project/firewall3.git
3 years agofirewall3: fix duplicate defaults section detection
Rui Salvaterra [Sun, 18 Oct 2020 22:28:58 +0000 (23:28 +0100)]
firewall3: fix duplicate defaults section detection

The flag was initialised and tested, but actually never set when a duplicate
section was found.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
3 years agoipsets: allow blank/commented lines with loadfile
Daniel Harding [Tue, 27 Oct 2020 06:27:01 +0000 (09:27 +0300)]
ipsets: allow blank/commented lines with loadfile

When loading ipset files using the loadfile option, skip blank lines and
lines that start with '#' (disregarding any leading whitespace).

Signed-off-by: Daniel Harding <dharding@living180.net>
4 years agofw3: zones: limit zone names to 11 bytes
Alexey Dobrovolsky [Sun, 30 Aug 2020 21:10:09 +0000 (00:10 +0300)]
fw3: zones: limit zone names to 11 bytes

As defined in currently used iptables v1.8.4, chain name must be
under 29 chars. Thus, user can only edit 11 chars.

See also the bugreport [0].

[0] https://dev.archive.openwrt.org/ticket/20380

Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
[improve commit description, move length calculation information to src]
Signed-off-by: David Bauer <mail@david-bauer.net>
4 years agooptions: fix parsing of boolean attributes
Remi NGUYEN VAN [Sat, 15 Aug 2020 04:50:27 +0000 (13:50 +0900)]
options: fix parsing of boolean attributes

Boolean attributes were parsed the same way as string attributes,
so a value of { "bool_attr": "true" } would be parsed correctly, but
{ "bool_attr": true } (without quotes) was parsed as false.

Fixes FS#3284

Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
4 years agozones: apply tcp mss clamping also on ingress path
Yousong Zhou [Fri, 24 Jul 2020 04:52:59 +0000 (12:52 +0800)]
zones: apply tcp mss clamping also on ingress path

Fixes FS#3231

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
4 years agoredirects: fix segmentation fault
Alin Nastac [Thu, 7 May 2020 11:14:06 +0000 (13:14 +0200)]
redirects: fix segmentation fault

Fixes 9d7f49df47ad ("redurects: add support to define multiple zones for dnat reflection rules")

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
4 years agotreewide: replace unsafe string functions
Jo-Philipp Wich [Wed, 27 May 2020 20:23:23 +0000 (22:23 +0200)]
treewide: replace unsafe string functions

Replace sprintf(), strncpy() etc. with safer variants that perform bounds
checking on the target buffer. Also rework unsafe `p += sprintf(p, ....)`
code to properly handle error cases.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-May/023363.html
Suggested-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agoimprove reload logic
Jo-Philipp Wich [Tue, 2 Jun 2020 17:37:09 +0000 (19:37 +0200)]
improve reload logic

 - Purge chains in two phases, first flush rules, then delete chains
 - Create missing zone user chains during reload
 - Keep used chains on reload to avoid removing user rules

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agoredurects: add support to define multiple zones for dnat reflection rules
Anton Engelhardt [Fri, 14 Sep 2018 17:31:15 +0000 (19:31 +0200)]
redurects: add support to define multiple zones for dnat reflection rules

Added new config option for redirect, which accepts a list of zones from
which reflection rules shall be created.

Example:
zones: wan lan devices servers

config redirect
...
        option target 'DNAT'
        option src 'wan'
        option dest 'servers'
        option proto 'tcp'
        option src_dport '443'
        option dest_port '443'
        option name 'HTTPS'
        option reflection_src 'extern'
...

Old behaviour would only add a reflection rule from the servers zone.

By adding a config `option reflection_zones 'lan devices servers'`,
reflection rules will get added for all and only the given zones.

Not setting that option results in the old behaviour of using the
DNAT destination zone for reflection rules.

Tested on x86 master and 18.06.

