project/firewall3.git
Skip rules with invalid options
Jo-Philipp Wich [Mon, 18 Nov 2013 12:37:30 +0000 (12:37 +0000)]

Change fw3_parse_options() to indicate whether all options were parsed successfully
Jo-Philipp Wich [Mon, 18 Nov 2013 12:36:45 +0000 (12:36 +0000)]

Use a global -m conntrack --ctstate DNAT rule to accept all port forwards of a given zone in filter
Jo-Philipp Wich [Wed, 6 Nov 2013 23:56:36 +0000 (23:56 +0000)]

Improve ubus support
Steven Barth [Wed, 23 Oct 2013 10:00:09 +0000 (12:00 +0200)]

* Use network.interface dump call instead of individual status calls
  to reduce overall netifd lookups and invokes to 1 per fw3 process.

* Allow protocol handlers to assign a firewall zone for an interface
  in the data section to allow for dynamic firewall zone assignment.

Use fw3_ipt_rule_replace() when setting up zone interface rules
Jo-Philipp Wich [Thu, 10 Oct 2013 20:36:08 +0000 (20:36 +0000)]

This avoids duplicate rules in the final ruleset when multiple interfaces,
subnets or devices in a zone specification resolve to the same values.

Use fw3_ipt_rule_replace() when setting up reflection
Jo-Philipp Wich [Thu, 10 Oct 2013 19:59:08 +0000 (19:59 +0000)]

This avoids duplicate rules in the final ruleset when the target zone
contains multiple interfaces.

Allow any protocol for reflection rules
Jo-Philipp Wich [Thu, 10 Oct 2013 19:38:57 +0000 (19:38 +0000)]

Reorganize chain layout for raw/NOTRACK rules to fix support for custom rules with target "NOTRACK"
Jo-Philipp Wich [Wed, 14 Aug 2013 14:58:04 +0000 (16:58 +0200)]

Use "-j CT --notrack" instead of deprecated "-j NOTRACK"
Jo-Philipp Wich [Wed, 14 Aug 2013 14:50:49 +0000 (16:50 +0200)]

Revert "Make sure that NOTRACK is linked into firewall3 if it is part of libext*.a"
Jo-Philipp Wich [Wed, 14 Aug 2013 14:46:36 +0000 (16:46 +0200)]

This reverts commit 95cc95c7fec2d68fa8e27cc8e8e4b8dbacababf8.

Make sure that NOTRACK is linked into firewall3 if it is part of libext*.a
Jo-Philipp Wich [Wed, 14 Aug 2013 14:30:45 +0000 (16:30 +0200)]

Treat redirects as port redirections if the specified dest_ip belongs to the router itself, this is a compatibility fix to firewall2.
Jo-Philipp Wich [Tue, 16 Jul 2013 12:12:15 +0000 (14:12 +0200)]

Properly dereference struct ether_addr
Jo-Philipp Wich [Sat, 29 Jun 2013 13:25:40 +0000 (15:25 +0200)]

Do not rely on ether_ntoa() when formatting mac addresses.
Jo-Philipp Wich [Sat, 29 Jun 2013 13:07:29 +0000 (15:07 +0200)]

The ether_ntoa() in libc does not include leading zeroes in the formatted
address, this causes the address to not get recognized by iptables 1.4.10
which expects a fixed length for mac strings.

Don't mistreat unknown protocol names as "any protocol"
Jo-Philipp Wich [Tue, 18 Jun 2013 14:26:11 +0000 (16:26 +0200)]

Fix processing of CIDRs with mask 0
Jo-Philipp Wich [Tue, 18 Jun 2013 14:11:56 +0000 (16:11 +0200)]

Fix processing of negated options
Jo-Philipp Wich [Thu, 13 Jun 2013 15:14:07 +0000 (17:14 +0200)]

Properly handle reject target in rules with specific destination
Jo-Philipp Wich [Thu, 13 Jun 2013 12:46:17 +0000 (14:46 +0200)]

Keep all basic chains on reload and only flush them, this allows user rules to jump to targets like "reject" or "notrack"
Jo-Philipp Wich [Thu, 6 Jun 2013 10:56:18 +0000 (12:56 +0200)]

Fix endian issue in compare_addr(), solves auto detection of "option dest" for redirects on little endian systems
Jo-Philipp Wich [Thu, 6 Jun 2013 10:35:50 +0000 (12:35 +0200)]

For ingress rules, only jump into zone_name_src_ACTION chains if the target is not ACCEPT and if logging is enabled in the src zone, this cuts some overhead
Jo-Philipp Wich [Thu, 6 Jun 2013 09:40:02 +0000 (11:40 +0200)]

