project/firewall3.git
7 years agofirewall3: add fw3_attr_parse_name_type() function
Pierre Lebleu [Thu, 4 May 2017 08:52:53 +0000 (10:52 +0200)]
firewall3: add fw3_attr_parse_name_type() function

Move the name and type parsing out of the rule file
in order to make it reusable by others.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: replace warn_rule() by warn_section()
Pierre Lebleu [Thu, 4 May 2017 08:52:52 +0000 (10:52 +0200)]
firewall3: replace warn_rule() by warn_section()

Replace the wan_rule() by warn_section() in order to
make it reusable by the other section type.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: check the return value of fw3_parse_options()
Pierre Lebleu [Thu, 4 May 2017 08:50:56 +0000 (10:50 +0200)]
firewall3: check the return value of fw3_parse_options()

The return value of fw3_parse_options() should be checked.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agobuild: use -Wno-format-truncation instead of -Wno-error=format-truncation
Felix Fietkau [Tue, 9 May 2017 10:42:37 +0000 (12:42 +0200)]
build: use -Wno-format-truncation instead of -Wno-error=format-truncation

Fixes build error with older gcc

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoutils: replace sprintf use with snprintf to avoid overflows
Felix Fietkau [Thu, 4 May 2017 14:21:17 +0000 (16:21 +0200)]
utils: replace sprintf use with snprintf to avoid overflows

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agobuild: disable the format-truncation warning error to fix gcc 7 build errors
Felix Fietkau [Thu, 4 May 2017 14:17:51 +0000 (16:17 +0200)]
build: disable the format-truncation warning error to fix gcc 7 build errors

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agozones: drop outgoing invalid traffic in masqueraded zones
Jo-Philipp Wich [Sun, 9 Apr 2017 12:35:32 +0000 (14:35 +0200)]
zones: drop outgoing invalid traffic in masqueraded zones

Install conntrack state invalid drop rules to catch outgoing, un-natted
traffic in zones with enabled masquerading.

Also introduce a new option "masq_allow_invalid" it inhibit this new
drop rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agorules: fix UCI context in error reporting
Jo-Philipp Wich [Sun, 9 Apr 2017 13:19:52 +0000 (15:19 +0200)]
rules: fix UCI context in error reporting

Commit e678dcb "Add support for netifd-generated rules" broke the UCI
context reporting for rule warnings. Refactor the code to restore this
functionality.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoubus: fix interface name and proto lookup
Hans Dedecker [Thu, 13 Apr 2017 13:49:04 +0000 (15:49 +0200)]
ubus: fix interface name and proto lookup

Lookup of iface_name and iface_proto in the json data were switched
in fw3_ubus_rules

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agofirewall3: fix handling of UTC times
Jo-Philipp Wich [Wed, 22 Feb 2017 09:46:58 +0000 (10:46 +0100)]
firewall3: fix handling of UTC times

The --utc parameter is deprecated and UTC times are the default now.
To achieve local time, the --kenreltz param has to be passed instead
so invert the logic and swap --utc with --kerneltz.

Fixes #548.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoiptables: support xtables API > 11
Jo-Philipp Wich [Tue, 7 Feb 2017 21:10:19 +0000 (22:10 +0100)]
iptables: support xtables API > 11

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agozones: do not check conntrack state in zone_*_dest_ACCEPT chains
Jo-Philipp Wich [Fri, 13 Jan 2017 17:19:43 +0000 (18:19 +0100)]
zones: do not check conntrack state in zone_*_dest_ACCEPT chains

Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow stream with state NEW
or UNTRACKED.

Remove the ctstate restriction on dest accept chains to properly pass-
through unrelated 3rd party traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoglobal: remove automatic notrack rules
Jo-Philipp Wich [Tue, 29 Nov 2016 11:27:42 +0000 (12:27 +0100)]
global: remove automatic notrack rules

With recent Kernel versions and the introduction of the conntrack routing
cache there is no need to maintain performance hacks in userspace anymore,
so simply drop the generation of automatic -j CT --notrack rules for zones.