Signed-off-by: Anton Engelhardt <engelhardt.anton@gmail.com>
[reword commit message, align code style, avoid temporary list,
 singular option name]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agofirewall3: defaults: fix uci flow_offloading option
WangYanlong [Fri, 13 Mar 2020 12:29:27 +0000 (12:29 +0000)]
firewall3: defaults: fix uci flow_offloading option

Fixes 7cc2a84 ("defaults: robustify flow table detection.")

7cc2a84 made disabling flow_offloading impossible.
This is to fix the buggy behavior.

Signed-off-by: Yanlong Wang <yanlong.wang@naiver.org>
[move variable declaration to the top, remove braces from conditional]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agorules: fix typo
Yousong Zhou [Tue, 3 Mar 2020 06:32:47 +0000 (14:32 +0800)]
rules: fix typo

Fixes d596f728e9 ("rules: fix UCI context in error reporting")

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
4 years agodefaults: robustify flow table detection.
Rui Salvaterra [Fri, 24 Jan 2020 15:56:32 +0000 (15:56 +0000)]
defaults: robustify flow table detection.

The flow table detection fails if the respective target module is
built into the kernel, since it's looking for the module itself.

Create a generic helper and instead check for existence of the
FLOWOFFLOAD target in /proc/net/ip_tables_targets.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years agoutils: persist effective extra_src and extra_dest options in state file
Jo-Philipp Wich [Fri, 22 Nov 2019 17:51:22 +0000 (18:51 +0100)]
utils: persist effective extra_src and extra_dest options in state file

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years agozones: fix emitting match rules for zones with only "extra" options
Jo-Philipp Wich [Fri, 22 Nov 2019 17:23:16 +0000 (18:23 +0100)]
zones: fix emitting match rules for zones with only "extra" options

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years agoutils: fix resource leak
Hans Dedecker [Mon, 23 Sep 2019 19:16:20 +0000 (21:16 +0200)]
utils: fix resource leak

Fix resource leak in fw3_lock_path in case flock fails

Detected by Coverity in CID 1453962

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
5 years agoubus: do not overwrite ipset name attribute
Jo-Philipp Wich [Wed, 18 Sep 2019 08:31:06 +0000 (10:31 +0200)]
ubus: do not overwrite ipset name attribute

When importing ipset definitions from published ubus data, do not
overwrite the name attribute with an autogenerated string like it
is being done for rules or redirects.

Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
5 years agofirewall3: fix typo that affects ICMPv6 rules with numeric icmp_type
Alin Nastac [Tue, 10 Sep 2019 14:15:13 +0000 (16:15 +0200)]
firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type

Problem can be reproduced with a rule like this:
   option src 'wan'
   option family 'ipv6'
   option proto 'icmp'
   option icmp_type '128'
   option target 'DROP'
The resulted rule will set --icmpv6-type to 128/255.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
5 years agoutils: Fix string format message
Hauke Mehrtens [Sun, 8 Sep 2019 16:28:52 +0000 (18:28 +0200)]
utils: Fix string format message

Fix the format string to match the size_t type, this fixes a build
problem on 64 bit platforms.

Fixes: 4d0c703e750c ("firewall3: Fix some format string problems")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5 years agofirewall3: Fix some format string problems
Hauke Mehrtens [Mon, 2 Sep 2019 20:27:35 +0000 (22:27 +0200)]
firewall3: Fix some format string problems

This adds annotations for the format strings to the print functions and
fixes the newly found problems. One of them is a format security
problem.

Coverity: #1412532
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5 years agoiptables.c: lock the xtables.lock
Alexander Couzens [Fri, 17 May 2019 09:14:46 +0000 (11:14 +0200)]
iptables.c: lock the xtables.lock

When using fw3 together with other applications or scripts a race
conditions might occur. When fw3 is preparing the new tables, another
application can use the executable `iptables` which modifies the
kernel-tables.  libxtables will notify this and fails when fw3 is
committing the changes resulting in a failed firewall.

