Commit message | Author | Age | Files | Lines
---|---|---|---|---
... | | | | |
firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled (SVN-Revision: 23201) | Jo-Philipp Wich | 2010-10-03 | 1 | -6/+15
firewall: fix chain selection logic, option dest must be ignored for notrack targets (SVN-Revision: 23143) | Jo-Philipp Wich | 2010-09-28 | 1 | -6/+5
firewall: don't setup nat reflection if negations are used (SVN-Revision: 23142) | Jo-Philipp Wich | 2010-09-28 | 1 | -0/+3
firewall: - support negations for src_ip, dest_ip, src_dip options in rules and redirects - add NOTRACK target to rule sections, allows to define fine grained notrack rules (SVN-Revision: 23141) | Jo-Philipp Wich | 2010-09-28 | 4 | -27/+41
firewall: protect iptables invocations with locks in interface ops, it might run concurrently due to hotplug invocations on network restart (SVN-Revision: 23090) | Jo-Philipp Wich | 2010-09-19 | 1 | -0/+4
firewall: make invalid redirects and duplicate zones non-fatal, print a notice and discard them (SVN-Revision: 23080) | Jo-Philipp Wich | 2010-09-16 | 3 | -9/+11
firewall: run ifdown hotplug events synchronized, fixes a race condition on "ifup iface" when ifdown and ifup events are delivered with a small delay (SVN-Revision: 23064) | Jo-Philipp Wich | 2010-09-15 | 2 | -9/+7
firewall: deliver remove hotplug events for all active zones/networks when restarting the firewall (SVN-Revision: 23062) | Jo-Philipp Wich | 2010-09-14 | 2 | -2/+41
firewall: - simplify masquerade rule setup - remove various subshell invocations - speedup fw() by not relying on xargs and pipes - rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source (SVN-Revision: 23024) | Jo-Philipp Wich | 2010-09-11 | 6 | -93/+113
firewall: - fix possible endless loop when the family option is used for forwardings - only generate forwarding rules in SNAT redirect sections if src_dip is specified (SVN-Revision: 22938) | Jo-Philipp Wich | 2010-09-05 | 2 | -4/+6
firewall: introduce SNAT support for redirect sections (SVN-Revision: 22937) | Jo-Philipp Wich | 2010-09-05 | 2 | -3/+18
firewall: add option to disable NAT reflection (SVN-Revision: 22908) | Jo-Philipp Wich | 2010-09-04 | 1 | -0/+4
firewall: - handle NAT reflection in firewall hotplug, solves synchronizing issues on boot - introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation (SVN-Revision: 22888) | Jo-Philipp Wich | 2010-09-04 | 3 | -6/+30
firewall: - fix processing of rules with an ip family option - append interface rules at the end of internal zone chains, simplifies injecting user or addon rules - support simple file logging (option log + option log_limit per zone) (SVN-Revision: 22847) | Jo-Philipp Wich | 2010-08-31 | 3 | -41/+62
firewall: fix nat reflection for zones covering multiple networks (SVN-Revision: 22442) | Jo-Philipp Wich | 2010-07-31 | 1 | -34/+56
firewall: add basic NAT reflection/NAT loopback support (SVN-Revision: 22441) | Jo-Philipp Wich | 2010-07-31 | 1 | -0/+79
firewall: allow redirecting only destination port (#7197) (SVN-Revision: 22227) | Jo-Philipp Wich | 2010-07-16 | 1 | -2/+3
firewall: fix another notrack related bug (SVN-Revision: 22218) | Jo-Philipp Wich | 2010-07-15 | 1 | -1/+1
firewall: - notrack support was broken in multiple ways, fix it - also consider a zone conntracked if any redirect references it (#7196) (SVN-Revision: 22215) | Jo-Philipp Wich | 2010-07-15 | 4 | -8/+10
firewall: - support alias ifnames different from parent ifname - properly handle multiple subnets per alias (v4+v6) (SVN-Revision: 21656) | Jo-Philipp Wich | 2010-06-02 | 1 | -10/+23
firewall: Initial alias interface support. This allows to define zones covering alias interfaces and associated entries like rules and forwardings. (SVN-Revision: 21653) | Jo-Philipp Wich | 2010-06-01 | 2 | -28/+85
firewall: change the order of IPv4/IPv6 address detection, fixes mixed notation v6 improperly detected as v4 address (SVN-Revision: 21642) | Jo-Philipp Wich | 2010-05-31 | 2 | -2/+2
firewall: fix support for netranges in redirect and rule sections (SVN-Revision: 21640) | Jo-Philipp Wich | 2010-05-30 | 3 | -7/+7
firewall: count rules per chain and family, fix wrong order of ip6tables rules when ipv4 only or dual family rules are defined (SVN-Revision: 21533) | Jo-Philipp Wich | 2010-05-22 | 1 | -4/+4
firewall: don't apply default udp/68 rule to ip6tables (SVN-Revision: 21509) | Jo-Philipp Wich | 2010-05-19 | 1 | -0/+1
