1
0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2024-11-24 11:49:43 +02:00
Commit Graph

63 Commits

Author SHA1 Message Date
jow
15a81dae2a [package] firewall:
- introduce per-section "option enabled" which defaults to "1" - useful to disable rules or zones without having to delete them
	- annotate default traffic rules with names
	- bump version


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29577 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-12-20 01:10:15 +00:00
jow
f7ec5e7119 [package] firewall: add DHCPv6 default rule (#10381)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28874 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-11-09 11:10:37 +00:00
jow
41db87f4cc [package] firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28669 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-29 18:02:45 +00:00
jow
cd1d712a7c [package] firewall: do not produce 0.0.0.0/0 if a symbolic masq_src or masq_dest is given but does not resolve to an ip
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28628 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-27 18:14:55 +00:00
jow
45cb96ebda [package] firewall: prevent ip6tables -t nat rules (#10265)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28535 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-23 12:25:57 +00:00
jow
0244db9bf2 [package] firewall: fix another instance of unquoted "*"
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28529 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 21:38:10 +00:00
jow
6ef496f17a [package] firewall: fix possible expansion of "*" when rules with "option src *" are processed
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28527 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 20:11:25 +00:00
jow
570749fed1 [package] firewall: do not check for module availability, let iptables fail if a feature is not present (#7610)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28525 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-22 19:50:35 +00:00
jow
040047ef04 [package] firewall: make ESTABLISHED,RELATED rules match before INVALID, use conntrack instead of state match (#10038)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@28148 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-09-01 20:37:22 +00:00
jow
f80fb45dc2 [package] firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27979 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-08-14 00:33:29 +00:00
jow
d572d07324 [package] firewall: prevent redundant rules if multiple ports and multiple icmp types are given in a rule block for both icmp and other protocols
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27792 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-26 22:21:39 +00:00
jow
7aabfee408 [package] firewall: fix serious bug in state var handling (#9746)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27711 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-20 15:29:10 +00:00
jow
9b9c4a2430 [package] firewall: rework state variable handling, use uci_toggle_state() where applicable and properly handle duplicates in add and del state helpers (#9152, #9710)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27618 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-15 15:03:57 +00:00
jow
fb73402d37 [package] firewall: make sure that -m mac is used with --mac-source, follow up to r27508
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27519 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-07 10:28:31 +00:00
jow
0be37efeae [package] firewall:
- solve scoping issues when multiple values are used, thanks Daniel Dickinson
	- ignore src_port/dest_port for proto icmp rules, ignore icmp_type for non-icmp rules
	- properly handle icmp when proto is given in numerical form (1, 58)
	- support negated icmp types


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27500 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-06 22:10:46 +00:00
jow
9179216cd8 [package] firewall: properly handle negated ports in nat reflection
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27334 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-07-01 11:48:14 +00:00
jow
87281df903 [package] firewall:
- allow multiple ports, protocols, macs, icmp types per rule
	- implement "limit" and "limit_burst" options for rules
	- implement "extra" option to rules and redirects for passing arbritary flags to iptables
	- implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options
	- allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination
	- validate symbolic icmp-type names against the selected iptables binary
	- properly handle forwarded ICMPv6 traffic in the default configuration


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27317 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-30 01:31:23 +00:00
jow
f19aa29f12 [package] firewall: allow symbolic names of interfaces and aliases in masq_src and masq_dest
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27196 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-06-16 21:54:59 +00:00
jow
8d0ec8922c [package] firewall: prevent excessive uci state data aggregation (#9152)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26740 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-04-20 11:49:09 +00:00
jow
b12a3e34a3 [package] firewall: prevent duplicate values in interface state vars
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26382 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-30 20:29:17 +00:00
thepeople
d531cb04e9 Keep firewall.user during sysupgrades
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26241 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-20 00:57:47 +00:00
jow
a4666fa483 [package] firewall: move include sourcing into a subshell, this makes the firewall init immune against exit in the include scripts
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25835 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-02 19:20:29 +00:00
jow
ba53471109 [package] firewall: fix rule generation for v4 or v6 only zones (#8955)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25813 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-03-01 18:04:14 +00:00
jow
8abaf1c3f4 [package] firewall: fix wrong rule order if multiple protocols are used
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@25179 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-01-27 22:19:53 +00:00
jow
b757185a71 [package] firewall: insert SNAT and DNAT rules according to the order of the configuration file (#8052)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23318 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-08 12:11:55 +00:00
jow
22599b9bc0 [package] firewall: mark /etc/firewall.user as conffile
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23231 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-05 07:31:49 +00:00
jow
b592e5c373 [package] firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23201 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-10-03 18:11:59 +00:00
jow
f2b88b6980 [package] add maintainer information
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23159 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-30 10:48:37 +00:00
jow
1efeaa35d1 [package] fireall:
- support negations for src_ip, dest_ip, src_dip options in rules and redirects
	- add NOTRACK target to rule sections, allows to define fine grained notrack rules