Implement limit and limit_burst options for rules.
Jo-Philipp Wich [Thu, 6 Jun 2013 09:37:00 +0000 (11:37 +0200)]

Use zone_name_src_ACTION chain for input rules with non-wildcard source
Jo-Philipp Wich [Wed, 5 Jun 2013 10:49:17 +0000 (12:49 +0200)]

Extend ipset option syntax to support specifying directions in place.
Jo-Philipp Wich [Wed, 5 Jun 2013 10:01:34 +0000 (12:01 +0200)]

Fix wrong signature of fw3_xt_print_matches()
Jo-Philipp Wich [Tue, 4 Jun 2013 11:11:53 +0000 (13:11 +0200)]

Add abstract fw3_xt_print_matches() and fw3_xt_print_target() functions since the output of ->save differs between xtables 5 and 10... sigh
Jo-Philipp Wich [Tue, 4 Jun 2013 10:53:51 +0000 (12:53 +0200)]

Fix wrong chain emitted for zone forward policy, the terminal chain is source, not destination bound.
Jo-Philipp Wich [Tue, 4 Jun 2013 10:12:26 +0000 (12:12 +0200)]

Decouple handle destroying from committing, add fw3_ipt_close() instead
Jo-Philipp Wich [Mon, 3 Jun 2013 16:28:10 +0000 (18:28 +0200)]

Do not let libxtables implicitly load extensions, do it directly from fw3 and track the loaded objects for properly closing when destroying the handle.
Jo-Philipp Wich [Mon, 3 Jun 2013 15:43:06 +0000 (17:43 +0200)]

Make IPv6 support optional
Jo-Philipp Wich [Mon, 27 May 2013 14:50:50 +0000 (16:50 +0200)]

Add abstract fw3_xt_reset() implementation
Jo-Philipp Wich [Mon, 27 May 2013 13:46:15 +0000 (15:46 +0200)]

Dynamically create rules for available libext*.a libraries, clean up rules
Jo-Philipp Wich [Mon, 27 May 2013 11:52:15 +0000 (13:52 +0200)]

Fix compatibility with older libiptc/libip6tc
Jo-Philipp Wich [Mon, 27 May 2013 09:17:06 +0000 (11:17 +0200)]

Only emit different ip family warnings if the ip wasn't automatically resolved
Jo-Philipp Wich [Sun, 26 May 2013 15:22:11 +0000 (17:22 +0200)]

Mark fw3_address objects that got resolved by fw3_parse_network()
Jo-Philipp Wich [Sun, 26 May 2013 15:19:39 +0000 (17:19 +0200)]

Change wording of inferred destination warning for redirects
Jo-Philipp Wich [Sun, 26 May 2013 15:15:47 +0000 (17:15 +0200)]

Replace fw3_free_zone() with the generic implementation
Jo-Philipp Wich [Sun, 26 May 2013 15:13:49 +0000 (17:13 +0200)]

Avoid segfault when freeing rules whose target could not be found
Jo-Philipp Wich [Sun, 26 May 2013 14:22:01 +0000 (16:22 +0200)]

Infer destination zone of DNAT redirects from dest_ip option
Jo-Philipp Wich [Sun, 26 May 2013 14:15:33 +0000 (16:15 +0200)]

Add fw3_resolve_zone_addresses() helper to obtain a list of all subnets covered by a zone
Jo-Philipp Wich [Sun, 26 May 2013 14:02:24 +0000 (16:02 +0200)]

Remove fw3_ubus_address_free() and use fw3_free_list() instead
Jo-Philipp Wich [Sun, 26 May 2013 13:59:53 +0000 (15:59 +0200)]

Add fw3_free_list() helper
Jo-Philipp Wich [Sun, 26 May 2013 13:58:17 +0000 (15:58 +0200)]

Fix output rules with "option dest *"
Jo-Philipp Wich [Sat, 25 May 2013 16:08:20 +0000 (18:08 +0200)]

Allow devices for src_ip, src_dip and dest_ip options
Jo-Philipp Wich [Sat, 25 May 2013 16:00:04 +0000 (18:00 +0200)]

Pass -Wl,--whole-archive and -Wl,--no-whole-archive during linking to avoid duplicate symbol issues with libgcc
Jo-Philipp Wich [Fri, 24 May 2013 11:48:52 +0000 (13:48 +0200)]

Don't leak memory when encountering unknown match or target
Jo-Philipp Wich [Thu, 23 May 2013 12:38:56 +0000 (14:38 +0200)]