Now waits in a while loop until the lock is gone, activate the lock
itself and applies changes.

To reproduce the bug the following two scripts should run in parrallel,
after a few seconds the latter stop and leaves a broken firewall:

    while true; do iptables -N locking; done

and

    while [ "$(iptables -w -L OUTPUT | wc -l)" -gt 2 ]; do fw3 reload; done

The following message will appear

        Warning: iptc_commit(): Resource temporarily unavailable

and connectivity is gone.

Tested in an LXC and Qemu container.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
[fixed waiting for unlock and commit message]
Signed-off-by: Paul Spooren <mail@aparcar.org>
5 years agoutils: implement fw3_lock_path() & fw3_unlock_path()
Alexander Couzens [Fri, 17 May 2019 09:14:45 +0000 (11:14 +0200)]
utils: implement fw3_lock_path() & fw3_unlock_path()

To lock a second lock file at the same time, introduce fw3_{un,}lock_path.
fw3_lock_path support the path as parameter in difference to fw3_lock which
only locks the fw3 lock file (/var/run/fw3.lock)

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
5 years agofirewall3: ipset: Handle reload_set properly
Kristian Evensen [Mon, 19 Aug 2019 12:45:57 +0000 (14:45 +0200)]
firewall3: ipset: Handle reload_set properly

The reload_set option was added in commit 509e673dab01 ("firewall3:
Improve ipset support"), and the purpose of the option is to control if
a set should be flushed or not on a firewall reload.

In some cases, the option unfortunately does not work properly. I had
fixed the errors locally, but failed to submit a v2 of "Improve ipset
support". This patch contains my local fixes, and after the following
changes are applied then the option (as well as ipset support) works as
at least I expect.

The following errors have been fixed:

* "family" was not written to the state file, causing all sets read from
this file was considered as ipv4. Save family to ensure that sets are
handled correctly on firewall reload.

* The default value of "reload_set" is false, meaning that the
reload-check in "fw3_create_ipsets()" is always true (on reload). A
consequence of this is that new sets are never created on firewall
reload. In order to ensure that new sets are created, only consider
"reload_set" if the set exists. If a set (from configuration) does not
exist, we always want to create it.

* On reload and before "fw3_destroy_ipsets()" are called, we need to
update run_state to ensure that sets are updated correctly. We need to
check if the sets in run_state is found in cfg_state, if not the set
should be destroyed (done by forcing reload_set to true). If the set is
found, then we copy the value of reload_set to the set in run_state so
that the elements are updated as the user expects.

Since we now always copy the value of reload_set from cfg_state, there
is no need to write reload_set to run_state.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
5 years agofirewall3: Improve ipset support
Kristian Evensen [Wed, 6 Feb 2019 20:21:51 +0000 (21:21 +0100)]
firewall3: Improve ipset support

This patch is an attempt at improving the ipset support in firewall3.
The following changes have been made:

* The enabled option did not work properly for ipsets, as it was not
checked on create/destroy of a set. After this commit, sets are only
created/destroyed if enabled is set to true.

* Add support for reloading, or recreating, ipsets on firewall reload.
By setting "reload_set" to true, the set will be destroyed and then
re-created when the firewall is reloaded. My use-case for "reload_set"
was to reset sets populated by dnsmasq, without having to restart the
firewall or resort to scripts.