This also fixes some cases where traffic is not matched for zones that do
not explicitely enforce connection tracking.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoforwards: properly propagate conntrack flag
Jo-Philipp Wich [Mon, 7 Nov 2016 14:27:49 +0000 (15:27 +0100)]
forwards: properly propagate conntrack flag

In the following topology:

    config zone
      option name A

    config zone
      option name B

    config zone
      option name C
      option conntrack 1

    config forwarding
      option src A
      option dest B

    config forwarding
      option src A
      option dest C

... the conntrack flag needs to be propagated into both zones A and B as well.

Since A is connected with C, A will inherit C's conntrack requirement which
means that B will need to inherit the flag as well since it is connected to A.

The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.

Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: move includes into iptables.c to avoid kernel header clashes
Jo-Philipp Wich [Sun, 6 Nov 2016 18:14:47 +0000 (19:14 +0100)]
iptables: move includes into iptables.c to avoid kernel header clashes

In order to avoid header clashes and redefinition errors in compilation
units which include iptables.h, move all includes into the iptables.c
file and only provide a forward declaration for struct fw3_ipt_rule.

This allows us to hide all xtables specific direct and indirect includes
in order to only expose a clean interface which does not rely on any kernel
header bits.

Within iptables.c, reshuffle the includes and predeclare some guard defines
to allow compilation on both glibc as well as patched and unpatched musl
systems.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agomusl-compat: avoid kernel header conflicts
Ralph Sennhauser [Sun, 6 Nov 2016 09:59:43 +0000 (10:59 +0100)]
musl-compat: avoid kernel header conflicts

The conflict between Musls net/if.h and linux/if.h is an old well known
one and taken care of by a series of linux-headers patches in OpenWrt.
Since Linux 4.8-rc5 Firewall3 also indirectly pulls in linux/in.h and
linux/in6.h leading to new conflicts.

As Firewall3 is fine with just the libc headers prevent inclusion of the
corresponding kernel headers.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
8 years agoiptables: remove usage of xt_id
Jo-Philipp Wich [Sun, 6 Nov 2016 16:18:36 +0000 (17:18 +0100)]
iptables: remove usage of xt_id

Instead of relying on the nonstandard xt_id match, use the xt_comment match
to tag own rules. Any rule with a comment starting with "!fw3" is considered
to be firewall3 internal.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agomain: make failing ubus connection nonfatal
Jo-Philipp Wich [Sun, 6 Nov 2016 15:58:09 +0000 (16:58 +0100)]
main: make failing ubus connection nonfatal

The ubus network runtime information is not strictly required to use firewall3,
so make a failing ubus connection nonfatal.

This allows testing and running firewall3 on an ordinary desktop linux system,
given an appropriate configuration which uses "option device" instead of
"option network" for zone declarations.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: rework extension loader
Jo-Philipp Wich [Sun, 6 Nov 2016 15:47:23 +0000 (16:47 +0100)]
iptables: rework extension loader

Now that we wrap xtables_register_match() and xtables_register_target() we do
not need to load the extensions ourselves anymore since there is no need to
keep the library handles for dlclose().

Switch to libxtables own loader by invoking xtables_find_match() and
xtables_find_target() with XTF_TRY_LOAD .

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: declare _GNU_SOURCE to define RTLD_NEXT
Jo-Philipp Wich [Sun, 6 Nov 2016 14:20:23 +0000 (15:20 +0100)]
iptables: declare _GNU_SOURCE to define RTLD_NEXT

This is required to build firewall3 on non-musl systems.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: optional loading of static extensions
Ralph Sennhauser [Sun, 6 Nov 2016 07:33:37 +0000 (08:33 +0100)]
iptables: optional loading of static extensions

Make loading of static extensions optional to support vanilla iptables
in it's default configuration by setting DISABLE_STATIC_EXTENSIONS
instead of hackery.

