jow
c13a8a8058
[backfire] firewall:
...
- backport SNAT changes from trunk
- always create zone_x_nat chains, like prerouting
- simplify masquerade rule setup
- treat proto option as list, allows specifying multiple protocols for rules and redirects
- add missing cleanup rule for NOTRACK entries
- introduce a helper function to deal with portranges
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@23025 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-11 20:47:35 +00:00
jow
b8178fe409
[backfire] firewall: backport SNAT support from trunk
...
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22939 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-05 20:37:44 +00:00
jow
af55d401d2
[backfire] remove leftover debugging
...
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22902 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-04 17:21:42 +00:00
jow
82293648a1
[backfire] backport masq_src and masq_dest options from trunk firewall
...
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22901 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-04 17:20:12 +00:00
jow
1ad551b0a7
[backfire] firewall: allow redirecting only destination port ( #7197 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22228 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-07-16 06:05:23 +00:00
jow
5e99434568
[backfire] firewall: consider zones referenced by redirects as conntracked ( #7196 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22216 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-07-15 22:08:02 +00:00
jow
fa8f585a08
[package] firewall: insert rules at the beginning of chains again while maintaining non reversed order, fixes wrong ordering introduced by r18015
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19946 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-03-02 11:02:24 +00:00
jow
92af8399eb
[package] firewall: fix bad number error in fw_redirect() ( #6704 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19765 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-02-20 03:39:55 +00:00
thepeople
58a312461e
Add destination ip of the wan adapter useful if you have multiple ip addresses.
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19574 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-02-11 02:33:34 +00:00
jow
8084bc3069
[package] firewall: fix a race condition preventing interfaces from being added to the firewall on boot
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19232 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-01-19 23:02:11 +00:00
nbd
8b93389dca
firewall: fix fallout from r18716 ( fixes #6338 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18733 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-12-10 18:18:37 +00:00
nbd
6b2e482b31
firewall: get rid of recursive shell script inclusion to improve hush compatibility
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18716 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-12-09 14:04:37 +00:00
jow
9cdb777d0c
[package] firewall: initialize dest_port with src_dport if omitted in redirect sections to narrow
...
down corresponding forward rules to the actual target ports - thanks Niels Boehm! (#6249 )
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18617 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-12-01 22:31:10 +00:00
nbd
adbb0c8af6
firewall: fix zone defaults
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18028 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-10-11 02:42:22 +00:00
nbd
71394ccb5e
firewall: do not process rules in reverse
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@18015 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-10-10 18:08:26 +00:00
nico
dc1a20a020
[package] firewall: fix MSS issue affection RELATED new connections ( closes : #5173 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@17762 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-09-27 13:57:09 +00:00
nbd
7c52bc2d37
firewall: add sanity checks to zone default rules (patch from #5459 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@17713 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-09-24 21:59:16 +00:00
nbd
d268e4037b
firewall: emit hotplug events for interface add/remove
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@17415 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-08-26 22:46:24 +00:00
jow
f0250152da
[package] firewall: add icmp_type option to specify the icmp type in rule sections, bump pkg revision ( #5554 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@17115 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-08-03 22:24:48 +00:00
florian
e56f132e78
[package] fix typo in the uci firewall script
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@16076 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-05-26 10:51:01 +00:00
nbd
0d3ad9cfd0
firewall: automatically set up NOTRACK rules to disable connection tracking for zones that have no masquerading, no conntrack and no forwarding from/to other zones with masq/conntrack
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15855 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-05-14 21:46:38 +00:00
jow
3a5c4c82ff
[package] firewall: process custom rules after forwardings and redirects, this actually allows blocking traffic to certain hosts and other rules
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@15278 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-04-19 20:39:02 +00:00
nbd
da25c6a4cb
firewall: don't clear the mangle table at startup or stop - it doesn't use it and clearing it breaks qos
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14114 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-01-20 13:07:30 +00:00
jow
9a3973d64e
firewall: introduce drop_invalid option to allow disabling the invalid state match
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14061 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-01-16 18:09:19 +00:00
nbd
312627976e
firewall: allow multiple interfaces to be part of one zone, fix the sanity checks for that
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14058 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-01-16 17:39:03 +00:00
nbd
8db97c0089
firewall: clear the MSSFIX rules
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@13826 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-01-02 21:58:58 +00:00
cyrus
e1ee5624c2
Unify portrange-support in firewall rule generator
...
fixes #4404
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@13791 3c298f89-4303-0410-b956-a3cf2f4a3e73
2009-01-01 13:05:16 +00:00
nbd
e8530f33a9
disable the MSS fixup hack by default (most ISPs don't require this as a workaround for MTU problems, only some do). this should give a nice speedup for routing on standard-compliant ISPs
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@13788 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-12-31 19:02:03 +00:00
blogic
e9ded9eef5
fixes firewall for trunk, custom chains were never reched, as policies apply beforehand
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12978 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-10-14 10:53:55 +00:00
blogic
23ab7d24d7
fixes firewall rule generation. forwarding rules were inserted in input chains, fixes #4028
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12768 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-09-28 17:40:09 +00:00
blogic
1d1f04a661
custom chains were never reached on DROP/REJECT policy, fixes #4004 #4029
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12767 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-09-28 17:06:39 +00:00
nbd
3056e3c10b
firewall: fix default policies, add a check for duplicate defaults sections and make custom chains more generic
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12765 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-09-28 16:17:37 +00:00
nico
1fa1f8e7d8
firewall changes:
...
- implement a REJECT policy and enable it by default, reject packets with approriate response (closes : #3970 )
- cleanup syn_flood and remove logging
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12688 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-09-24 15:10:16 +00:00
cyrus
40b17025ed
Fixed a typo in the firewall scripts
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12616 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-09-16 22:01:14 +00:00
cyrus
e81a77ae5d
Fixed a typo in firewall scripts, closes #4000
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12613 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-09-15 18:57:39 +00:00
blogic
1818023bf0
make uci firewall backwards compatible to the old firewall.user
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12408 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-27 19:16:54 +00:00
blogic
41ac8d9c29
add proto tcpudp to firewall
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12407 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-27 18:54:52 +00:00
blogic
e3073ce270
fix device duplication in firewall if the balancing of ifup and ifdown is broken
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12404 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-27 18:31:34 +00:00
blogic
5d9144f606
make sure uci firewall reverts its states when stopped
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12403 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-27 16:48:54 +00:00
blogic
b3bb348939
fixes uci firewall init order, Signed-off-by: Roberto Riggio
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12402 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-27 15:55:21 +00:00
cyrus
101992b80b
firewall: Added support for port-ranges as firstPort-lastPort to redirect sections
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12396 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-27 14:04:52 +00:00
blogic
4927575ba5
adds 5 new chains to the uci firewall that can be used to hook custom rules
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12395 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-27 12:03:48 +00:00
blogic
60197a65d9
adds more sanity checks to uci firewall
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12392 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-26 11:07:04 +00:00
blogic
6a94232068
use proto instead of protocol in uci firewall
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12391 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-26 07:23:29 +00:00
nbd
b8fc6bb720
fix some firewall script typos (patch from #3897 )
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12332 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-17 12:01:01 +00:00
thepeople
3de484921c
fix typo, proto should be protocol
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12318 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-16 06:33:22 +00:00
blogic
b4667d52b0
trigger error if dport is used when no proto is defined
...
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12317 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-15 20:18:13 +00:00
blogic
aa954c1c5d
uci firewall
...
- make uci firewall default and remove old code
- fix up dependencies
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@12284 3c298f89-4303-0410-b956-a3cf2f4a3e73
2008-08-11 22:27:36 +00:00