* Add support for the counters and comment extensions. By setting
"counters" or "comment" to true, then counters or comments are added to
the set.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
re-ordered additional variables
dropped enum OPT_COMMENT & OPT_COUNTERS as unused
implemented exponential delay whilst waiting for ipset deletion/creation
fixed delays made firewall unresponsive for too long on reloads
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
5 years agoutils: coverity resource leak warning
Kevin Darbyshire-Bryant [Wed, 12 Jun 2019 15:38:39 +0000 (17:38 +0200)]
utils: coverity resource leak warning

solve coverity reported resource leak (socket handle)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
5 years agozones: add zone identifying local traffic in raw OUTPUT chain
Hans Dedecker [Thu, 6 Dec 2018 14:44:57 +0000 (15:44 +0100)]
zones: add zone identifying local traffic in raw OUTPUT chain

Add zone chains identifying local generated traffic; either by configuring
a loopback device or as subnet a loopback address; in the raw OUTPUT chain
as local generated traffic is passing this chain.
This allows helpers to be used for local generated traffic.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
5 years agoutils: Free args in __fw3_command_pipe()
Hauke Mehrtens [Wed, 19 Dec 2018 09:40:07 +0000 (10:40 +0100)]
utils: Free args in __fw3_command_pipe()

args was not freed after leaving this function.

Fixes Coverity issue 1412470 Resource leak

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Jo-Philipp Wich <jo@mein.io>
5 years agooptions: redirects: Fix possible buffer overflows
Hauke Mehrtens [Wed, 19 Dec 2018 09:34:08 +0000 (10:34 +0100)]
options: redirects: Fix possible buffer overflows

This fixes two possible situations where strncpy() produces a not null
terminated buffer.

Coverity IDs:
1412247 Buffer not null terminated
1412279 Buffer not null terminated

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Jo-Philipp Wich <jo@mein.io>
5 years agoredirects: properly handle src_dport in SNAT rules
Hans Dedecker [Thu, 6 Dec 2018 17:03:06 +0000 (18:03 +0100)]
redirects: properly handle src_dport in SNAT rules

In case of SNAT rules the src_dport parameter is used both as a rewrite
parameter as well as a matching parameter which is not the expected
behavior.
The latter is caused by port_redir being set to src_dport in case dest_port
parameter is not.
As this logic is in place to mimic the old shell script based firewall
behavior for DNAT only set port_redir in case the redirect rule is
a DNAT rule.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
6 years agodefaults: fix check_kmod() function
Jo-Philipp Wich [Mon, 13 Aug 2018 11:58:22 +0000 (13:58 +0200)]
defaults: fix check_kmod() function

Fixes 06fa692 ("defaults: use a generic check_kmod() function")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agodefaults: use a generic check_kmod() function
Joe Holden [Fri, 13 Jul 2018 15:44:39 +0000 (16:44 +0100)]
defaults: use a generic check_kmod() function

Rather than having functions for check_offloading() et al, replace it with a
generic function.

Signed-off-by: Joe Holden <jwh@zorins.co.uk>
6 years agoAdd support for DSCP matches and target
Jo-Philipp Wich [Fri, 3 Aug 2018 20:29:59 +0000 (22:29 +0200)]
Add support for DSCP matches and target

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoubus: avoid dumping interface state with NULL message
Jo-Philipp Wich [Thu, 26 Jul 2018 06:02:01 +0000 (08:02 +0200)]
ubus: avoid dumping interface state with NULL message

Invoking ubus methods with NULL message is not supported anymore, so
make sure that network.interface/dump is called with an empty blob buffer
argument.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agofirewall3: make reject types selectable by user
Alin Nastac [Thu, 12 Jul 2018 08:36:02 +0000 (10:36 +0200)]
firewall3: make reject types selectable by user

RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
6 years agofirewall3: Fix GCC8 warnings by replacing sprintf with snprintf
Rosen Penev [Thu, 21 Jun 2018 23:09:56 +0000 (16:09 -0700)]
firewall3: Fix GCC8 warnings by replacing sprintf with snprintf

error: ‘%u’ directive writing between 1 and 10 bytes into a region of size
between 7 and 11 [-Werror=format-overflow=]
sprintf(buf, "%u-%u", port->port_min, port->port_max);
                 ^~
note: directive argument in the range [0, 2147483647]
sprintf(buf, "%u-%u", port->port_min, port->port_max);
             ^~~~~~~
note: ‘sprintf’ output between 4 and 17 bytes into a destination of size
13
sprintf(buf, "%u-%u", port->port_min, port->port_max);

