aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/config/firewall
Commit message (Collapse)AuthorAgeFilesLines
* firewall: fix stray continue statementJo-Philipp Wich2017-05-271-4/+4
| | | | | | | The previous commit introduced a faulty continue statement which might lead to faulty rules not getting freed or reported. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: extend ubus support, exception handling, parse fixesJo-Philipp Wich2017-05-271-3/+3
| | | | | | | | | | | | | | | | | | | | | | | Update to latest Git HEAD in order to import a number of fixes and other improvements: 3d2c18a options: improve handling of negations when parsing space separated values 0e5dd73 iptables: support -i, -o, -s and -d in option extra 4cb06c7 ubus: increase ubus network interface dump timeout e5dfc82 iptables: add exception handling f625954 firewall3: add check_snat() function 7d3d9dc firewall3: display the section type for UBUS rules 53ef9f1 firewall3: add UBUS support for include scripts 5cd4af4 firewall3: add UBUS support for ipset sections 02d6832 firewall3: add UBUS support for forwarding sections 0a7d36d firewall3: add UBUS support for redirect sections d44f418 firewall3: add fw3_attr_parse_name_type() function e264c8e firewall3: replace warn_rule() by warn_section() 6039c7f firewall3: check the return value of fw3_parse_options() Fixes FS#548, FS#806, FS#811. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to the latest version, fixes a gcc7 build errorFelix Fietkau2017-05-251-3/+3
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall: document rules for IPSec ESP/ISAKMP with 'name' optionYousong Zhou2017-03-282-15/+16
| | | | | | | | | | These are recommended practices by REC-22 and REC-24 of RFC6092: "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service" Fixes FS#640 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* firewall3: update to Git head to support xtables API level > 11Jo-Philipp Wich2017-02-191-3/+3
| | | | Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: fix forwarding local subnet trafficJo-Philipp Wich2017-01-131-3/+3
| | | | | | | | | | | | | Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally, are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow stream with state NEW or UNTRACKED. Remove the ctstate restriction on dest accept chains to properly pass- through unrelated 3rd party traffic. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* treewide: clean up and unify PKG_VERSION for git based downloadsFelix Fietkau2016-12-221-5/+3
| | | | | | Also use default defintions for PKG_SOURCE_SUBDIR, PKG_SOURCE Signed-off-by: Felix Fietkau <nbd@nbd.name>
* treewide: clean up download hashesFelix Fietkau2016-12-161-1/+1
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall3: drop support for automatic NOTRACK rulesJo-Philipp Wich2016-12-141-3/+3
| | | | | | | | | | | | Update to current HEAD in order to drop automatic generation of per-zone NOTRACK rules. The NOTRACK rules used to provide a little performance improvement but the later introduction of the netfilter conntrack cache made those rules largely unnecessary. Additionally, those rules caused various issues which broke stateful firewalling in some scenarios. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to fix FS#31, FS#73, FS#154, FS#248Jo-Philipp Wich2016-11-081-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update to latest Git head in order to import several fixes and enhancements. - Disable drop invalid by default (FS#73, FS#154) Instead of dropping packets with conntrack state INVALID, only allow streams with explicit NEW or UNTRACKED conntrack state. This change gives user defined rules the chance to accept traffic like ICMPv6 multicast which would be filtered away by the very early ctstate INVALID drop rule otherwise. The old behaviour can be restored by explicitely setting "drop_invalid" to 1 in the global firewall config section. - Fix re-initialization of loadable iptables extensions on musl (FS#31) Since musl does not implement actual dlclose() semantics, it is impossible to re-run initializers on subsequent dlopen() calls. The firewall3 executable now intercepts the extension registration calls instead in order to be able to re-call them when needed. This also allowed us to switch to libxtables' builtin extension loader as a positive side-effect. - Fix masquerade rules for multiple negated IP addresses (FS#248) When building MASQUERADE rules for zones which specify multiple negated addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of the masquerading chain instead of creating multiple rules with inverted "-s" arguments. - Tag own rules using comments Instead of relying on the nonstandard xt_id match, use the xt_comment match to mark own rules. Existing comments are prefixed with "!fw3: " while uncommented rules are marked with a sole "!fw3" string. This allows removing the xt_id match entirely in a later commit. - Make missing ubus connection nonfatal Technically, firewall3 is able to operate without ubus just fine as long as the zones are declared using "option device" or "option subnet" instead of "option network" so do not abort execution if ubus could not be connected or of no network namespace is exported in ubus. This allows running firewall3 on ordinary Linux systems. - Fix conntrack requirement detection for indirectly connected zones The current code fails to apply the conntrack requirement flag recursively to zones, leading to stray NOTRACK rules which break conntrack based traffic policing. Change the implementation to iteratively reapply the conntrack fixup logic until no more zones had been changed in order to ensure that all directly and indirectly connected zones receive the conntrack requirement flag. - Add support for iptables 1.6.x Adds support for the xtables version 11 api in order to allow building against iptables 1.6.x Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* source: Switch to xz for packages and tools where possibleDaniel Engberg2016-10-061-1/+2