firewall: - fix ip6tables rules when icmp_type option is set - add "family" option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables (SVN-Revision: 21508) | Jo-Philipp Wich | 2010-05-19 | 6 | -40/+104
firewall: add commented disable_ipv6 option to default config (SVN-Revision: 21505) | Jo-Philipp Wich | 2010-05-19 | 1 | -0/+2
firewall: implement disable_ipv6 uci option (SVN-Revision: 21503) | Jo-Philipp Wich | 2010-05-19 | 2 | -5/+11
firewall (#7355) - partially revert r21486, start firewall on init again - skip iface hotplug events if base fw is not up yet - get ifname and up state with uci_get_state() in iface setup since the values gathered by scan_interfaces() may be outdated when iface coldplugging happens (observed with pptp) - ignore up state when bringing down interfaces because ifdown reverts state vars before dispatching the iface event - bump package revision (SVN-Revision: 21502) | Jo-Philipp Wich | 2010-05-19 | 4 | -26/+11
firewall: fix a possible deadlock when the firewall config has syntax errors during restart (SVN-Revision: 21501) | Jo-Philipp Wich | 2010-05-18 | 1 | -2/+4
firewall: use uci_get_state() wrapper (SVN-Revision: 21493) | Jo-Philipp Wich | 2010-05-17 | 1 | -1/+1
firewall: properly clear hooks in fw_stop() to prevent extensions from being called twice after fw_restart() (SVN-Revision: 21488) | Jo-Philipp Wich | 2010-05-17 | 1 | -1/+8
firewall: - defer firewall start until the first interface is brought up by hotplug, fixes race conditions on slow devices - create a file lock during firewall start and wait for it in hotplug events, prevents race conditions between start and addif - start firewall actions in background from hotplug handler since the firewall itself fires further hotplug events which results in a deadlock if not forked off - get loaded state directly from the uci binary since updated value is not recognized by config_get after uci_set_state - bump package revision to r2 (SVN-Revision: 21486) | Jo-Philipp Wich | 2010-05-17 | 3 | -6/+20
firewall: properly unset position for delete command, fixes rule removal in ifdown (SVN-Revision: 21378) | Jo-Philipp Wich | 2010-05-05 | 1 | -2/+2
firewall: fix bug in iface hotplug handler (SVN-Revision: 21360) | Jo-Philipp Wich | 2010-05-05 | 1 | -1/+1
firewall: - replace uci firewall with a modular dual stack implementation developed by Malte S. Stretz - bump version to 2 (SVN-Revision: 21286) | Jo-Philipp Wich | 2010-05-01 | 14 | -539/+1016
allow ping (SVN-Revision: 20261) | Travis Kemen | 2010-03-18 | 1 | -0/+7
firewall: insert rules at the beginning of chains again while maintaining non reversed order, fixes wrong ordering introduced by r18015 (SVN-Revision: 19946) | Jo-Philipp Wich | 2010-03-02 | 1 | -1/+4
firewall: fix bad number error in fw_redirect() (#6704) (SVN-Revision: 19765) | Jo-Philipp Wich | 2010-02-20 | 1 | -3/+3
Add destination ip of the wan adapter useful if you have multiple ip addresses. (SVN-Revision: 19574) | Travis Kemen | 2010-02-11 | 1 | -0/+2
firewall: fix a race condition preventing interfaces from being added to the firewall on boot (SVN-Revision: 19232) | Jo-Philipp Wich | 2010-01-19 | 1 | -2/+6
firewall: fix fallout from r18716 (fixes #6338) (SVN-Revision: 18733) | Felix Fietkau | 2009-12-10 | 1 | -1/+3
firewall: get rid of recursive shell script inclusion to improve hush compatibility (SVN-Revision: 18716) | Felix Fietkau | 2009-12-09 | 2 | -37/+46
firewall: initialize dest_port with src_dport if omitted in redirect sections to narrow down corresponding forward rules to the actual target ports - thanks Niels Boehm! (#6249) (SVN-Revision: 18617) | Jo-Philipp Wich | 2009-12-01 | 1 | -21/+21
firewall: fix zone defaults (SVN-Revision: 18028) | Felix Fietkau | 2009-10-11 | 1 | -2/+19
firewall: do not process rules in reverse (SVN-Revision: 18015) | Felix Fietkau | 2009-10-10 | 1 | -1/+1
firewall: fix MSS issue affecting RELATED new connections (closes: #5173) (SVN-Revision: 17762) | Nicolas Thill | 2009-09-27 | 2 | -4/+4
firewall: add sanity checks to zone default rules (patch from #5459) (SVN-Revision: 17713) | Felix Fietkau | 2009-09-24 | 1 | -3/+3
firewall: move the config_get out of the loop, no need to call it multiple times (SVN-Revision: 17581) | Jo-Philipp Wich | 2009-09-14 | 1 | -2/+3
firewall: properly dispatch delif events if the network has a different name than the corresponding zone (SVN-Revision: 17580) | Jo-Philipp Wich | 2009-09-14 | 1 | -1/+1