In case iptables is built with --disable-static libext.a, libext4.a and
libext6.a which OpenWrt installs in the form of libiptext.so,
libiptext4.so, libiptext6.so to save a couple more bytes are of no use
or non-existent one could say. So this commit avoids requiring a
tampered with iptables.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: stub init_extensions*() instead to reduce amount of ifdefs]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: fix loading standard target
Ralph Sennhauser [Sat, 5 Nov 2016 16:40:38 +0000 (17:40 +0100)]
iptables: fix loading standard target

In case iptables is built with --disable-static xt_standard needs to be
loaded just like the other extensions.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: minor code style change to if/return instead of if/else]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: add support for version 1.6.0
Ralph Sennhauser [Fri, 4 Nov 2016 13:41:10 +0000 (14:41 +0100)]
iptables: add support for version 1.6.0

Account for the struct xtables_globals change and add API version 11 to
the supported APIs.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
8 years agozones: properly handle multiple masq_src / masq_dest negations (FS#248)
Jo-Philipp Wich [Tue, 1 Nov 2016 22:19:24 +0000 (23:19 +0100)]
zones: properly handle multiple masq_src / masq_dest negations (FS#248)

Properly implement masquerade exceptions by using -j RETURN rules to jump out
of the postrouting container chain and only emit the permutated -j MASQUERADE
rules for non-negated addresses.

Fixes FD#248.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: use different approach for managing loadable extensions
Jo-Philipp Wich [Tue, 9 Aug 2016 09:00:45 +0000 (11:00 +0200)]
iptables: use different approach for managing loadable extensions

Since musl libc does not support unloading libraries via dlclose() and since
we should not explicitely call library constructors we need to use an
alternative approach to track the match registrations performed by iptables
shared objects.

This commit changes the iptables glue code to keep a global registry of non-
builtin matches and targets.

We implement the bookkeeping by intercepting xtables_register_match() and
xtables_register_target() calls in order to record any extension registration
attempt performed by a loadable iptables library.

The code subsequently uses the global list of dynamically loaded extensions
to re-register dynamic matches and targets for each address family / table
combination.

As a consequence we can get rid of the lib vector in the iptables handle
and remove the dlclose() handling entirely. This simplifies the
load_extension() as well.

Fixes FS#31.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoutils.h: Avoid name clashes for setbit/delbit/hasbit
Florian Fainelli [Fri, 2 Sep 2016 02:10:15 +0000 (19:10 -0700)]
utils.h: Avoid name clashes for setbit/delbit/hasbit

Rename to fw3_{set,del,has}bit to avoid name clashes with sys/param.h:

/opt/toolchains/stbgcc-4.8-1.5/arm-linux-gnueabihf/sys-root/usr/include/sys/param.h:80:0: note: this is the location of the previous definition
 #define setbit(a,i)     ((a)[(i)/NBBY] |= 1<<((i)%NBBY))

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
8 years agozones: allow untracked traffic as well
Jo-Philipp Wich [Mon, 8 Aug 2016 14:48:47 +0000 (16:48 +0200)]
zones: allow untracked traffic as well

Now that we only allow ctstate NEW traffic by default we also need to
whitelist traffic explicitely marked by --notrack.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agodefaults: disable drop_invalid by default
Jo-Philipp Wich [Mon, 8 Aug 2016 14:25:37 +0000 (16:25 +0200)]
defaults: disable drop_invalid by default

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agozones: restrict default ACCEPT rules to NEW ctstate
Jo-Philipp Wich [Mon, 8 Aug 2016 13:52:28 +0000 (15:52 +0200)]
zones: restrict default ACCEPT rules to NEW ctstate

Restrict the per-zone default accept rules to only accept streams with
conntrack state NEW when drop_invalid is disabled.