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23141 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-28 10:42:56 +00:00
jow
3d98699ef3 [package] firewall: protect iptables invocations with locks in interface ops, it might run concurrently due to hotplug invocations on network restart
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23090 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-19 15:01:47 +00:00
jow
6ce96a49f3 [package] firewall: make invalid redirects and duplicate zones non-fatal, print a notice and discard them
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23080 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-16 11:47:35 +00:00
jow
5986668ca9 [package] firewall: run ifdown hotplug events synchronized, fixes a racecondition on "ifup iface" when ifdown and ifup events are delivered with a small dealy
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23064 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-15 01:53:36 +00:00
jow
ac32f8a93b [package] firewall: deliver remove hotplug events for all active zones/networks when restarting the firewall
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23062 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-14 23:11:12 +00:00
jow
c653713313 [package] firewall:
- simplify masquerade rule setup
	- remove various subshell invocations
	- speedup fw() by not relying on xargs and pipes
	- rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23024 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-11 20:04:34 +00:00
jow
750dead792 [package] firewall: introduce SNAT support for redirect sections
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22937 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-05 19:03:17 +00:00
jow
572cb3cc9e [package] firewall: clean up description (#7875)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22905 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-04 17:39:00 +00:00
jow
291f78f21a [package] firewall:
- handle NAT reflection in firewall hotplug, solves synchronizing issues on boot
	- introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22888 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-04 15:49:13 +00:00
jow
94c817eadb [package] firewall:
- fix processing of rules with an ip family option
	- append interface rules at the end of internal zone chains, simplifies injecting user or addon rules
	- support simple file logging (option log + option log_limit per zone)


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22847 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-08-31 01:54:08 +00:00
jow
da83ad5b95 [package] firewall: add basic NAT reflection/NAT loopback support
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22441 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-07-31 13:06:14 +00:00
jow
5fbf6ca9e6 [package] firewall: allow redirecting only destination port (#7197)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22227 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-07-16 06:03:15 +00:00
jow
e3060b618d [package] firewall:
- notrack support was broken in multiple ways, fix it
	- also consider a zone conntracked if any redirect references it (#7196)


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22215 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-07-15 22:01:48 +00:00
jow
2c25f7e70c [package] firewall: Initial alias interface support. This allows to define zones covering alias interfaces and associated entries like rules and forwardings.
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21653 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-06-01 21:58:48 +00:00
jow
90b818e4a5 [package] firewall: fix support for netranges in redirect and rule sections
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21640 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-05-30 23:49:47 +00:00
jow
24931686cd [package] firewall:
- fix ip6tables rules when icmp_type option is set
	- add "family" option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21508 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-05-19 21:35:23 +00:00
jow
389232eaac [package] firewall (#7355)
- partially revert r21486, start firewall on init again
	- skip iface hotplug events if base fw is not up yet
	- get ifname and up state with uci_get_state() in iface setup
	  since the values gathered by scan_interfaces() may be outdated
	  when iface coldplugging happens (observed with pptp)
	- ignore up state when bringing down interfaces because ifdown
	  reverts state vars before dispatching the iface event
	- bump package revision


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21502 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-05-19 00:50:14 +00:00
jow
5acb7ec58a [package] firewall:
- defer firewall start until the first interface is brought up by hotplug, fixes race conditions on slow devices
	- create a file lock during firewall start and wait for it in hotplug events, prevents race conditions between start and addif
	- start firewall actions in background from hotplug handler since the firewall itself fires further hotplug events which results in a deadlock if not forked off
	- get loaded state direcly from the uci binary since updated value is not recognized by config_get after uci_set_state
	- bump package revision to r2


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21486 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-05-17 12:47:14 +00:00
jow
e8be3016c9 [package] firewall:
- replace uci firewall with a modular dual stack implementation	developed by Malte S. Stretz
	- bump version to 2


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21286 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-05-01 18:22:01 +00:00
jow
8084bc3069 [package] firewall: fix a race condition preventing interfaces from being added to the firewall on boot
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19232 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-01-19 23:02:11 +00:00
nbd
3f21f09b7c adjust dependencies of firewall and qos-scripts, so that these packages are visible even when iptables is not selected
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18714 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-12-09 13:36:39 +00:00
jow
9cdb777d0c [package] firewall: initialize dest_port with src_dport if omitted in redirect sections to narrow
down corresponding forward rules to the actual target ports - thanks Niels Boehm! (#6249)


git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18617 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-12-01 22:31:10 +00:00