Signed-off-by: Rosen Penev <rosenp@gmail.com>
6 years agozones: add interface/subnet bound LOG rules
Jo-Philipp Wich [Sat, 19 May 2018 18:36:44 +0000 (20:36 +0200)]
zones: add interface/subnet bound LOG rules

Emit LOG rules bound to the source/destination device or subnet to match the
same traffic handled by the terminal REJECT/DROP rules.

This fixes superflous logging of unrelated traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agooptions: treat time strings as UTC times
Jo-Philipp Wich [Thu, 12 Apr 2018 08:51:51 +0000 (10:51 +0200)]
options: treat time strings as UTC times

When parsing user supplied time strings, calculate an UTC time instant by
substracting the current zone offset from the result of mktime(3), then use
gmtime_r(3) to turn the time_t value back into a sanitized time structure.

This ensures that user supplied dates are not interpreted as local time.

Fixes FS#1483.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agohelpers: fix the set_helper in the rule structure
Pierre Lebleu [Wed, 9 May 2018 07:58:59 +0000 (09:58 +0200)]
helpers: fix the set_helper in the rule structure

The set_helper field has to be set by set_helper and not helper.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
6 years agohelpers.conf: support also tcp in the CT sip helper
Pierre Lebleu [Mon, 7 May 2018 14:17:17 +0000 (16:17 +0200)]
helpers.conf: support also tcp in the CT sip helper

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
6 years agohelpers: make the proto field as a list rather than one option
Pierre Lebleu [Mon, 7 May 2018 14:17:16 +0000 (16:17 +0200)]
helpers: make the proto field as a list rather than one option

The field proto in the struct fw3_cthelper should be implemented
as a list in order to support multiple protocols.

For example, the helper for SIP should be able to support both
TCP and UDP within only one entry in the config file.

config helper
        option name 'sip'
        option description 'SIP VoIP connection tracking'
        option module 'nf_conntrack_sip'
        option family 'any'
        option proto 'tcpudp'
        option port '5060'

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
6 years agodefaults: add support for setting --hw on the xt_FLOWOFFLOAD rule
Felix Fietkau [Thu, 5 Apr 2018 12:44:40 +0000 (14:44 +0200)]
defaults: add support for setting --hw on the xt_FLOWOFFLOAD rule

Enables hardware offload support where supported

Signed-off-by: Felix Fietkau <nbd@nbd.name>
6 years agohelpers.conf: add CT rtsp helper
Hans Dedecker [Tue, 20 Mar 2018 20:45:47 +0000 (21:45 +0100)]
helpers.conf: add CT rtsp helper

Add rtsp conntrack helper listening on IPv4 tcp port 554

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
6 years agoReword rule comments
Jo-Philipp Wich [Tue, 13 Mar 2018 14:54:49 +0000 (15:54 +0100)]
Reword rule comments

Reword various rule comments to be more explicit and also annotate the flow
offloading rule while we're at it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agodefaults: add support for xt_FLOWOFFLOAD rule
Jo-Philipp Wich [Tue, 13 Mar 2018 14:45:38 +0000 (15:45 +0100)]
defaults: add support for xt_FLOWOFFLOAD rule

Introduce a new defaults section option "flow_offloading" which,
when enabled, causes fw3 to emit a -j FLOWOFFLOAD rule in the
forwarding chain.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoipsets: add support for specifying entries
Jo-Philipp Wich [Sat, 10 Mar 2018 12:45:44 +0000 (13:45 +0100)]
ipsets: add support for specifying entries

Introduce a new list option "entry" which can be used to specify entries
to add to the ipset, e.g.

    config ipset
      option name test
      ...
      list entry 1.2.3.4,8080
      list entry 5.6.7.8,8081

Also introduce a new option "loadfile" which refers to an external file
containing set entries to add, with one item per line.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoiptables: fix possible NULL pointer access on constructing rule masks
Jo-Philipp Wich [Fri, 2 Mar 2018 10:36:39 +0000 (11:36 +0100)]
iptables: fix possible NULL pointer access on constructing rule masks

Due to a misplaced parenthesis, rule_mask() may try to access
r->target->userspacesize through a r->target NULL pointer.

