| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
| |
Properly skip struct ifaddr entries with NULL ifa_addr, thanks Kostas Papadopoulos for reporting.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42138
|
|
|
|
|
|
|
|
|
|
| |
Utilize the new selective conntrack flushing facility to clear
out active conntrack entries referring to old IP addresses after
a firewall reload.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42114
|
|
|
|
|
|
|
|
|
|
|
| |
Properly parse and pass arbritary netmasks to iptables, this allows
specifying ranges like '::c23f:eff:fe7a:a094/::ffff:ffff:ffff:ffff' to
match the host part of an IPv6 address regardless of the currently active
IPv6 prefix.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41760
|
|
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41558
|
|
|
|
|
|
|
|
|
|
| |
The commit 92281eb747b56e748b7c3d754055919c23befdd4 broke fw3_ubus_addresses() so that
no addresses where returned at all, this caused fw3 to not emit NAT reflection rules
anymore.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41556
|
|
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41491
|
|
|
|
|
|
|
|
| |
rules from procd
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 41480
|
|
|
|
| |
SVN-Revision: 41349
|
|
|
|
|
|
| |
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 40510
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 39965
|
|
|
|
|
|
|
|
|
|
|
| |
- Do not consider bitmap storage for IPv6 family sets
- Move ipset family parameter before any additional option
- Only emit family parameter for hash sets
- Do not allow IPv6 iprange for IPv4 sets and vice versa
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 39647
|
|
|
|
|
|
|
|
|
|
|
| |
The firewall3 implementation as well as the shell implementation predating it
used to process the tcp_ecnoption as boolean while it actually is an integer.
Change the code to parse tcp_ecn as integer.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 39122
|
|
|
|
|
|
|
|
|
|
| |
- instead of writing one (or more) ACCEPT rules in the filter table
for each redirect install a global ctstate DNAT accept rule per zone
- discard rules and redirects which have invalid options set instead
of silently skipping the invalid values
SVN-Revision: 38849
|
|
|
|
|
|
|
|
|
|
| |
* Use network.interface dump call instead of individual status calls
to reduce overall netifd lookups and invokes to 1 per fw3 process.
* Allow protocol handlers to assign a firewall zone for an interface
in the data section to allow for dynamic firewall zone assignment.
SVN-Revision: 38504
|
|
|
|
|
|
|
| |
- do not insert duplicate rules when setting up reflection to a zone containing multiple interfaces
- set up reflection for any protocol, not just TCP and UDP
SVN-Revision: 38361
|
|
|
|
|
|
|
| |
- uses "-j CT --notrack" instead of deprecated "-j NOTRACK"
- fixes support for rule sections with target "NOTRACK"
SVN-Revision: 37777
|
|
|
|
|
|
| |
- handles redirects as port relocations if the dest_ip points to the router itself
SVN-Revision: 37374
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 37224
|
|
|
|
| |
SVN-Revision: 37171
|
|
|
|
|
|
| |
- uses custom formatting for mac addresses to ensure leading zeroes, required for older iptables mac match parser
SVN-Revision: 37082
|
|
|
|
|
|
| |
- fixes misprocessing of unknown symbolic protocol names
SVN-Revision: 36963
|
|
|
|
|
|
| |
- fixes calculation of IPv4 netmasks derived from 0.0.0.0/0 CIDRs
SVN-Revision: 36960
|
|
|
|
|
|
| |
- properly process intermediate "!" options in argument list (fixes negated ipsets)
SVN-Revision: 36935
|
|
|
|
|
|
| |
- fixes handling of reject target for rule sections with specific destination zone
SVN-Revision: 36933
|
|
|
|
|
|
|
|
|
| |
- optimizes chain usage for ingress rules
- adds limit match support for redirect rules
- fixes automatic redirect dest detection on little endian systems
- leaves base chains in place on reload to allow user rules to target e.g. "reject"
SVN-Revision: 36871
|
|
|
|
|
|
| |
solves problem with colliding CONFIG_IPV6 symbols
SVN-Revision: 36868
|
|
|
|
|
|
|
| |
- simplifies using ipsets for rules and redirects, match direction can be specified in-place like option ipset 'setname src dst dst'
- uses zone_name_src_ACTION chains for input rules, this fixes logging with log enabled src zones
SVN-Revision: 36854
|
|
|
|
| |
SVN-Revision: 36840
|
|
|
|
| |
SVN-Revision: 36839
|
|
|
|
|
|
| |
head with compatibility fixes for AA
SVN-Revision: 36838
|
|
|
|
| |
SVN-Revision: 36837
|
|
|
|
| |
SVN-Revision: 36622
|
|
|
|
| |
SVN-Revision: 35745
|
|
|
|
|
|
|
|
|
|
|
|
| |
- reduce mssfix related log spam (#10681)
- separate src and dest terminal chains (#11453, #12945)
- disable per-zone custom chains by default, they're rarely used
Additionally introduce options "device", "subnet", "extra", "extra_src" and "extra_dest"
to allow defining zones not related to uci interfaces, e.g. to match "ppp+" or any tcp
traffic to and from a specific port.
SVN-Revision: 35484
|
|
|
|
| |
SVN-Revision: 35348
|
|
|
|
|
|
| |
from leaking out to the internet
SVN-Revision: 35012
|
|
|
|
| |
SVN-Revision: 34569
|
|
|
|
|
|
|
|
| |
- use comment match to keep track of per-network rules
- setup reflection for any interface which is part of a masqueraded zone, not just "wan"
- delete per-network reflection rules if network is brought down
SVN-Revision: 34472
|
|
SVN-Revision: 33688
|