| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Add zone chains identifying local generated traffic; either by configuring
a loopback device or as subnet a loopback address; in the raw OUTPUT chain
as local generated traffic is passing this chain.
This allows helpers to be used for local generated traffic.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
| |
Emit LOG rules bound to the source/destination device or subnet to match the
same traffic handled by the terminal REJECT/DROP rules.
This fixes superflous logging of unrelated traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
| |
Reword various rule comments to be more explicit and also annotate the flow
offloading rule while we're at it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
|
| |
When enabling logging for a zone, logging is enabled in the filter and
mangle tables. The log rule in the mangle table enables mtu_fix logging,
which has the tendency to flood logs. Allow per-table log control by
making the log boolean a bit field that can be used to enabled logging
in the filter and/or mangle tables.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement support for explicit per-zone conntrack helper assignment in
the raw table in order to compensate for the now disabled automatic
helper assignment in recent Linux kernels.
This commit adds, along with the required infrastructure, a new per-
zone uci option "helper" which can be used to tie one or more CT helpers
to a given zone.
For example the following configuration:
config zone
option name lan
option network lan
list helper ftp
list helper sip
... will assign the FTP and SIP conntrack helpers as specified in
/usr/share/fw3/helpers.conf to traffic originating from the LAN zone.
Additionally, a new boolean option "auto_helper" has been defined for
both "config defaults" and "config zone" sections, with the former
option overruling the latter.
When the default true "option auto_helper" is set, all available helpers
are automatically attached to each non-masq zone (i.e. "lan" by default).
When one or more "list helper" options are specified, the zone has
masquerading enabled or "auto_helper" is set to false, then the automatic
helper attachment is disabled for the corresponding zone.
Furthermore, this commit introduces support for a new 'HELPER' target in
"config rule" sections, along with "option helper" to match helper traffic
and "option set_helper" to assign CT helpers to a stream.
Finally, "config redirect" sections support "option helper" too now,
which causes fw3 to emit helper setting rules for forwarded DNAT traffic.
When "option helper" is not defined for a redirect and when the global
option "auto_helper" is not disabled, fw3 will pick a suitable helper
based on the destination protocol and port and assign it to DNATed traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
| |
Avoid generating 0.0.0.0/0 masquerade rules when resolving of the
corresponding symbolic masq_src or masq_dest value failed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
| |
The return value of fw3_parse_options() should be checked.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
Install conntrack state invalid drop rules to catch outgoing, un-natted
traffic in zones with enabled masquerading.
Also introduce a new option "masq_allow_invalid" it inhibit this new
drop rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow stream with state NEW
or UNTRACKED.
Remove the ctstate restriction on dest accept chains to properly pass-
through unrelated 3rd party traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
|
|
| |
With recent Kernel versions and the introduction of the conntrack routing
cache there is no need to maintain performance hacks in userspace anymore,
so simply drop the generation of automatic -j CT --notrack rules for zones.
This also fixes some cases where traffic is not matched for zones that do
not explicitely enforce connection tracking.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
|
| |
Properly implement masquerade exceptions by using -j RETURN rules to jump out
of the postrouting container chain and only emit the permutated -j MASQUERADE
rules for non-negated addresses.
Fixes FD#248.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
| |
Rename to fw3_{set,del,has}bit to avoid name clashes with sys/param.h:
/opt/toolchains/stbgcc-4.8-1.5/arm-linux-gnueabihf/sys-root/usr/include/sys/param.h:80:0: note: this is the location of the previous definition
#define setbit(a,i) ((a)[(i)/NBBY] |= 1<<((i)%NBBY))
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
|
|
|
|
|
|
|
| |
Now that we only allow ctstate NEW traffic by default we also need to
whitelist traffic explicitely marked by --notrack.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
|
|
| |
Restrict the per-zone default accept rules to only accept streams with
conntrack state NEW when drop_invalid is disabled.
This commit hardens the firewall in order to allow disabling drop_invalid
by default since ctstate INVALID also matches desired traffic like IPv6
neighbour discovery messages.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of relying on the delegate_* chains to isolate own toplevel
rules from user supplied ones, use the xt_id match to attach a magic
value to fw3 rules which allows selective cleanup regardless of the
container chain.
Also add an experimental "fw3 gc" call to garbage collect empty chains.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Record active IP addresses in firewall state file and trigger
conntrack flush for changed IP addresses on firewall reload.
Additionally trigger a complete flush on the first firewall
start in order to clear out streams which might have bypassed
the masquerading rules.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
|
|
|
|
|
|
|
| |
The zone forwarding policy was installed source bound which resulted
in zones with forward accept policy to allow traffic anywhere while
only traffic between the zones network is supposed to be allowed in this
case.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
|
|
|
|
|
|
| |
returning one
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
| |
|
|
|
|
| |
a given zone in filter
|
|
|
|
|
|
|
|
| |
* Use network.interface dump call instead of individual status calls
to reduce overall netifd lookups and invokes to 1 per fw3 process.
* Allow protocol handlers to assign a firewall zone for an interface
in the data section to allow for dynamic firewall zone assignment.
|
|
|
|
|
| |
This avoids duplicate rules in the final ruleset when multiple interfaces,
subnets or devices in a zone specification resolve to the same values.
|
|
|
|
| |
rules with target "NOTRACK"
|
|
|
|
| |
to jump to targets like "reject" or "notrack"
|
|
|
|
| |
source, not destination bound.
|
| |
|
|
|
|
| |
covered by a zone
|
| |
|
| |
|
|
|
|
| |
declaration to options.h
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|