aboutsummaryrefslogtreecommitdiffstats
path: root/package/firewall/files
Commit message (Collapse)AuthorAgeFilesLines
...
* firewall: also establish forward rules when setting up nat reflection, back ↵Jo-Philipp Wich2010-10-031-6/+15
| | | | | | out early if reflection is disabled SVN-Revision: 23201
* firewall: fix chain selection logic, option dest must be ignored for notrack ↵Jo-Philipp Wich2010-09-281-6/+5
| | | | | | targets SVN-Revision: 23143
* firewall: don't setup nat reflection if negations are usedJo-Philipp Wich2010-09-281-0/+3
| | | | SVN-Revision: 23142
* fireall: - support negations for src_ip, dest_ip, src_dip options in rules ↵Jo-Philipp Wich2010-09-284-27/+41
| | | | | | and redirects - add NOTRACK target to rule sections, allows to define fine grained notrack rules SVN-Revision: 23141
* firewall: protect iptables invocations with locks in interface ops, it might ↵Jo-Philipp Wich2010-09-191-0/+4
| | | | | | run concurrently due to hotplug invocations on network restart SVN-Revision: 23090
* firewall: make invalid redirects and duplicate zones non-fatal, print a ↵Jo-Philipp Wich2010-09-163-9/+11
| | | | | | notice and discard them SVN-Revision: 23080
* firewall: run ifdown hotplug events synchronized, fixes a racecondition on ↵Jo-Philipp Wich2010-09-152-9/+7
| | | | | | "ifup iface" when ifdown and ifup events are delivered with a small dealy SVN-Revision: 23064
* firewall: deliver remove hotplug events for all active zones/networks when ↵Jo-Philipp Wich2010-09-142-2/+41
| | | | | | restarting the firewall SVN-Revision: 23062
* firewall: - simplify masquerade rule setup - remove various subshell ↵Jo-Philipp Wich2010-09-116-93/+113
| | | | | | invocations - speedup fw() by not relying on xargs and pipes - rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source SVN-Revision: 23024
* firewall: - fix possible endless loop when the family option is used for ↵Jo-Philipp Wich2010-09-052-4/+6
| | | | | | forwardings - only generate forwarding rules in SNAT redirect sections if src_dip is specified SVN-Revision: 22938
* firewall: introduce SNAT support for redirect sectionsJo-Philipp Wich2010-09-052-3/+18
| | | | SVN-Revision: 22937
* firewall: add option to disable NAT reflectionJo-Philipp Wich2010-09-041-0/+4
| | | | SVN-Revision: 22908
* firewall: - handle NAT reflection in firewall hotplug, solves synchronizing ↵Jo-Philipp Wich2010-09-043-6/+30
| | | | | | issues on boot - introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation SVN-Revision: 22888
* firewall: - fix processing of rules with an ip family option - append ↵Jo-Philipp Wich2010-08-313-41/+62
| | | | | | interface rules at the end of internal zone chains, simplifies injecting user or addon rules - support simple file logging (option log + option log_limit per zone) SVN-Revision: 22847
* firwall: fix nat reflection for zones covering multiple networksJo-Philipp Wich2010-07-311-34/+56
| | | | SVN-Revision: 22442
* firewall: add basic NAT reflection/NAT loopback supportJo-Philipp Wich2010-07-311-0/+79
| | | | SVN-Revision: 22441
* firewall: allow redirecting only destination port (#7197)Jo-Philipp Wich2010-07-161-2/+3
| | | | SVN-Revision: 22227
* firewall: fix another notrack related bugJo-Philipp Wich2010-07-151-1/+1
| | | | SVN-Revision: 22218
* firewall: - notrack support was broken in multiple ways, fix it - also ↵Jo-Philipp Wich2010-07-154-8/+10
| | | | | | consider a zone conntracked if any redirect references it (#7196) SVN-Revision: 22215
* firewall: - support alias ifnames different from parent ifname - properly ↵Jo-Philipp Wich2010-06-021-10/+23
| | | | | | handle multiple subnets per alias (v4+v6) SVN-Revision: 21656
* firewall: Initial alias interface support. This allows to define zones ↵Jo-Philipp Wich2010-06-012-28/+85
| | | | | | covering alias interfaces and associated entries like rules and forwardings. SVN-Revision: 21653
* firewall: change the order of IPv4/IPv6 address detection, fixes mixed ↵Jo-Philipp Wich2010-05-312-2/+2
| | | | | | notation v6 improperly detected as v4 address SVN-Revision: 21642
* firewall: fix support for netranges in redirect and rule sectionsJo-Philipp Wich2010-05-303-7/+7
| | | | SVN-Revision: 21640
* firewall: count rules per chain and family, fix wrong order of ip6tables ↵Jo-Philipp Wich2010-05-221-4/+4
| | | | | | rules when ipv4 only or dual family rules are defined SVN-Revision: 21533
* firewall: don't apply default udp/68 rule to ip6tablesJo-Philipp Wich2010-05-191-0/+1
