- handle NAT reflection in firewall hotplug, solves synchronizing issues on boot
- introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22888 3c298f89-4303-0410-b956-a3cf2f4a3e73
- fix processing of rules with an ip family option
- append interface rules at the end of internal zone chains, simplifies injecting user or addon rules
- support simple file logging (option log + option log_limit per zone)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22847 3c298f89-4303-0410-b956-a3cf2f4a3e73
- notrack support was broken in multiple ways, fix it
- also consider a zone conntracked if any redirect references it (#7196)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22215 3c298f89-4303-0410-b956-a3cf2f4a3e73
- fix ip6tables rules when icmp_type option is set
- add "family" option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21508 3c298f89-4303-0410-b956-a3cf2f4a3e73
- partially revert r21486, start firewall on init again
- skip iface hotplug events if base fw is not up yet
- get ifname and up state with uci_get_state() in iface setup
since the values gathered by scan_interfaces() may be outdated
when iface coldplugging happens (observed with pptp)
- ignore up state when bringing down interfaces because ifdown
reverts state vars before dispatching the iface event
- bump package revision
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21502 3c298f89-4303-0410-b956-a3cf2f4a3e73
- defer firewall start until the first interface is brought up by hotplug, fixes race conditions on slow devices
- create a file lock during firewall start and wait for it in hotplug events, prevents race conditions between start and addif
- start firewall actions in background from hotplug handler since the firewall itself fires further hotplug events which results in a deadlock if not forked off
- get loaded state direcly from the uci binary since updated value is not recognized by config_get after uci_set_state
- bump package revision to r2
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21486 3c298f89-4303-0410-b956-a3cf2f4a3e73
- replace uci firewall with a modular dual stack implementation developed by Malte S. Stretz
- bump version to 2
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21286 3c298f89-4303-0410-b956-a3cf2f4a3e73
down corresponding forward rules to the actual target ports - thanks Niels Boehm! (#6249)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18617 3c298f89-4303-0410-b956-a3cf2f4a3e73
- make uci firewall default and remove old code
- fix up dependencies
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12284 3c298f89-4303-0410-b956-a3cf2f4a3e73
- iptbales and netfilter packages need to be rewrapped when we switch to this firewall as default
- there are some examples in the file /etc/config/firewall
- iptables-save/restore are still missing
- hotplug takes care of adding/removing netdevs during runtime
- misisng features ? wishes ? let me know ...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12089 3c298f89-4303-0410-b956-a3cf2f4a3e73
