Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
The field proto in the struct fw3_cthelper should be implemented
as a list in order to support multiple protocols.
For example, the helper for SIP should be able to support both
TCP and UDP within only one entry in the config file.

    config helper
        option name 'sip'
        option description 'SIP VoIP connection tracking'
        option module 'nf_conntrack_sip'
        option family 'any'
        option proto 'tcpudp'
        option port '5060'

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Enables hardware offload support where supported
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add rtsp conntrack helper listening on IPv4 tcp port 554
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Reword various rule comments to be more explicit and also annotate the flow
offloading rule while we're at it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new defaults section option "flow_offloading" which,
when enabled, causes fw3 to emit a -j FLOWOFFLOAD rule in the
forwarding chain.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce a new list option "entry" which can be used to specify entries
to add to the ipset, e.g.

    config ipset
        option name test
        ...
        list entry 1.2.3.4,8080
        list entry 5.6.7.8,8081

Also introduce a new option "loadfile" which refers to an external file
containing set entries to add, with one item per line.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Due to a misplaced parenthesis, rule_mask() may try to access
r->target->userspacesize through a r->target NULL pointer.
Fix this problem by correcting the parenthesis placement in the memset
expression, using the originally intended operator precedence.
Spotted in the cz.nic fork of firewall3.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When enabling logging for a zone, logging is enabled in the filter and
mangle tables. The log rule in the mangle table enables mtu_fix logging,
which has the tendency to flood logs. Allow per-table log control by
making the log boolean a bit field that can be used to enable logging
in the filter and/or mangle tables.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Implement support for explicit per-zone conntrack helper assignment in
the raw table in order to compensate for the now disabled automatic
helper assignment in recent Linux kernels.
This commit adds, along with the required infrastructure, a new per-
zone uci option "helper" which can be used to tie one or more CT helpers
to a given zone.
For example the following configuration:

    config zone
        option name lan
        option network lan
        list helper ftp
        list helper sip

... will assign the FTP and SIP conntrack helpers as specified in
/usr/share/fw3/helpers.conf to traffic originating from the LAN zone.
Additionally, a new boolean option "auto_helper" has been defined for
both "config defaults" and "config zone" sections, with the former
option overruling the latter.
When the default true "option auto_helper" is set, all available helpers
are automatically attached to each non-masq zone (i.e. "lan" by default).
When one or more "list helper" options are specified, the zone has
masquerading enabled or "auto_helper" is set to false, then the automatic
helper attachment is disabled for the corresponding zone.
Furthermore, this commit introduces support for a new 'HELPER' target in
"config rule" sections, along with "option helper" to match helper traffic
and "option set_helper" to assign CT helpers to a stream.
Finally, "config redirect" sections support "option helper" too now,
which causes fw3 to emit helper setting rules for forwarded DNAT traffic.
When "option helper" is not defined for a redirect and when the global
option "auto_helper" is not disabled, fw3 will pick a suitable helper
based on the destination protocol and port and assign it to DNATed traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Avoid generating 0.0.0.0/0 masquerade rules when resolving the
corresponding symbolic masq_src or masq_dest value failed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Adjust fw3_parse_network() to emit an empty address item with
.set = false, .resolved = true when we failed to resolve the network
name into any ip address.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Change fw3_ubus_address() to return the number of addresses resolved from
the given network name; this will be required to handle failed resolving
in higher layers later on.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It gives the ability to create firewall rules within the service
itself and independently of the instances.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
The continue statement was mistakenly copy-pasted from other error
handling code.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Improve the space separated list parser to interpret "val1 ! val2"
as ("val1", "!val2") instead of ("val1", "!", "val2").
This corrects parsing of sections like ...

    config rule
        option sec_ip '! 1.1.1.0/24'

... which previously errored out with:

    Warning: Option @rule[0].src_ip has invalid value '!'

Fixes FS#806.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Allow "option extra" to specify "-i", "-o", "-s" and "-d" arguments which
previously caused rules to get rejected with "Bad argument" errors.
Partially fixes FS#806.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When netifd is being stressed (e.g. doing reconfig using multiple interfaces)
ubus timeouts can be observed when invoking network interface dump.
Increase the ubus timeout to 2000 msec similar to the service ubus timeout.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Override libxtables standard error handler to not exit the program but to
longjmp() back to error handling code which is simply skipping the rule.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The snat rule check is done by a function to avoid walking
through the list twice.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
It gives the ability to display the section type for
rules pushed via procd services and netifd interface
firewall data.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
It gives the ability to include scripts via procd
services and netifd interface firewall data.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
It gives the ability to create ipset rules via procd
services and netifd interface firewall data.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
It gives the ability to create forward rules via procd
services and netifd interface firewall data.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
It gives the ability to create redirect rules via
procd services and netifd interface firewall data.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Move the name and type parsing out of the rule file
in order to make it reusable by others.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Replace the wan_rule() by warn_section() in order to
make it reusable by the other section type.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
The return value of fw3_parse_options() should be checked.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Fixes build error with older gcc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Install conntrack state invalid drop rules to catch outgoing, un-natted
traffic in zones with enabled masquerading.
Also introduce a new option "masq_allow_invalid" to inhibit these new
drop rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Commit e678dcb "Add support for netifd-generated rules" broke the UCI
context reporting for rule warnings. Refactor the code to restore this
functionality.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Lookup of iface_name and iface_proto in the json data was switched
in fw3_ubus_rules.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The --utc parameter is deprecated and UTC times are the default now.
To achieve local time, the --kerneltz param has to be passed instead,
so invert the logic and swap --utc with --kerneltz.
Fixes #548.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow streams with state NEW
or UNTRACKED.
Remove the ctstate restriction on dest accept chains to properly pass
through unrelated 3rd party traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
With recent Kernel versions and the introduction of the conntrack routing
cache there is no need to maintain performance hacks in userspace anymore,
so simply drop the generation of automatic -j CT --notrack rules for zones.
This also fixes some cases where traffic is not matched for zones that do
not explicitly enforce connection tracking.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In the following topology:

    config zone
        option name A

    config zone
        option name B

    config zone
        option name C
        option conntrack 1

    config forwarding
        option src A
        option dest B

    config forwarding
        option src A
        option dest C

... the conntrack flag needs to be propagated into both zones A and B as well.
Since A is connected with C, A will inherit C's conntrack requirement which
means that B will need to inherit the flag as well since it is connected to A.
The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.
Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
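The propagation described in the commit above, as an added illustration that is not firewall3's own code: a minimal model in which one pass shares the conntrack requirement across every forwarding pair, and the fixup repeats that pass until no zone changes. The zone and forwarding structs, function names and the A/B/C topology are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not firewall3's data structures. */
struct zone { const char *name; bool conntrack; };
struct forwarding { int src; int dest; };   /* indices into the zone array */

/* One pass over all forwardings: two zones linked by a forwarding share
 * the conntrack requirement in both directions. Returns whether any zone
 * changed, which is the signal the old single-pass code did not act on. */
bool conntrack_pass(struct zone *zones, const struct forwarding *fwd, int nfwd)
{
    bool changed = false;
    for (int i = 0; i < nfwd; i++) {
        struct zone *s = &zones[fwd[i].src], *d = &zones[fwd[i].dest];
        if (s->conntrack != d->conntrack) {
            s->conntrack = d->conntrack = true;
            changed = true;
        }
    }
    return changed;
}

/* Reapply the pass until a fixpoint is reached; returns the number of
 * passes run, including the final one that changed nothing. */
int conntrack_fixup(struct zone *zones, const struct forwarding *fwd, int nfwd)
{
    int passes = 1;
    while (conntrack_pass(zones, fwd, nfwd))
        passes++;
    return passes;
}

/* Topology from the commit message: A->B, A->C, only C requires conntrack.
 * Returns whether zone B carries the flag after single-pass or iterative
 * propagation; only the iterative variant reaches B through A. */
bool example_zone_b_tracked(bool iterative)
{
    struct zone zones[] = { {"A", false}, {"B", false}, {"C", true} };
    struct forwarding fwd[] = { {0, 1}, {0, 2} };
    if (iterative)
        conntrack_fixup(zones, fwd, 2);
    else
        conntrack_pass(zones, fwd, 2);
    return zones[1].conntrack;
}

int main(void)
{
    printf("single pass: B tracked = %d\n", example_zone_b_tracked(false));
    printf("iterative:   B tracked = %d\n", example_zone_b_tracked(true));
    return 0;
}
```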
In order to avoid header clashes and redefinition errors in compilation
units which include iptables.h, move all includes into the iptables.c
file and only provide a forward declaration for struct fw3_ipt_rule.
This allows us to hide all xtables specific direct and indirect includes
in order to only expose a clean interface which does not rely on any kernel
header bits.
Within iptables.c, reshuffle the includes and predeclare some guard defines
to allow compilation on both glibc as well as patched and unpatched musl
systems.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The conflict between Musl's net/if.h and linux/if.h is an old well known
one and taken care of by a series of linux-headers patches in OpenWrt.
Since Linux 4.8-rc5 Firewall3 also indirectly pulls in linux/in.h and
linux/in6.h leading to new conflicts.
As Firewall3 is fine with just the libc headers prevent inclusion of the
corresponding kernel headers.
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Instead of relying on the nonstandard xt_id match, use the xt_comment match
to tag own rules. Any rule with a comment starting with "!fw3" is considered
to be firewall3 internal.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The ubus network runtime information is not strictly required to use firewall3,
so make a failing ubus connection nonfatal.
This allows testing and running firewall3 on an ordinary desktop linux system,
given an appropriate configuration which uses "option device" instead of
"option network" for zone declarations.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Now that we wrap xtables_register_match() and xtables_register_target() we do
not need to load the extensions ourselves anymore since there is no need to
keep the library handles for dlclose().
Switch to libxtables own loader by invoking xtables_find_match() and
xtables_find_target() with XTF_TRY_LOAD.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This is required to build firewall3 on non-musl systems.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Make loading of static extensions optional to support vanilla iptables
in its default configuration by setting DISABLE_STATIC_EXTENSIONS
instead of hackery.
In case iptables is built with --disable-static, libext.a, libext4.a and
libext6.a, which OpenWrt installs in the form of libiptext.so,
libiptext4.so, libiptext6.so to save a couple more bytes, are of no use
or non-existent one could say. So this commit avoids requiring a
tampered with iptables.
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: stub init_extensions*() instead to reduce amount of ifdefs]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In case iptables is built with --disable-static xt_standard needs to be
loaded just like the other extensions.
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: minor code style change to if/return instead of if/else]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Account for the struct xtables_globals change and add API version 11 to
the supported APIs.
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Properly implement masquerade exceptions by using -j RETURN rules to jump out
of the postrouting container chain and only emit the permuted -j MASQUERADE
rules for non-negated addresses.
Fixes FD#248.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Since musl libc does not support unloading libraries via dlclose() and since
we should not explicitly call library constructors we need to use an
alternative approach to track the match registrations performed by iptables
shared objects.
This commit changes the iptables glue code to keep a global registry of
non-builtin matches and targets.
We implement the bookkeeping by intercepting xtables_register_match() and
xtables_register_target() calls in order to record any extension registration
attempt performed by a loadable iptables library.
The code subsequently uses the global list of dynamically loaded extensions
to re-register dynamic matches and targets for each address family / table
combination.
As a consequence we can get rid of the lib vector in the iptables handle
and remove the dlclose() handling entirely. This simplifies the
load_extension() as well.
Fixes FS#31.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>