| | | | | | | | | | | * Change git packages to xz * Update mirror checksums in packages where they are used * Change a few source tarballs to xz if available upstream * Remove unused lines in packages we're touching, requested by jow- and blogic * We're relying more on xz-utils so add official mirror as primary source, master site as secondary. * Add SHA256 checksums to multiple git tarball packages Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* firewall3: update to latest git HEADJohn Crispin2016-07-241-2/+2
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* package/*: update git urls for project reposJohn Crispin2016-06-131-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* firewall3: fix mark rules for local traffic, fix race conditionJo-Philipp Wich2016-05-021-3/+4
| | | | | | | Update to latest HEAD in order to fix MARK rule generation for local traffic, also fix a possible race condition during firewall start. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: drop invalid by default, remove chain indirection, fix invert ↵Jo-Philipp Wich2016-01-291-3/+3
| | | | | | | | | | | | flags (#21738) * Enable drop_invalid by default to catch unnatted packets (#21738) * Fix processing of inversions for -i, -o, -s, -d and -p flags * Remove delegate_* chain indirection but rely on xt_id to identify own rules Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48551
* firewall: add CONFIG_IPV6 to PKG_CONFIG_DEPENDS to fix a rebuild errorFelix Fietkau2016-01-181-0/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48315
* firewall: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48128
* firewall: allow DHCPv6 traffic to/from fc00::/6 instead of fe80::/10Jo-Philipp Wich2015-09-251-2/+2
| | | | | | | | | | There is no RFC requirement that DHCPv6 servers must reply with a link local address and some ISP servers in the wild appear to using addresses in the ULA range to send DHCPv6 offers. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 47048
* firewall: depend on kmod-ipt-conntrack (#20542)Jo-Philipp Wich2015-09-171-1/+1
| | | | | | | | | Our ruleset requires kernel support for conntrack state matching, therfore depend on the require kmod. Fixes #20542. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 46990
* firewall: Remove src_port from firewall.config to receive dhcpv6 repliesSteven Barth2015-09-111-1/+0
| | | | | | | | | | Seems like my second try was again whitespace broken. Sorry for the noise. Remove src_port from firewall.config to receive dhcpv6 replies. Fixes #20295. Signed-off-by: Anselm Eberhardt <a.eberhardt@cygnusnetworks.de> SVN-Revision: 46842
* firewall: fix typo in ESP ruleSteven Barth2015-07-272-2/+2
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46506
* firewall: comply with REC-22, REC-24 of RFC 6092Steven Barth2015-07-242-13/+12
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46478
* firewall: link iptables extensions dynamicallyJo-Philipp Wich2015-05-261-7/+2
| | | | | | | | | | | | | | Use shared libipt{,4,6}ext.so libraries instead of statically linking the userspace matches into the fw3 executable. As a side effect the match initialization is extremely simplified compared to the weak function pointer juggling performed before. This also fixes the initialization of the multiport match. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 45764
* firewall: Allow IGMP and MLD input on WANSteven Barth2015-05-051-0/+19
| | | | | | | | | | | | The WAN port should at least respond to IGMP and MLD queries as otherwise a snooping bridge/switch might drop traffic. RFC4890 recommends to leave IGMP and MLD unfiltered as they are always link-scoped anyways. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> SVN-Revision: 45613
* firewall: fix some more null-pointer accessesSteven Barth2015-02-261-2/+2
| | | | | | | | thanks to Hans Dedecker Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 44540
* firewall: respect src_dip option for reflection (#18544)Jo-Philipp Wich2015-01-081-3/+3
| | | | | | | | Also fix wrong IPv4 netmask calculation on x86-64, thanks Ulrich Weber. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 43874
* license info - revert r43155John Crispin2014-11-031-2/+0
| | | | | | | | turns out that r43155 adds duplicate info. Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 43167
* Add more license tags with SPDX identifiersJohn Crispin2014-11-031-0/+2
| | | | | | | | | | | | | | | | | | Note, that licensing stuff is a nightmare: many packages does not clearly state their licenses, and often multiple source files are simply copied together - each with different licensing information in the file headers. I tried hard to ensure, that the license information extracted into the OpenWRT's makefiles fit the "spirit" of the packages, e.g. such small packages which come without a dedicated source archive "inherites" the OpenWRT's own license in my opinion. However, I can not garantee that I always picked the correct information and/or did not miss license information. Signed-off-by: Michael Heimpold <mhei@heimpold.de> SVN-Revision: 43155
