path: root/zones.c
Commit message (Author, Age, Files, Lines)
* zones: add zone identifying local traffic in raw OUTPUT chain (Hans Dedecker, 2019-01-02, 1 file, -5/+9)
  Add zone chains identifying locally generated traffic; either by configuring a loopback device or a loopback address as subnet; in the raw OUTPUT chain as locally generated traffic is passing this chain. This allows helpers to be used for locally generated traffic.
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
  Acked-by: Jo-Philipp Wich <jo@mein.io>
* zones: add interface/subnet bound LOG rules (Jo-Philipp Wich, 2018-05-19, 1 file, -37/+32)
  Emit LOG rules bound to the source/destination device or subnet to match the same traffic handled by the terminal REJECT/DROP rules. This fixes superfluous logging of unrelated traffic.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Reword rule comments (Jo-Philipp Wich, 2018-03-13, 1 file, -4/+4)
  Reword various rule comments to be more explicit and also annotate the flow offloading rule while we're at it.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* zones: allow per-table log control (Stijn Tintel, 2018-02-26, 1 file, -3/+8)
  When enabling logging for a zone, logging is enabled in the filter and mangle tables. The log rule in the mangle table enables mtu_fix logging, which has the tendency to flood logs. Allow per-table log control by making the log boolean a bit field that can be used to enable logging in the filter and/or mangle tables.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* helpers: implement explicit CT helper assignment support (Jo-Philipp Wich, 2018-02-20, 1 file, -2/+67)
  Implement support for explicit per-zone conntrack helper assignment in the raw table in order to compensate for the now disabled automatic helper assignment in recent Linux kernels.
  This commit adds, along with the required infrastructure, a new per-zone uci option "helper" which can be used to tie one or more CT helpers to a given zone. For example the following configuration:
      config zone
          option name lan
          option network lan
          list helper ftp
          list helper sip
  ... will assign the FTP and SIP conntrack helpers as specified in /usr/share/fw3/helpers.conf to traffic originating from the LAN zone.
  Additionally, a new boolean option "auto_helper" has been defined for both "config defaults" and "config zone" sections, with the former option overruling the latter. When the default true "option auto_helper" is set, all available helpers are automatically attached to each non-masq zone (i.e. "lan" by default). When one or more "list helper" options are specified, the zone has masquerading enabled or "auto_helper" is set to false, then the automatic helper attachment is disabled for the corresponding zone.
  Furthermore, this commit introduces support for a new 'HELPER' target in "config rule" sections, along with "option helper" to match helper traffic and "option set_helper" to assign CT helpers to a stream.
  Finally, "config redirect" sections support "option helper" too now, which causes fw3 to emit helper setting rules for forwarded DNAT traffic. When "option helper" is not defined for a redirect and when the global option "auto_helper" is not disabled, fw3 will pick a suitable helper based on the destination protocol and port and assign it to DNATed traffic.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* zones: disable masq when resolving of all masq_src or masq_dest items failed (Jo-Philipp Wich, 2018-02-13, 1 file, -1/+33)
  Avoid generating 0.0.0.0/0 masquerade rules when resolving of the corresponding symbolic masq_src or masq_dest value failed.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall3: check the return value of fw3_parse_options() (Pierre Lebleu, 2017-05-09, 1 file, -1/+2)
  The return value of fw3_parse_options() should be checked.
  Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
* zones: drop outgoing invalid traffic in masqueraded zones (Jo-Philipp Wich, 2017-04-27, 1 file, -0/+12)
  Install conntrack state invalid drop rules to catch outgoing, un-natted traffic in zones with enabled masquerading. Also introduce a new option "masq_allow_invalid" to inhibit these new drop rules.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* zones: do not check conntrack state in zone_*_dest_ACCEPT chains (Jo-Philipp Wich, 2017-01-13, 1 file, -5/+0)
  Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally, are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow streams with state NEW or UNTRACKED.