This commit hardens the firewall in order to allow disabling drop_invalid
by default since ctstate INVALID also matches desired traffic like IPv6
neighbour discovery messages.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agocmake: Find uci.h
Florian Fainelli [Mon, 11 Jul 2016 19:07:08 +0000 (12:07 -0700)]
cmake: Find uci.h

Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for uci.h. Some
external toolchains which do not include standard locations would fail
to find the header otherwise.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
8 years agotreewide: replace jow@openwrt.org with jo@mein.io
Jo-Philipp Wich [Tue, 7 Jun 2016 12:13:25 +0000 (14:13 +0200)]
treewide: replace jow@openwrt.org with jo@mein.io

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoload running state after lock is acquired
Alin Năstac [Fri, 29 Apr 2016 13:00:01 +0000 (15:00 +0200)]
load running state after lock is acquired

When running "/etc/init.d/firewall reload & fw3 -q restart", the
fw3 instance that handle the reload might try to read the running
state after firewall was stopped by the fw3 instance that does the
restarting. Since a NULL run_state will transform reload operation in
start operation, the resulted iptables chains will contain duplicate
sets of rules.

8 years agoset mark for locally generated traffic in OUTPUT chain
Daniel Golle [Thu, 28 Apr 2016 12:25:02 +0000 (14:25 +0200)]
set mark for locally generated traffic in OUTPUT chain

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
8 years agodefaults.c: remove toplevel_rule struct
Alexandru Ardelean [Wed, 27 Apr 2016 06:16:51 +0000 (09:16 +0300)]
defaults.c: remove toplevel_rule struct

Since commit 60f1444 , this struct is no longer used.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
8 years agodefaults: emit ctstate INVALID drop rules by default
Jo-Philipp Wich [Fri, 29 Jan 2016 17:22:34 +0000 (18:22 +0100)]
defaults: emit ctstate INVALID drop rules by default

Enable the creation of state invalid catch rules by default to prevent
unnatted traffic from leaking onto the wan.

Fixes OpenWrt ticket #21738.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
8 years agoiptables: fix inversion flags
Len White [Fri, 29 Jan 2016 07:10:44 +0000 (02:10 -0500)]
iptables: fix inversion flags

Signed-off-by: Len White <lwhite@nrw.ca>
8 years agoRemove commented code
Jo-Philipp Wich [Sun, 24 Jan 2016 17:07:26 +0000 (18:07 +0100)]
Remove commented code

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
8 years agoUse xt_id match to track own rules
Jo-Philipp Wich [Sun, 24 Jan 2016 16:43:30 +0000 (17:43 +0100)]
Use xt_id match to track own rules

Instead of relying on the delegate_* chains to isolate own toplevel
rules from user supplied ones, use the xt_id match to attach a magic
value to fw3 rules which allows selective cleanup regardless of the
container chain.

Also add an experimental "fw3 gc" call to garbage collect empty chains.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoredirects: only emit REDIRECT rules if dest_ip is unset
Jo-Philipp Wich [Tue, 26 May 2015 12:50:21 +0000 (14:50 +0200)]
redirects: only emit REDIRECT rules if dest_ip is unset

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoRework match initialization
Jo-Philipp Wich [Tue, 26 May 2015 10:29:52 +0000 (12:29 +0200)]
Rework match initialization

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoLink libext dynamically
Jo-Philipp Wich [Tue, 5 May 2015 15:21:22 +0000 (17:21 +0200)]
Link libext dynamically

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoiptables: initialize multiport match
Jo-Philipp Wich [Fri, 22 May 2015 18:18:09 +0000 (20:18 +0200)]
iptables: initialize multiport match

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoubus: allow proto handlers to override device in announced rules
Jo-Philipp Wich [Thu, 21 May 2015 13:04:11 +0000 (15:04 +0200)]
ubus: allow proto handlers to override device in announced rules

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoubus: print rule name when reporting errors
Jo-Philipp Wich [Fri, 17 Apr 2015 14:12:14 +0000 (16:12 +0200)]
ubus: print rule name when reporting errors

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agoubus: store rule origin as comment
Jo-Philipp Wich [Fri, 17 Apr 2015 14:06:39 +0000 (16:06 +0200)]
ubus: store rule origin as comment

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agofirewall3: fix null pointer access when no target is present
Hans Dedecker [Wed, 25 Feb 2015 15:00:56 +0000 (16:00 +0100)]
firewall3: fix null pointer access when no target is present

