- introduce per-section "option enabled" which defaults to "1" - useful to disable rules or zones without having to delete them
- annotate default traffic rules with names
- bump version
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29577 3c298f89-4303-0410-b956-a3cf2f4a3e73
- solve scoping issues when multiple values are used, thanks Daniel Dickinson
- ignore src_port/dest_port for proto icmp rules, ignore icmp_type for non-icmp rules
- properly handle icmp when proto is given in numerical form (1, 58)
- support negated icmp types
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27500 3c298f89-4303-0410-b956-a3cf2f4a3e73
- allow multiple ports, protocols, macs, icmp types per rule
- implement "limit" and "limit_burst" options for rules
- implement "extra" option to rules and redirects for passing arbitrary flags to iptables
- implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options
- allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination
- validate symbolic icmp-type names against the selected iptables binary
- properly handle forwarded ICMPv6 traffic in the default configuration
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27317 3c298f89-4303-0410-b956-a3cf2f4a3e73
- support negations for src_ip, dest_ip, src_dip options in rules and redirects
- add NOTRACK target to rule sections, allows defining fine-grained notrack rules
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23141 3c298f89-4303-0410-b956-a3cf2f4a3e73
- simplify masquerade rule setup
- remove various subshell invocations
- speed up fw() by not relying on xargs and pipes
- rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23024 3c298f89-4303-0410-b956-a3cf2f4a3e73
- handle NAT reflection in firewall hotplug, solves synchronization issues on boot
- introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22888 3c298f89-4303-0410-b956-a3cf2f4a3e73
- fix processing of rules with an ip family option
- append interface rules at the end of internal zone chains, simplifies injecting user or addon rules
- support simple file logging (option log + option log_limit per zone)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22847 3c298f89-4303-0410-b956-a3cf2f4a3e73
- notrack support was broken in multiple ways, fix it
- also consider a zone conntracked if any redirect references it (#7196)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22215 3c298f89-4303-0410-b956-a3cf2f4a3e73
- fix ip6tables rules when icmp_type option is set
- add "family" option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21508 3c298f89-4303-0410-b956-a3cf2f4a3e73
- partially revert r21486, start firewall on init again
- skip iface hotplug events if base fw is not up yet
- get ifname and up state with uci_get_state() in iface setup since the values gathered by scan_interfaces() may be outdated when iface coldplugging happens (observed with pptp)
- ignore up state when bringing down interfaces because ifdown reverts state vars before dispatching the iface event
- bump package revision
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21502 3c298f89-4303-0410-b956-a3cf2f4a3e73
- defer firewall start until the first interface is brought up by hotplug, fixes race conditions on slow devices
- create a file lock during firewall start and wait for it in hotplug events, prevents race conditions between start and addif
- start firewall actions in background from hotplug handler since the firewall itself fires further hotplug events which results in a deadlock if not forked off
- get loaded state directly from the uci binary since the updated value is not recognized by config_get after uci_set_state
- bump package revision to r2
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21486 3c298f89-4303-0410-b956-a3cf2f4a3e73