* Add a few SPDX tagsSteven Barth2014-11-021-0/+1
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 43151
* firewall: allow '*' as synonym for any / all in family and proto optionsJo-Philipp Wich2014-09-191-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42620
* firewall: fix heap corruption in fw3_bitlen2netmask() with IPv6 addressesJo-Philipp Wich2014-09-181-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42610
* firewall: fix invalid memory access when processing /128 IPv6 addresses from ↵Jo-Philipp Wich2014-09-171-2/+2
| | | | | | | | ubus, properly emit REDIRECT rules for local port forwards Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42604
* package/*: remove useless explicit set of function returncodeJohn Crispin2014-08-251-4/+0
| | | | | | | | | | | | | | | | | | | | | | somebody started to set a function returncode in the validation stuff and everybody copies it, e.g. myfunction() { fire_command return $? } a function automatically returns with the last returncode, so we can safely remove the command 'return $?'. reference: http://tldp.org/LDP/abs/html/exit-status.html "The last command executed in the function or script determines the exit status." Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com> SVN-Revision: 42278
* firewall: the firewall did not start properly on bootJohn Crispin2014-08-211-1/+1
| | | | | | | | https://dev.openwrt.org/ticket/17593 Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 42233
* firewall: fix potential NULL pointer accessJo-Philipp Wich2014-08-111-2/+2
| | | | | | | | Properly skip struct ifaddr entries with NULL ifa_addr, thanks Kostas Papadopoulos for reporting. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42138
* firewall: implement selective conntrack flushing (#10225)Jo-Philipp Wich2014-08-111-2/+2
| | | | | | | | | | Utilize the new selective conntrack flushing facility to clear out active conntrack entries referring to old IP addresses after a firewall reload. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42114
* firewall: implement support for abritary netmasksJo-Philipp Wich2014-07-191-2/+2
| | | | | | | | | | | Properly parse and pass arbritary netmasks to iptables, this allows specifying ranges like '::c23f:eff:fe7a:a094/::ffff:ffff:ffff:ffff' to match the host part of an IPv6 address regardless of the currently active IPv6 prefix. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 41760
* firewall: fix segfault introduced by latest updateJo-Philipp Wich2014-07-101-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 41558
* firewall: fix regressions introduced after latest ubus reworkJo-Philipp Wich2014-07-101-2/+2
| | | | | | | | | | The commit 92281eb747b56e748b7c3d754055919c23befdd4 broke fw3_ubus_addresses() so that no addresses where returned at all, this caused fw3 to not emit NAT reflection rules anymore. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 41556
* firewall: fix issue with parsing network optionsJo-Philipp Wich2014-07-031-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 41491
* firewall: update to the latest version, adds support for fetching firewall ↵Felix Fietkau2014-07-021-2/+2
| | | | | | | | rules from procd Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 41480
* firewall3: add fw3 zone function to enumerate devicesSteven Barth2014-06-261-2/+2
| | | | SVN-Revision: 41349
* firewall: add support for nat-rules and netifd-proto-originating rulesSteven Barth2014-04-141-2/+2
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 40510
* firewall: update to latest version, fixes a musl build errorFelix Fietkau2014-03-201-2/+2
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 39965
* firewall: fix validation constraintsJo-Philipp Wich2014-02-211-8/+8
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 39649
* firewall: fix several ipset integration issues (#15016)Jo-Philipp Wich2014-02-201-3/+3
| | | | | | | | | | | - Do not consider bitmap storage for IPv6 family sets - Move ipset family parameter before any additional option - Only emit family parameter for hash sets - Do not allow IPv6 iprange for IPv4 sets and vice versa Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 39647
* firewall3: update init.d script to make use of procdJohn Crispin2014-02-181-9/+49
| | | | | | | | add validation data Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 39617
* firewall: don't reload if there were no address or data changesSteven Barth2014-01-191-0/+1
| | | | | | | This fixes packet loss due to reloading firewall every minute with IPv6 implementation of certain ISPs. SVN-Revision: 39332
* firewall: improve logging in hotplug scriptJohn Crispin2014-01-151-1/+1
| | | | | | Signed-off-by: Nathan Hintz <nlhintz@hotmail.com> SVN-Revision: 39300
* firewall: fix handling of tcp_ecn parameterJo-Philipp Wich2013-12-171-2/+2
| | | | | | | | | | | The firewall3 implementation as well as the shell implementation predating it used to process the tcp_ecnoption as boolean while it actually is an integer. Change the code to parse tcp_ecn as integer. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 39122