  Remove the ctstate restriction on dest accept chains to properly pass-through unrelated 3rd party traffic.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* global: remove automatic notrack rules (Jo-Philipp Wich, 2016-11-29, 1 file, -15/+0)
  With recent Kernel versions and the introduction of the conntrack routing cache there is no need to maintain performance hacks in userspace anymore, so simply drop the generation of automatic -j CT --notrack rules for zones.
  This also fixes some cases where traffic is not matched for zones that do not explicitly enforce connection tracking.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* zones: properly handle multiple masq_src / masq_dest negations (FS#248) (Jo-Philipp Wich, 2016-11-01, 1 file, -7/+59)
  Properly implement masquerade exceptions by using -j RETURN rules to jump out of the postrouting container chain and only emit the permutated -j MASQUERADE rules for non-negated addresses.
  Fixes FD#248.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* utils.h: Avoid name clashes for setbit/delbit/hasbit (Florian Fainelli, 2016-09-18, 1 file, -13/+13)
  Rename to fw3_{set,del,has}bit to avoid name clashes with sys/param.h:
      /opt/toolchains/stbgcc-4.8-1.5/arm-linux-gnueabihf/sys-root/usr/include/sys/param.h:80:0: note: this is the location of the previous definition
      #define setbit(a,i) ((a)[(i)/NBBY] |= 1<<((i)%NBBY))
  Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* zones: allow untracked traffic as well (Jo-Philipp Wich, 2016-08-08, 1 file, -2/+4)
  Now that we only allow ctstate NEW traffic by default we also need to whitelist traffic explicitly marked by --notrack.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* zones: restrict default ACCEPT rules to NEW ctstate (Jo-Philipp Wich, 2016-08-08, 1 file, -0/+8)
  Restrict the per-zone default accept rules to only accept streams with conntrack state NEW when drop_invalid is disabled.
  This commit hardens the firewall in order to allow disabling drop_invalid by default since ctstate INVALID also matches desired traffic like IPv6 neighbour discovery messages.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* treewide: replace jow@openwrt.org with jo@mein.io (Jo-Philipp Wich, 2016-06-07, 1 file, -1/+1)
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Use xt_id match to track own rules (Jo-Philipp Wich, 2016-01-24, 1 file, -10/+10)
  Instead of relying on the delegate_* chains to isolate own toplevel rules from user supplied ones, use the xt_id match to attach a magic value to fw3 rules which allows selective cleanup regardless of the container chain.
  Also add an experimental "fw3 gc" call to garbage collect empty chains.
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
* redirects: respect src_dip option for reflection rules (Jo-Philipp Wich, 2015-01-08, 1 file, -10/+23)
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
* Selectively flush conntrack (Jo-Philipp Wich, 2014-08-11, 1 file, -0/+4)
  Record active IP addresses in firewall state file and trigger conntrack flush for changed IP addresses on firewall reload.
  Additionally trigger a complete flush on the first firewall start in order to clear out streams which might have bypassed the masquerading rules.
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
* zones: make forward policy destination bound (Jo-Philipp Wich, 2014-07-21, 1 file, -3/+3)
  The zone forwarding policy was installed source bound which resulted in zones with forward accept policy to allow traffic anywhere while only traffic between the zone's networks is supposed to be allowed in this case.
  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
* make fw3_ubus_address take a list_head * argument instead of allocating & returning one (Felix Fietkau, 2014-06-30, 1 file, -15/+2)
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
* use calloc instead of malloc+memset (Felix Fietkau, 2014-06-30, 1 file, -7/+2)
  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
* Clean up dead code (Jo-Philipp Wich, 2013-11-18, 1 file, -0/+2)
* Use a global -m conntrack --ctstate DNAT rule to accept all port forwards of a given zone in filter (Jo-Philipp Wich, 2013-11-07, 1 file, -0/+13)
* Improve ubus support (Steven Barth, 2013-10-23, 1 file, -0/+2)
  * Use network.interface dump call instead of individual status calls to reduce overall netifd lookups and invokes to 1 per fw3 process.