| | | | SVN-Revision: 21509
* firewall: - fix ip6tables rules when icmp_type option is set - add "family" ↵Jo-Philipp Wich2010-05-196-40/+104
| | | | | | option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables SVN-Revision: 21508
* firewall: add commented disable_ipv6 option to default configJo-Philipp Wich2010-05-191-0/+2
| | | | SVN-Revision: 21505
* firewall: implement disable_ipv6 uci optionJo-Philipp Wich2010-05-192-5/+11
| | | | SVN-Revision: 21503
* firewall (#7355) - partially revert r21486, start firewall on init again - ↵Jo-Philipp Wich2010-05-194-26/+11
| | | | | | skip iface hotplug events if base fw is not up yet - get ifname and up state with uci_get_state() in iface setup since the values gathered by scan_interfaces() may be outdated when iface coldplugging happens (observed with pptp) - ignore up state when bringing down interfaces because ifdown reverts state vars before dispatching the iface event - bump package revision SVN-Revision: 21502
* firewall: fix a possible deadlock when the firewall config has syntax errors ↵Jo-Philipp Wich2010-05-181-2/+4
| | | | | | during restart SVN-Revision: 21501
* firewall: use uci_get_state() wrapperJo-Philipp Wich2010-05-171-1/+1
| | | | SVN-Revision: 21493
* firewall: properly clear hooks in fw_stop() to prevent extensions from being ↵Jo-Philipp Wich2010-05-171-1/+8
| | | | | | called twice after fw_restart() SVN-Revision: 21488
* firewall: - defer firewall start until the first interface is brought up by ↵Jo-Philipp Wich2010-05-173-6/+20
| | | | | | hotplug, fixes race conditions on slow devices - create a file lock during firewall start and wait for it in hotplug events, prevents race conditions between start and addif - start firewall actions in background from hotplug handler since the firewall itself fires further hotplug events which results in a deadlock if not forked off - get loaded state direcly from the uci binary since updated value is not recognized by config_get after uci_set_state - bump package revision to r2 SVN-Revision: 21486
* firewall: properly unset position for delete command, fixes rule removal in ↵Jo-Philipp Wich2010-05-051-2/+2
| | | | | | ifdown SVN-Revision: 21378
* firewall: fix bug in iface hotplug handlerJo-Philipp Wich2010-05-051-1/+1
| | | | SVN-Revision: 21360
* firewall: - replace uci firewall with a modular dual stack implementation ↵Jo-Philipp Wich2010-05-0114-539/+1016
| | | | | | developed by Malte S. Stretz - bump version to 2 SVN-Revision: 21286
* allow pingTravis Kemen2010-03-181-0/+7
| | | | SVN-Revision: 20261
* firewall: insert rules at the beginning of chains again while maintaining ↵Jo-Philipp Wich2010-03-021-1/+4
| | | | | | non reversed order, fixes wrong ordering introduced by r18015 SVN-Revision: 19946
* firewall: fix bad number error in fw_redirect() (#6704)Jo-Philipp Wich2010-02-201-3/+3
| | | | SVN-Revision: 19765
* Add destination ip of the wan adapter useful if you have multiple ip addresses.Travis Kemen2010-02-111-0/+2
| | | | SVN-Revision: 19574
* firewall: fix a race condition preventing interfaces from being added to the ↵Jo-Philipp Wich2010-01-191-2/+6
| | | | | | firewall on boot SVN-Revision: 19232
* firewall: fix fallout from r18716 (fixes #6338)Felix Fietkau2009-12-101-1/+3
| | | | SVN-Revision: 18733
* firewall: get rid of recursive shell script inclusion to improve hush ↵Felix Fietkau2009-12-092-37/+46
| | | | | | compatibility SVN-Revision: 18716
* firewall: initialize dest_port with src_dport if omitted in redirect ↵Jo-Philipp Wich2009-12-011-21/+21
| | | | | | sections to narrow down corresponding forward rules to the actual target ports - thanks Niels Boehm! (#6249) SVN-Revision: 18617
* firewall: fix zone defaultsFelix Fietkau2009-10-111-2/+19
| | | | SVN-Revision: 18028
* firewall: do not process rules in reverseFelix Fietkau2009-10-101-1/+1
| | | | SVN-Revision: 18015
* firewall: fix MSS issue affection RELATED new connections (closes: #5173)Nicolas Thill2009-09-272-4/+4
| | | | SVN-Revision: 17762
* firewall: add sanity checks to zone default rules (patch from #5459)Felix Fietkau2009-09-241-3/+3
| | | | SVN-Revision: 17713
* firewall: move the config_get out of the loop, no need to call it multiple timesJo-Philipp Wich2009-09-141-2/+3
| | | | SVN-Revision: 17581
* firewall: properly dispatch delif events if the network has a different name ↵Jo-Philipp Wich2009-09-141-1/+1
| | | | | | then the corresponding zone SVN-Revision: 17580