Use weak function pointers to call extension init functions, this makes firewall3 independent from the features compiled into iptables
Jo-Philipp Wich [Thu, 23 May 2013 11:32:42 +0000 (13:32 +0200)]

Limit zone names to 14 bytes
Jo-Philipp Wich [Wed, 22 May 2013 14:09:59 +0000 (16:09 +0200)]

Add required ipset declarations for kernels < 3.7
Jo-Philipp Wich [Wed, 22 May 2013 13:56:59 +0000 (15:56 +0200)]

Further fixes for zone reloads
Jo-Philipp Wich [Wed, 22 May 2013 10:09:49 +0000 (12:09 +0200)]

Only perform selective reload if firewall was already running, else do a normal start.
Jo-Philipp Wich [Wed, 22 May 2013 09:55:51 +0000 (11:55 +0200)]

Fix another crash bug if ipsets are supported but none is declared
Jo-Philipp Wich [Tue, 21 May 2013 18:03:13 +0000 (20:03 +0200)]

Fix rules for custom filter chains
Jo-Philipp Wich [Tue, 21 May 2013 14:44:47 +0000 (16:44 +0200)]

Do not print to pipe or close command if nothing was executed
Jo-Philipp Wich [Tue, 21 May 2013 14:43:56 +0000 (16:43 +0200)]

Add missing libip6t_REJECT initialization
Jo-Philipp Wich [Fri, 17 May 2013 14:38:44 +0000 (16:38 +0200)]

Only initialize extensions we actually use
Jo-Philipp Wich [Fri, 17 May 2013 14:32:42 +0000 (16:32 +0200)]

Wait for ipsets to appear before continuing
Jo-Philipp Wich [Fri, 17 May 2013 13:17:48 +0000 (15:17 +0200)]

Restore iptables-save include functionality
Jo-Philipp Wich [Thu, 16 May 2013 20:34:49 +0000 (22:34 +0200)]

Also add comments for unnamed rules
Jo-Philipp Wich [Thu, 16 May 2013 20:24:20 +0000 (22:24 +0200)]

Only process selected family for print
Jo-Philipp Wich [Thu, 16 May 2013 20:15:27 +0000 (22:15 +0200)]

Include iptables command and table name in iptables debug output
Jo-Philipp Wich [Thu, 16 May 2013 20:05:19 +0000 (22:05 +0200)]

Add debug prints for policy setting, don't commit ruleset in print mode
Jo-Philipp Wich [Thu, 16 May 2013 19:46:51 +0000 (21:46 +0200)]

Rename struct fw3_rule_spec to struct fw3_chain_spec and move the declaration to options.h
Jo-Philipp Wich [Thu, 16 May 2013 19:26:56 +0000 (21:26 +0200)]

Remove now unused fw3_pr_rulespec()
Jo-Philipp Wich [Thu, 16 May 2013 19:25:15 +0000 (21:25 +0200)]

Remove now unused fw3_format_*() functions
Jo-Philipp Wich [Thu, 16 May 2013 19:23:49 +0000 (21:23 +0200)]

Drop iptables-restore and create rules through libiptc and libxtables
Jo-Philipp Wich [Tue, 14 May 2013 22:04:33 +0000 (00:04 +0200)]

Use libiptc to clear current ruleset
Jo-Philipp Wich [Mon, 13 May 2013 17:47:12 +0000 (19:47 +0200)]

Force fsync() after writing statefile
Jo-Philipp Wich [Wed, 8 May 2013 13:12:13 +0000 (15:12 +0200)]

Make reload atomic
Jo-Philipp Wich [Wed, 8 May 2013 12:47:48 +0000 (14:47 +0200)]

Family "any" is not applicable to ipsets, default to v4 and disallow "any"
Jo-Philipp Wich [Mon, 6 May 2013 13:10:28 +0000 (15:10 +0200)]

Simplify ipset external checks and optionally initialize ipset name from external value
Jo-Philipp Wich [Thu, 2 May 2013 15:43:32 +0000 (17:43 +0200)]

Check whether ipset exists before referencing it in rules or redirects
Jo-Philipp Wich [Thu, 2 May 2013 14:44:50 +0000 (16:44 +0200)]

Record device-network relation in state file, fix zone hotplug events
Jo-Philipp Wich [Thu, 2 May 2013 13:26:47 +0000 (15:26 +0200)]

Record default policies in state file
Jo-Philipp Wich [Tue, 30 Apr 2013 19:33:37 +0000 (21:33 +0200)]

