| Commit message (Collapse) | Author | Age | Files | Lines |
Allow ipsets to be created with a default timeout of 0. This permits
timed entries to be added if required even though the default is 0
(indefinite).
Prior to this change a default timeout value of 0 would create a set without
timeout support.
Fixes: FS#3977
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
When loading ipset files using the loadfile option, skip blank lines and
lines that start with '#' (disregarding any leading whitespace).
Signed-off-by: Daniel Harding <dharding@living180.net>
The reload_set option was added in commit 509e673dab01 ("firewall3:
Improve ipset support"), and the purpose of the option is to control if
a set should be flushed or not on a firewall reload.
In some cases, the option unfortunately does not work properly. I had
fixed the errors locally, but failed to submit a v2 of "Improve ipset
support". This patch contains my local fixes, and after the following
changes are applied, the option (as well as ipset support) works at
least as I expect.
The following errors have been fixed:
* "family" was not written to the state file, causing all sets read from
this file to be considered ipv4. Save family to ensure that sets are
handled correctly on firewall reload.
* The default value of "reload_set" is false, meaning that the
reload-check in "fw3_create_ipsets()" is always true (on reload). A
consequence of this is that new sets are never created on firewall
reload. In order to ensure that new sets are created, only consider
"reload_set" if the set exists. If a set (from configuration) does not
exist, we always want to create it.
* On reload and before "fw3_destroy_ipsets()" is called, we need to
update run_state to ensure that sets are updated correctly. We need to
check if the sets in run_state are found in cfg_state; if not, the set
should be destroyed (done by forcing reload_set to true). If the set is
found, then we copy the value of reload_set to the set in run_state so
that the elements are updated as the user expects.
Since we now always copy the value of reload_set from cfg_state, there
is no need to write reload_set to run_state.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
This patch is an attempt at improving the ipset support in firewall3.
The following changes have been made:
* The enabled option did not work properly for ipsets, as it was not
checked on create/destroy of a set. After this commit, sets are only
created/destroyed if enabled is set to true.
* Add support for reloading, or recreating, ipsets on firewall reload.
By setting "reload_set" to true, the set will be destroyed and then
re-created when the firewall is reloaded. My use-case for "reload_set"
was to reset sets populated by dnsmasq, without having to restart the
firewall or resort to scripts.
* Add support for the counters and comment extensions. By setting
"counters" or "comment" to true, then counters or comments are added to
the set.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
re-ordered additional variables
dropped enum OPT_COMMENT & OPT_COUNTERS as unused
implemented exponential delay whilst waiting for ipset deletion/creation
fixed delays made firewall unresponsive for too long on reloads
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Introduce a new list option "entry" which can be used to specify entries
to add to the ipset, e.g.

    config ipset
        option name test
        ...
        list entry 1.2.3.4,8080
        list entry 5.6.7.8,8081

Also introduce a new option "loadfile" which refers to an external file
containing set entries to add, with one item per line.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It gives the ability to create ipset rules via procd
services and netifd interface firewall data.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
The return value of fw3_parse_options() should be checked.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Iptables supports using non-continuous netmasks like FFFF::FFFF which would
match the first and last 16 bits of an IPv6 address while ignoring the parts
in between, which is useful for declaring rules targeting hosts on rotating
prefixes.
Instead of storing parsed netmasks as bitcount internally, use a full mask
which is passed to iptables as-is.
Also support a new shorthand notation "addr/-N" which will construct a mask
that matches the *last* N bits of an address - useful for matching the host
part only of an IPv4 address, e.g.

    option dest_ip '::c23f:eff:fe7a:a094/-64'

This will convert to a netmask of "::ffff:ffff:ffff:ffff".
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
- Do not consider bitmap storage for IPv6 family sets
- Move ipset family parameter before any additional option
- Only emit family parameter for hash sets
- Do not allow IPv6 iprange for IPv4 sets and vice versa
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
external value
if set
enabled = true
per family
ipsets and includes