| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Handled more elegantly in the previous commit.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Given that firewall3 already skips the table when fw3_ipt_open fails,
there is no need for fw3_has_table.
Furthermore, /proc/net/ip_tables_names is not reliable under linux
containers (e.g. Docker/LXC/LXD). This patch will remove the need for
existing hacks required for OpenWrt to run on those platforms.
Reviewed-by: Rui Salvaterra <rsalvaterra@gmail.com>
Tested-by: Rui Salvaterra <rsalvaterra@gmail.com>
Tested-by: Ansuel Smith <ansuelsmth@gmail.com>
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
|
| |
|
|
|
|
|
|
|
|
|
| |
RFC-8622 implements a low priority DSCP marking called 'Least Effort' or
'LE' Instead of prioritising traffic in varying degrees, this defines a
scum class of packet that really is the lowest of the low and you may
consider forwarding if you really have nothing better to do.
This patch adds LE class support to firewall3.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
|
|
| |
syn_flood chain entry is guarded by '--syn' checks in the calling chains, so the
syn_flood chain doesn't need to check packet flags, it only needs to count and
potentially drop.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By calling the command 'fw3 reload' several times at the same time, I
noticed that the locking was not working properly. It happened from time
to time that some firewall rules were present twice in the system!
By removing the 'unlink' systemcall, this error no longer occurred on my
systems.
Since fw3 does not run as a service, it makes no sense to delete this
lock file every time a filehandler is no longer open on this lock file,
because fw3 binary is not running.
If fw3 does run as a service then we can remove this lock file on
service stop. But this is not the case for fw3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With Linux 5.15+, tables are loaded on access. Firewall3 uses the
ip{,6}_tables_names proc entries to check if a table exists. In this new
implementation, the proc entries can contain wrong data if a table is present
but never used, and firewall3 will incorrectly think that the table is
unavailable. This causes configuration problems, since after a normal boot the
proc entries contain only the "filter" table and are missing "raw", "mangle" and
"nat".
To fix this, "poke" the tables to load them, simply by opening and closing them
without doing any operation. This simple operation is sufficient to make the
missing tables appear in the proc entries.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[Reword the commit message and code comment]
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Allow ipsets to be created with a default timeout of 0. This permits
timed entries to be added if required even though the default is 0
(indefinite)
Prior to this change a default timeout value of 0 would create a set without
timeout support.
Fixes: FS#3977
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
| |
We don't need an extra boolean.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
| |
|
|
|
|
|
| |
Both fw3_has_table and fw3_has_target do the same thing. Factor out the common
code into a separate function.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, fw3 places all DSCP/MARK target rules into the PREROUTING chain,
and accepts but ignores a src device. This behaviour is impractical for
most common applications (e.g. QOS setup), since rules are applied to all
devices and in all directions.
Fix this generally by honouring src/dest device selection and placing the
rules into the appropriate chain of the mangle table. This code is based
on a proof of concept shared by Jo-Philipp Wich <jo@mein.io>.
Fixes: 12a7cf9db1f9 ("Add support for DSCP matches and target")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
|
| |
|
|
|
|
|
|
|
| |
While resolving zones to devices it's possible to introduce duplicates due
to the presence of aliased interfaces.
Fix this by consolidating the fw3_zone->devices list during creation.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
|
| |
|
|
|
| |
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reviewed-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
| |
Ref: https://bugs.openwrt.org/index.php?getfile=1053
Fixes: FS#1053
Fixes: 427bc12 ("iptables: fix serializing multiple weekdays")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
| |
The flag was initialised and tested, but actually never set when a duplicate
section was found.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
| |
|
|
|
|
|
| |
When loading ipset files using the loadfile option, skip blank lines and
lines that start with '#' (disregarding any leading whitespace).
Signed-off-by: Daniel Harding <dharding@living180.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As defined in currently used iptables v1.8.4, chain name must be
under 29 chars. Thus, user can only edit 11 chars.
See also the bugreport [0].
[0] https://dev.archive.openwrt.org/ticket/20380
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
[improve commit description, move length calculation information to src]
Signed-off-by: David Bauer <mail@david-bauer.net>
|
| |
|
|
|
|
|
|
|
|
| |
Boolean attributes were parsed the same way as string attributes,
so a value of { "bool_attr": "true" } would be parsed correctly, but
{ "bool_attr": true } (without quotes) was parsed as false.