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
9 years agoredirects: fix possible null pointer access
Jo-Philipp Wich [Tue, 13 Jan 2015 11:46:37 +0000 (12:46 +0100)]
redirects: fix possible null pointer access

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
9 years agofirewall3: fix left shift on 64 bit systems in fw3_bitlen2netmask
Ulrich Weber [Mon, 5 Jan 2015 14:58:34 +0000 (15:58 +0100)]
firewall3: fix left shift on 64 bit systems in fw3_bitlen2netmask

otherwise 0.0.0.0/0 is set as 0.0.0.0/255.255.255.255 on x86_64

Signed-off-by: Ulrich Weber <uw@ocedo.com>
9 years agoredirects: respect src_dip option for reflection rules
Jo-Philipp Wich [Thu, 8 Jan 2015 13:17:16 +0000 (14:17 +0100)]
redirects: respect src_dip option for reflection rules

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agooptions: allow '*' as value for protocols and families
Jo-Philipp Wich [Fri, 19 Sep 2014 18:09:19 +0000 (20:09 +0200)]
options: allow '*' as value for protocols and families

No functional change, just a little bit of consistency with src / dest
specifiers where '*' means 'any' or 'all'. To follow the principle of
least surprise, allow the some for family and protocol options.

  option proto '*' is equivalent to option proto 'all'
  option family '*' is equivalent to option family 'any'

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoutils: rework fw3_bitlen2netmask() IPv6 mask calculation
Jo-Philipp Wich [Thu, 18 Sep 2014 10:09:12 +0000 (12:09 +0200)]
utils: rework fw3_bitlen2netmask() IPv6 mask calculation

The previous code wrote beyound the end of the destination buffer under
certain circumstances, causing possible heap corruptions.

Rewrite the IPv6 mask calculation code to use a safe byte-wise assignment
loop instead of two memset() calls and one byte assignment in the middle.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoredirect: emit -j REDIRECT rules for local port forwards
Jo-Philipp Wich [Wed, 17 Sep 2014 21:57:39 +0000 (23:57 +0200)]
redirect: emit -j REDIRECT rules for local port forwards

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoutils: fix invalid memory access in fw3_bitlen2netmask()
Jo-Philipp Wich [Wed, 17 Sep 2014 17:49:53 +0000 (19:49 +0200)]
utils: fix invalid memory access in fw3_bitlen2netmask()

When fw3_bitlen2netmask() is invoked with a bit length of 128, the next
byte after the end of struct in6_addr is errorneously zeroed, leading to
a heap corruption on at least x86_64 with uclibc and possibly others.

Prevent the invalid writes by explicitely testing for a bit count < 128.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoutils: ifa_addr may be NULL, skip such entries
Jo-Philipp Wich [Mon, 11 Aug 2014 17:42:59 +0000 (19:42 +0200)]
utils: ifa_addr may be NULL, skip such entries

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoSelectively flush conntrack
Jo-Philipp Wich [Wed, 6 Aug 2014 17:00:18 +0000 (19:00 +0200)]
Selectively flush conntrack

Record active IP addresses in firewall state file and trigger
conntrack flush for changed IP addresses on firewall reload.

Additionally trigger a complete flush on the first firewall
start in order to clear out streams which might have bypassed
the masquerading rules.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agozones: make forward policy destination bound
Jo-Philipp Wich [Mon, 21 Jul 2014 14:06:04 +0000 (16:06 +0200)]
zones: make forward policy destination bound

The zone forwarding policy was installed source bound which resulted
in zones with forward accept policy to allow traffic anywhere while
only traffic between the zones network is supposed to be allowed in this
case.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agooptions: fix logic flaw when parsing ipaddr/mask notation
Jo-Philipp Wich [Sat, 19 Jul 2014 12:42:47 +0000 (14:42 +0200)]
options: fix logic flaw when parsing ipaddr/mask notation

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoUse netmasks instead of prefix lengths internally
Jo-Philipp Wich [Fri, 18 Jul 2014 13:43:56 +0000 (15:43 +0200)]
Use netmasks instead of prefix lengths internally

Iptables supports using non-continuous netmasks like FFFF::FFFF which would
match the first and last 16bit of an IPv6 address while ignoring the parts
in between which is useful fordeclaring rules targeting hosts on rotating
prefixes.