  * Allow protocol handlers to assign a firewall zone for an interface in the data section to allow for dynamic firewall zone assignment.
* Use fw3_ipt_rule_replace() when setting up zone interface rules (Jo-Philipp Wich, 2013-10-10, 1 file, -10/+10)
  This avoids duplicate rules in the final ruleset when multiple interfaces, subnets or devices in a zone specification resolve to the same values.
* Reorganize chain layout for raw/NOTRACK rules to fix support for custom rules with target "NOTRACK" (Jo-Philipp Wich, 2013-08-14, 1 file, -5/+15)
* Keep all basic chains on reload and only flush them, this allows user rules to jump to targets like "reject" or "notrack" (Jo-Philipp Wich, 2013-06-06, 1 file, -1/+7)
* Fix wrong chain emitted for zone forward policy, the terminal chain is source, not destination bound. (Jo-Philipp Wich, 2013-06-04, 1 file, -3/+3)
* Replace fw3_free_zone() with the generic implementation (Jo-Philipp Wich, 2013-05-26, 1 file, -20/+0)
* Add fw3_resolve_zone_addresses() helper to obtain a list of all subnets covered by a zone (Jo-Philipp Wich, 2013-05-26, 1 file, -0/+45)
* Limit zone names to 14 bytes (Jo-Philipp Wich, 2013-05-22, 1 file, -0/+8)
* Further fixes for zone reloads (Jo-Philipp Wich, 2013-05-22, 1 file, -1/+4)
* Rename struct fw3_rule_spec to struct fw3_chain_spec and move the declaration to options.h (Jo-Philipp Wich, 2013-05-17, 1 file, -3/+3)
* Drop iptables-restore and create rules through libiptc and libxtables (Jo-Philipp Wich, 2013-05-17, 1 file, -155/+213)
* Use libiptc to clear current ruleset (Jo-Philipp Wich, 2013-05-13, 1 file, -12/+22)
* Record device-network relation in state file, fix zone hotplug events (Jo-Philipp Wich, 2013-05-02, 1 file, -20/+7)
* Remove references to unused FW3_FLAG_DELETED flag (Jo-Philipp Wich, 2013-04-30, 1 file, -4/+2)
* Remove unused "running" argument from fw3_lookup_zone() (Jo-Philipp Wich, 2013-04-30, 1 file, -1/+1)
* Split runtime and config states, store runtime state in UCI format (Jo-Philipp Wich, 2013-04-30, 1 file, -14/+10)
* Properly handle deleted zones and ipsets on restarts (Jo-Philipp Wich, 2013-03-19, 1 file, -2/+4)
* Accept network names in per-zone subnet option (Jo-Philipp Wich, 2013-03-19, 1 file, -2/+2)
* Implement support for "network" datatype and use it for masq_src / masq_dest (Jo-Philipp Wich, 2013-03-19, 1 file, -4/+8)
* Do not accept option src_mac for SNAT rules (Jo-Philipp Wich, 2013-03-18, 1 file, -1/+1)
* Consolidate and unify argument order for functions (Jo-Philipp Wich, 2013-03-14, 1 file, -22/+22)
* Emit hotplug calls when flushing / creating zone chains (Jo-Philipp Wich, 2013-03-13, 1 file, -0/+54)
* Unify fw3_default and fw3_target enums (Jo-Philipp Wich, 2013-03-13, 1 file, -18/+18)
* Track used networks and devices in state file (Jo-Philipp Wich, 2013-03-12, 1 file, -0/+4)
* Unify print_chains() implementations in utils.c fw3_pr_rulespec() (Jo-Philipp Wich, 2013-03-12, 1 file, -53/+14)
* Rework zone flush logic (Jo-Philipp Wich, 2013-03-11, 1 file, -91/+76)
* Change fw3_no_family() macro to take bit field value directly (Jo-Philipp Wich, 2013-03-11, 1 file, -2/+2)