Reword various rule comments to be more explicit and also annotate the flow
offloading rule while we're at it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It gives the ability to create forward rules via procd
services and netifd interface firewall data.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
The return value of fw3_parse_options() should be checked.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
With recent kernel versions and the introduction of the conntrack routing
cache there is no need to maintain performance hacks in userspace anymore,
so simply drop the generation of automatic -j CT --notrack rules for zones.
This also fixes some cases where traffic is not matched for zones that do
not explicitly enforce connection tracking.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In the following topology:

    config zone
        option name A

    config zone
        option name B

    config zone
        option name C
        option conntrack 1

    config forwarding
        option src A
        option dest B

    config forwarding
        option src A
        option dest C

... the conntrack flag needs to be propagated into both zones A and B as well.
Since A is connected with C, A will inherit C's conntrack requirement, which
means that B will need to inherit the flag as well since it is connected to A.
The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.
Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones have been changed, in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
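The fixpoint propagation described in the commit above, as an added illustration that is not firewall3's code: a constructed UCI-style config with the commit's zones A, B, C (plus an unconnected zone D, assumed here, to show the flag does not leak), a one-sweep variant reconstructing the defect the message describes, and the iterate-until-stable version.

```python
# Constructed config mirroring the commit message's topology; zone D is an
# addition of this example to show that unconnected zones keep their flag.
CONFIG = """
config zone
    option name A
config zone
    option name B
config zone
    option name C
    option conntrack 1
config zone
    option name D
config forwarding
    option src A
    option dest B
config forwarding
    option src A
    option dest C
"""

def parse(text):
    """Minimal UCI-like reader: zones as name -> conntrack flag, forwardings as (src, dest)."""
    sections = []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "config":
            sections.append({"_type": parts[1]})
        elif parts and parts[0] == "option":
            sections[-1][parts[1]] = parts[2]
    zones = {s["name"]: s.get("conntrack") == "1" for s in sections if s["_type"] == "zone"}
    fwds = [(s["src"], s["dest"]) for s in sections if s["_type"] == "forwarding"]
    return zones, fwds

def single_pass(zones, fwds):
    """One sweep over the forwardings: a reconstruction of the pre-fix behaviour
    (assumed here, not the original C code). B is missed because A->B is seen
    before A has inherited the flag from C."""
    flags = dict(zones)
    for src, dest in fwds:
        if flags[src] or flags[dest]:
            flags[src] = flags[dest] = True
    return flags

def propagate_conntrack(zones, fwds):
    """Reapply the fixup until no zone changes, so indirectly connected zones inherit it."""
    flags = dict(zones)
    changed = True
    while changed:
        changed = False
        for src, dest in fwds:
            if (flags[src] or flags[dest]) and not (flags[src] and flags[dest]):
                flags[src] = flags[dest] = True
                changed = True
    return flags
```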
Rename to fw3_{set,del,has}bit to avoid name clashes with sys/param.h:

    /opt/toolchains/stbgcc-4.8-1.5/arm-linux-gnueabihf/sys-root/usr/include/sys/param.h:80:0: note: this is the location of the previous definition
    #define setbit(a,i) ((a)[(i)/NBBY] |= 1<<((i)%NBBY))

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of relying on the delegate_* chains to isolate own toplevel
rules from user supplied ones, use the xt_id match to attach a magic
value to fw3 rules which allows selective cleanup regardless of the
container chain.
Also add an experimental "fw3 gc" call to garbage collect empty chains.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
dst_flags and running_dst_flags to flags and running_flags
ipsets and includes