Instead of storing parsed netmasks as bitcount internally, use a full mask
which is passed to iptables as-is.

Also support a new shorthand notation "addr/-N" which will construct a mask
that matches the *last* N bits of an address - useful for matching the host
part only of an IPv4 address, e.g.

  option dest_ip '::c23f:eff:fe7a:a094/-64'

This will convert to a netmask of "::ffff:ffff:ffff:ffff".

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoubus: handle attribute access after NULL check in parse_subnets()
Jo-Philipp Wich [Thu, 10 Jul 2014 16:38:35 +0000 (18:38 +0200)]
ubus: handle attribute access after NULL check in parse_subnets()

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoubus: fix fw3_ubus_address()
Jo-Philipp Wich [Thu, 10 Jul 2014 09:15:03 +0000 (11:15 +0200)]
ubus: fix fw3_ubus_address()

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoubus: fix fw3_ubus_device() to only return a pointer if a device was found
Jo-Philipp Wich [Thu, 10 Jul 2014 09:03:13 +0000 (11:03 +0200)]
ubus: fix fw3_ubus_device() to only return a pointer if a device was found

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agooptions: fix fw3_parse_network() when destination pointer is not a list
Jo-Philipp Wich [Thu, 3 Jul 2014 08:52:48 +0000 (10:52 +0200)]
options: fix fw3_parse_network() when destination pointer is not a list

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoubus: add support for fetching firewall rules from procd
Felix Fietkau [Wed, 2 Jul 2014 18:23:10 +0000 (20:23 +0200)]
ubus: add support for fetching firewall rules from procd

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoubus: use blobmsg_parse to validate device attributes and decouple the found device...
Felix Fietkau [Mon, 30 Jun 2014 17:25:25 +0000 (19:25 +0200)]
ubus: use blobmsg_parse to validate device attributes and decouple the found device name from the order in which elements appear

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agomake fw3_ubus_address take a list_head * argument instead of allocating & returning one
Felix Fietkau [Mon, 30 Jun 2014 17:17:53 +0000 (19:17 +0200)]
make fw3_ubus_address take a list_head * argument instead of allocating & returning one

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agouse calloc instead of malloc+memset
Felix Fietkau [Mon, 30 Jun 2014 16:46:08 +0000 (18:46 +0200)]
use calloc instead of malloc+memset

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoubus: use blobmsg_parse to validate data from network.interface:dump
Felix Fietkau [Mon, 30 Jun 2014 16:40:38 +0000 (18:40 +0200)]
ubus: use blobmsg_parse to validate data from network.interface:dump

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoAdd fw3 zone call to list devices in a zone
Steven Barth [Thu, 26 Jun 2014 12:12:51 +0000 (14:12 +0200)]
Add fw3 zone call to list devices in a zone

Signed-off-by: Steven Barth <steven@midlink.org>
10 years agoAdd support for netifd-generated rules
Steven Barth [Sun, 13 Apr 2014 16:48:39 +0000 (18:48 +0200)]
Add support for netifd-generated rules

Signed-off-by: Steven Barth <steven@midlink.org>
10 years agoAdd support for device and direction parameters
Steven Barth [Sun, 13 Apr 2014 16:41:06 +0000 (18:41 +0200)]
Add support for device and direction parameters

Signed-off-by: Steven Barth <steven@midlink.org>
10 years agosnat: add support for connlimiting port-range SNAT
Steven Barth [Mon, 14 Apr 2014 06:49:55 +0000 (08:49 +0200)]
snat: add support for connlimiting port-range SNAT