Store ipset storage method and matches in state file, keep iprange and ports if set
Jo-Philipp Wich [Tue, 30 Apr 2013 19:18:15 +0000 (21:18 +0200)]

Send quit command in fw3_destroy_ipsets() and initialize ipset objects with enabled = true
Jo-Philipp Wich [Tue, 30 Apr 2013 19:03:34 +0000 (21:03 +0200)]

Don't track family of ipsets
Jo-Philipp Wich [Tue, 30 Apr 2013 18:59:35 +0000 (20:59 +0200)]

Fix parsing of ipset datatypes
Jo-Philipp Wich [Tue, 30 Apr 2013 18:26:44 +0000 (20:26 +0200)]

Track ipsets in state file
Jo-Philipp Wich [Tue, 30 Apr 2013 18:09:20 +0000 (20:09 +0200)]

Write statefile flags in hexadecimal format
Jo-Philipp Wich [Tue, 30 Apr 2013 18:05:35 +0000 (20:05 +0200)]

Allow hex notation in int type options
Jo-Philipp Wich [Tue, 30 Apr 2013 18:03:14 +0000 (20:03 +0200)]

Add common fw3_address_to_string() helper function
Jo-Philipp Wich [Tue, 30 Apr 2013 17:56:39 +0000 (19:56 +0200)]

Remove references to unused FW3_FLAG_DELETED flag
Jo-Philipp Wich [Tue, 30 Apr 2013 17:40:41 +0000 (19:40 +0200)]

Remove unused "running" argument from fw3_lookup_ipset()
Jo-Philipp Wich [Tue, 30 Apr 2013 17:40:04 +0000 (19:40 +0200)]

Remove unused "running" argument from fw3_lookup_zone()
Jo-Philipp Wich [Tue, 30 Apr 2013 17:34:37 +0000 (19:34 +0200)]

Split runtime and config states, store runtime state in UCI format
Jo-Philipp Wich [Sat, 27 Apr 2013 15:20:56 +0000 (17:20 +0200)]

Add support for fwmark matches and targets
Jo-Philipp Wich [Fri, 5 Apr 2013 14:02:31 +0000 (16:02 +0200)]

Increase compatibility to old firewall by initializing protocol of rules and redirects to tcp+udp if not specified
Jo-Philipp Wich [Fri, 22 Mar 2013 15:27:34 +0000 (16:27 +0100)]

Fix parsing of '*' device and 'all' protocol value
Jo-Philipp Wich [Fri, 22 Mar 2013 14:07:14 +0000 (15:07 +0100)]

Fix DNAT port remapping rules by not emitting 0.0.0.0 in --to-destination
Jo-Philipp Wich [Thu, 21 Mar 2013 14:17:47 +0000 (15:17 +0100)]

Properly handle deleted zones and ipsets on restarts
Jo-Philipp Wich [Tue, 19 Mar 2013 15:00:51 +0000 (16:00 +0100)]

Accept network names in per-zone subnet option
Jo-Philipp Wich [Tue, 19 Mar 2013 13:48:03 +0000 (14:48 +0100)]

Also read addresses from "ipv6-prefix-assignment" ifstatus table
Jo-Philipp Wich [Tue, 19 Mar 2013 12:21:41 +0000 (13:21 +0100)]

Rework option parsing to support emitting multiple values from within a parse handler
Jo-Philipp Wich [Mon, 18 Mar 2013 18:20:22 +0000 (19:20 +0100)]

Implement support for "network" datatype and use it for masq_src / masq_dest
Jo-Philipp Wich [Mon, 18 Mar 2013 15:38:33 +0000 (16:38 +0100)]

Do not accept option src_mac for SNAT rules
Jo-Philipp Wich [Mon, 18 Mar 2013 14:55:11 +0000 (15:55 +0100)]

Consolidate and unify argument order for functions
Jo-Philipp Wich [Thu, 14 Mar 2013 15:07:41 +0000 (16:07 +0100)]

Only perform locking for start, stop, restart, reload and flush operations, this allows using fw3 network and fw3 device in includes
Jo-Philipp Wich [Thu, 14 Mar 2013 14:21:18 +0000 (15:21 +0100)]

Implement reload option for includes to decide whether includes should get reloaded on firewall reloads (useful when they tap into internal chains)
Jo-Philipp Wich [Thu, 14 Mar 2013 13:48:37 +0000 (14:48 +0100)]

Make nat reflection src address configurable by introducing a reflection_src parameter which can be set to "external" or "internal"
Jo-Philipp Wich [Wed, 13 Mar 2013 15:25:56 +0000 (16:25 +0100)]