Fixes FS#3284
Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
|
| |
|
|
|
|
|
| |
Fixes FS#3231
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
| |
Fixes 9d7f49df47ad ("redurects: add support to define multiple zones for dnat reflection rules")
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Replace sprintf(), strncpy() etc. with safer variants that perform bounds
checking on the target buffer. Also rework unsafe `p += sprintf(p, ....)`
code to properly handle error cases.
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-May/023363.html
Suggested-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
| |
- Purge chains in two phases, first flush rules, then delete chains
- Create missing zone user chains during reload
- Keep used chains on reload to avoid removing user rules
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added new config option for redirect, which accepts a list of zones from
which reflection rules shall be created.
Example:
zones: wan lan devices servers
config redirect
...
option target 'DNAT'
option src 'wan'
option dest 'servers'
option proto 'tcp'
option src_dport '443'
option dest_port '443'
option name 'HTTPS'
option reflection_src 'extern'
...
Old behaviour would only add a reflection rule from the servers zone.
By adding a config `option reflection_zones 'lan devices servers'`,
reflection rules will get added for all and only the given zones.
Not setting that option results in the old behaviour of using the
DNAT destination zone for reflection rules.
Tested on x86 master and 18.06.
Signed-off-by: Anton Engelhardt <engelhardt.anton@gmail.com>
[reword commit message, align code style, avoid temporary list,
singular option name]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fixes 7cc2a84 ("defaults: robustify flow table detection.")
7cc2a84 made disabling flow_offloading impossible.
This is to fix the buggy behavior.
Signed-off-by: Yanlong Wang <yanlong.wang@naiver.org>
[move variable declaration to the top, remove braces from conditional]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
| |
Fixes d596f728e9 ("rules: fix UCI context in error reporting")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The flow table detection fails if the respective target module is
built into the kernel, since it's looking for the module itself.
Create a generic helper and instead check for existence of the
FLOWOFFLOAD target in /proc/net/ip_tables_targets.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
| |
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
| |
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
| |
Fix resource leak in fw3_lock_path in case flock fails
Detected by Coverity in CID 1453962
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
When importing ipset definitions from published ubus data, do not
overwrite the name attribute with an autogenerated string like it
is being done for rules or redirects.
Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Problem can be reproduced with a rule like this:
option src 'wan'
option family 'ipv6'
option proto 'icmp'
option icmp_type '128'
option target 'DROP'
The resulted rule will set --icmpv6-type to 128/255.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
| |
|
|
|
|
|
|
| |
Fix the format string to match the size_t type, this fixes a build
problem on 64 bit platforms.
Fixes: 4d0c703e750c ("firewall3: Fix some format string problems")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
This adds annotations for the format strings to the print functions and
fixes the newly found problems. One of them is a format security
problem.
Coverity: #1412532
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using fw3 together with other applications or scripts a race
conditions might occur. When fw3 is preparing the new tables, another
application can use the executable `iptables` which modifies the
kernel-tables. libxtables will notify this and fails when fw3 is
committing the changes resulting in a failed firewall.
Now waits in a while loop until the lock is gone, activate the lock
itself and applies changes.
To reproduce the bug the following two scripts should run in parrallel,
after a few seconds the latter stop and leaves a broken firewall:
while true; do iptables -N locking; done
and
while [ "$(iptables -w -L OUTPUT | wc -l)" -gt 2 ]; do fw3 reload; done
The following message will appear
Warning: iptc_commit(): Resource temporarily unavailable
and connectivity is gone.
Tested in an LXC and Qemu container.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
[fixed waiting for unlock and commit message]
Signed-off-by: Paul Spooren <mail@aparcar.org>
|
| |
|
|
|
|
|
|
| |
To lock a second lock file at the same time, introduce fw3_{un,}lock_path.
fw3_lock_path support the path as parameter in difference to fw3_lock which
only locks the fw3 lock file (/var/run/fw3.lock)
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The reload_set option was added in commit 509e673dab01 ("firewall3:
Improve ipset support"), and the purpose of the option is to control if
a set should be flushed or not on a firewall reload.