Signed-off-by: Steven Barth <steven@midlink.org>
10 years agoFix building with newer toolchains
Steven Barth [Sun, 13 Apr 2014 16:33:39 +0000 (18:33 +0200)]
Fix building with newer toolchains

Signed-off-by: Steven Barth <steven@midlink.org>
10 years agosnat: ICMP can be port-natted as well
Steven Barth [Thu, 10 Apr 2014 20:39:42 +0000 (22:39 +0200)]
snat: ICMP can be port-natted as well

Signed-off-by: Steven Barth <steven@midlink.org>
10 years agonat: allow ACCEPT-target to explicitely disable NAT
Steven Barth [Thu, 10 Apr 2014 12:26:57 +0000 (14:26 +0200)]
nat: allow ACCEPT-target to explicitely disable NAT

Signed-off-by: Steven Barth <steven@midlink.org>
10 years agoReapply SNAT/MASQUERADE rules on firewall reloads
Jo-Philipp Wich [Fri, 11 Apr 2014 16:25:37 +0000 (18:25 +0200)]
Reapply SNAT/MASQUERADE rules on firewall reloads

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
10 years agoInitial support for "config nat" rules - this allows configuring zone-independant...
Jo-Philipp Wich [Sun, 6 Apr 2014 20:25:14 +0000 (22:25 +0200)]
Initial support for "config nat" rules - this allows configuring zone-independant SNAT and MASQUERADE rules

10 years agoutils: define _GNU_SOURCE to get clearenv()
Felix Fietkau [Thu, 20 Mar 2014 13:15:12 +0000 (14:15 +0100)]
utils: define _GNU_SOURCE to get clearenv()

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10 years agoSeveral ipset bugfixes
Jo-Philipp Wich [Thu, 20 Feb 2014 23:29:57 +0000 (23:29 +0000)]
Several ipset bugfixes

- Do not consider bitmap storage for IPv6 family sets
- Move ipset family parameter before any additional option
- Only emit family parameter for hash sets
- Do not allow IPv6 iprange for IPv4 sets and vice versa

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
11 years agoChange set_default() to take value as integer, required for tcp_ecn > 1
Jo-Philipp Wich [Tue, 17 Dec 2013 17:58:45 +0000 (17:58 +0000)]
Change set_default() to take value as integer, required for tcp_ecn > 1

11 years agoTreat option tcp_ecn as integer, not bool
Jo-Philipp Wich [Tue, 17 Dec 2013 17:52:34 +0000 (17:52 +0000)]
Treat option tcp_ecn as integer, not bool

11 years agoProperly check strtol() results when paring values as integers
Jo-Philipp Wich [Tue, 17 Dec 2013 17:50:42 +0000 (17:50 +0000)]
Properly check strtol() results when paring values as integers

11 years agoClean up dead code
Jo-Philipp Wich [Mon, 18 Nov 2013 12:51:47 +0000 (12:51 +0000)]
Clean up dead code

11 years agoSkip redirects with invalid options
Jo-Philipp Wich [Mon, 18 Nov 2013 12:37:38 +0000 (12:37 +0000)]
Skip redirects with invalid options

11 years agoSkip rules with invalid options
Jo-Philipp Wich [Mon, 18 Nov 2013 12:37:30 +0000 (12:37 +0000)]
Skip rules with invalid options

11 years agoChange fw3_parse_options() to indicate whether all options where parsed successfully
Jo-Philipp Wich [Mon, 18 Nov 2013 12:36:45 +0000 (12:36 +0000)]
Change fw3_parse_options() to indicate whether all options where parsed successfully

11 years agoUse a global -m conntrack --ctstate DNAT rule to accept all port forwards of a given...
Jo-Philipp Wich [Wed, 6 Nov 2013 23:56:36 +0000 (23:56 +0000)]
Use a global -m conntrack --ctstate DNAT rule to accept all port forwards of a given zone in filter

11 years agoImprove ubus support
Steven Barth [Wed, 23 Oct 2013 10:00:09 +0000 (12:00 +0200)]
Improve ubus support

* Use network.interface dump call instead of individual status calls
  to reduce overall netifd lookups and invokes to 1 per fw3 process.

