK rule generation for local traffic, also fix a possible race condition during firewall start. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: drop invalid by default, remove chain indirection, fix invert ↵Jo-Philipp Wich2016-01-291-3/+3
| | | | | | | | | | | | flags (#21738) * Enable drop_invalid by default to catch unnatted packets (#21738) * Fix processing of inversions for -i, -o, -s, -d and -p flags * Remove delegate_* chain indirection but rely on xt_id to identify own rules Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48551
* firewall: add CONFIG_IPV6 to PKG_CONFIG_DEPENDS to fix a rebuild errorFelix Fietkau2016-01-181-0/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48315
* firewall: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48128
* firewall: allow DHCPv6 traffic to/from fc00::/6 instead of fe80::/10Jo-Philipp Wich2015-09-251-2/+2
| | | | | | | | | | There is no RFC requirement that DHCPv6 servers must reply with a link local address and some ISP servers in the wild appear to using addresses in the ULA range to send DHCPv6 offers. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 47048
* firewall: depend on kmod-ipt-conntrack (#20542)Jo-Philipp Wich2015-09-171-1/+1
| | | | | | | | | Our ruleset requires kernel support for conntrack state matching, therfore depend on the require kmod. Fixes #20542. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 46990
* firewall: Remove src_port from firewall.config to receive dhcpv6 repliesSteven Barth2015-09-111-1/+0
| | | | | | | | | | Seems like my second try was again whitespace broken. Sorry for the noise. Remove src_port from firewall.config to receive dhcpv6 replies. Fixes #20295. Signed-off-by: Anselm Eberhardt <a.eberhardt@cygnusnetworks.de> SVN-Revision: 46842
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 09:22:59 +0000