In some cases, the option unfortunately does not work properly. I had
fixed the errors locally, but failed to submit a v2 of "Improve ipset
support". This patch contains my local fixes, and after the following
changes are applied then the option (as well as ipset support) works as
at least I expect.
The following errors have been fixed:
* "family" was not written to the state file, causing all sets read from
this file was considered as ipv4. Save family to ensure that sets are
handled correctly on firewall reload.
* The default value of "reload_set" is false, meaning that the
reload-check in "fw3_create_ipsets()" is always true (on reload). A
consequence of this is that new sets are never created on firewall
reload. In order to ensure that new sets are created, only consider
"reload_set" if the set exists. If a set (from configuration) does not
exist, we always want to create it.
* On reload and before "fw3_destroy_ipsets()" are called, we need to
update run_state to ensure that sets are updated correctly. We need to
check if the sets in run_state is found in cfg_state, if not the set
should be destroyed (done by forcing reload_set to true). If the set is
found, then we copy the value of reload_set to the set in run_state so
that the elements are updated as the user expects.
Since we now always copy the value of reload_set from cfg_state, there
is no need to write reload_set to run_state.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is an attempt at improving the ipset support in firewall3.
The following changes have been made:
* The enabled option did not work properly for ipsets, as it was not
checked on create/destroy of a set. After this commit, sets are only
created/destroyed if enabled is set to true.
* Add support for reloading, or recreating, ipsets on firewall reload.
By setting "reload_set" to true, the set will be destroyed and then
re-created when the firewall is reloaded. My use-case for "reload_set"
was to reset sets populated by dnsmasq, without having to restart the
firewall or resort to scripts.
* Add support for the counters and comment extensions. By setting
"counters" or "comment" to true, then counters or comments are added to
the set.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
re-ordered additional variables
dropped enum OPT_COMMENT & OPT_COUNTERS as unused
implemented exponential delay whilst waiting for ipset deletion/creation
fixed delays made firewall unresponsive for too long on reloads
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
| |
solve coverity reported resource leak (socket handle)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add zone chains identifying local generated traffic; either by configuring
a loopback device or as subnet a loopback address; in the raw OUTPUT chain
as local generated traffic is passing this chain.
This allows helpers to be used for local generated traffic.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
| |
args was not freed after leaving this function.
Fixes Coverity issue 1412470 Resource leak
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes two possible situations where strncpy() produces a not null
terminated buffer.
Coverity IDs:
* 1412247 Buffer not null terminated
* 1412279 Buffer not null terminated
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case of SNAT rules the src_dport parameter is used both as a rewrite
parameter as well as a matching parameter which is not the expected
behavior.
The latter is caused by port_redir being set to src_dport in case dest_port
parameter is not.
As this logic is in place to mimic the old shell script based firewall
behavior for DNAT only set port_redir in case the redirect rule is
a DNAT rule.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
| |
Fixes 06fa692 ("defaults: use a generic check_kmod() function")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
| |
Rather than having functions for check_offloading() et al, replace it with a
generic function.
Signed-off-by: Joe Holden <jwh@zorins.co.uk>
|
| |
|
|
| |
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
| |
Invoking ubus methods with NULL message is not supported anymore, so
make sure that network.interface/dump is called with an empty blob buffer
argument.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
| |
RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
error: ‘%u’ directive writing between 1 and 10 bytes into a region of size
between 7 and 11 [-Werror=format-overflow=]
sprintf(buf, "%u-%u", port->port_min, port->port_max);
^~
note: directive argument in the range [0, 2147483647]
sprintf(buf, "%u-%u", port->port_min, port->port_max);
^~~~~~~
note: ‘sprintf’ output between 4 and 17 bytes into a destination of size
13
sprintf(buf, "%u-%u", port->port_min, port->port_max);
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Emit LOG rules bound to the source/destination device or subnet to match the
same traffic handled by the terminal REJECT/DROP rules.
This fixes superflous logging of unrelated traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When parsing user supplied time strings, calculate an UTC time instant by
substracting the current zone offset from the result of mktime(3), then use
gmtime_r(3) to turn the time_t value back into a sanitized time structure.
This ensures that user supplied dates are not interpreted as local time.
Fixes FS#1483.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
| |
The set_helper field has to be set by set_helper and not helper.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
|