* Allow protocol handlers to assign a firewall zone for an interface
  in the data section to allow for dynamic firewall zone assignment.

11 years agoUse fw3_ipt_rule_replace() when setting up zone interface rules
Jo-Philipp Wich [Thu, 10 Oct 2013 20:36:08 +0000 (20:36 +0000)]
Use fw3_ipt_rule_replace() when setting up zone interface rules

This avoids duplicate rules in the final ruleset when multiple interfaces,
subnets or devices in a zone specification resolve to the same values.

11 years agoUse fw3_ipt_rule_replace() when setting up reflection
Jo-Philipp Wich [Thu, 10 Oct 2013 19:59:08 +0000 (19:59 +0000)]
Use fw3_ipt_rule_replace() when setting up reflection

This avoids duplicate rules in the final ruleset when the target zone
contains multiple interfaces.

11 years agoAllow any protocol for reflection rules
Jo-Philipp Wich [Thu, 10 Oct 2013 19:38:57 +0000 (19:38 +0000)]
Allow any protocol for reflection rules

11 years agoReorganize chain layout for raw/NOTRACK rules to fix support for custom rules with...
Jo-Philipp Wich [Wed, 14 Aug 2013 14:58:04 +0000 (16:58 +0200)]
Reorganize chain layout for raw/NOTRACK rules to fix support for custom rules with target "NOTRACK"

11 years agoUse "-j CT --notrack" instead of deprecated "-j NOTRACK"
Jo-Philipp Wich [Wed, 14 Aug 2013 14:50:49 +0000 (16:50 +0200)]
Use "-j CT --notrack" instead of deprecated "-j NOTRACK"

11 years agoRevert "Make sure that NOTRACK is linked into firewall3 if it is part of libext*.a"
Jo-Philipp Wich [Wed, 14 Aug 2013 14:46:36 +0000 (16:46 +0200)]
Revert "Make sure that NOTRACK is linked into firewall3 if it is part of libext*.a"

This reverts commit 95cc95c7fec2d68fa8e27cc8e8e4b8dbacababf8.

11 years agoMake sure that NOTRACK is linked into firewall3 if it is part of libext*.a
Jo-Philipp Wich [Wed, 14 Aug 2013 14:30:45 +0000 (16:30 +0200)]
Make sure that NOTRACK is linked into firewall3 if it is part of libext*.a

11 years agoTreat redirects as port redirections if the specified dest_ip belongs to the router...
Jo-Philipp Wich [Tue, 16 Jul 2013 12:12:15 +0000 (14:12 +0200)]
Treat redirects as port redirections if the specified dest_ip belongs to the router itself, this is a compatibility fix to firewall2.

11 years agoProperly dereference struct ether_addr
Jo-Philipp Wich [Sat, 29 Jun 2013 13:25:40 +0000 (15:25 +0200)]
Properly dereference struct ether_addr

11 years agoDo not rely on ether_ntoa() when formatting mac addresses.
Jo-Philipp Wich [Sat, 29 Jun 2013 13:07:29 +0000 (15:07 +0200)]
Do not rely on ether_ntoa() when formatting mac addresses.

The ether_ntoa() in libc does not include leading zeroes in the formatted
address, this causes the address to not get recognized by iptables 1.4.10
which expects a fixed length for mac strings.

11 years agoDon't mistreat unknown protocol names as "any protocol"
Jo-Philipp Wich [Tue, 18 Jun 2013 14:26:11 +0000 (16:26 +0200)]
Don't mistreat unknown protocol names as "any protocol"

11 years agoFix processing of CIDRs with mask 0
Jo-Philipp Wich [Tue, 18 Jun 2013 14:11:56 +0000 (16:11 +0200)]
Fix processing of CIDRs with mask 0

11 years agoFix processing of negated options
Jo-Philipp Wich [Thu, 13 Jun 2013 15:14:07 +0000 (17:14 +0200)]
Fix processing of negated options