Fix this problem by correcting the parenthesis placement in the memset
expression, using the originally intented operator precedence.

Spotted in the cz.nic fork of firewall3.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agozones: allow per-table log control
Stijn Tintel [Mon, 26 Feb 2018 22:06:03 +0000 (23:06 +0100)]
zones: allow per-table log control

When enabling logging for a zone, logging is enabled in the filter and
mangle tables. The log rule in the mangle table enables mtu_fix logging,
which has the tendency to flood logs. Allow per-table log control by
making the log boolean a bit field that can be used to enabled logging
in the filter and/or mangle tables.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
6 years agohelpers: implement explicit CT helper assignment support
Jo-Philipp Wich [Mon, 19 Feb 2018 17:16:26 +0000 (18:16 +0100)]
helpers: implement explicit CT helper assignment support

Implement support for explicit per-zone conntrack helper assignment in
the raw table in order to compensate for the now disabled automatic
helper assignment in recent Linux kernels.

This commit adds, along with the required infrastructure, a new per-
zone uci option "helper" which can be used to tie one or more CT helpers
to a given zone.

For example the following configuration:

    config zone
      option name lan
      option network lan
      list helper ftp
      list helper sip

... will assign the FTP and SIP conntrack helpers as specified in
/usr/share/fw3/helpers.conf to traffic originating from the LAN zone.

Additionally, a new boolean option "auto_helper" has been defined for
both "config defaults" and "config zone" sections, with the former
option overruling the latter.

When the default true "option auto_helper" is set, all available helpers
are automatically attached to each non-masq zone (i.e. "lan" by default).

When one or more "list helper" options are specified, the zone has
masquerading enabled or "auto_helper" is set to false, then the automatic
helper attachment is disabled for the corresponding zone.

Furthermore, this commit introduces support for a new 'HELPER' target in
"config rule" sections, along with "option helper" to match helper traffic
and "option set_helper" to assign CT helpers to a stream.

Finally, "config redirect" sections support "option helper" too now,
which causes fw3 to emit helper setting rules for forwarded DNAT traffic.

When "option helper" is not defined for a redirect and when the global
option "auto_helper" is not disabled, fw3 will pick a suitable helper
based on the destination protocol and port and assign it to DNATed traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agozones: disable masq when resolving of all masq_src or masq_dest items failed
Jo-Philipp Wich [Wed, 7 Jun 2017 14:20:24 +0000 (16:20 +0200)]
zones: disable masq when resolving of all masq_src or masq_dest items failed

Avoid generating 0.0.0.0/0 masquerade rules when resolving of the
corresponding symbolic masq_src or masq_dest value failed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agooptions: emit an empty address item when resolving networks fails
Jo-Philipp Wich [Wed, 7 Jun 2017 14:18:30 +0000 (16:18 +0200)]
options: emit an empty address item when resolving networks fails

Adjust fw3_parse_network() to emit an empty address item with
.set = false, .resolved = true when we failed to resolve the network
name into any ip address.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoubus: let fw3_ubus_address() return the number of resolved addresses
Jo-Philipp Wich [Wed, 7 Jun 2017 13:17:42 +0000 (15:17 +0200)]
ubus: let fw3_ubus_address() return the number of resolved addresses

Change fw3_ubus_address() to return the number of addresses resolved from
the given network name, this will be required to handle failed resolving
in higher layers later on.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agofirewall3: ubus: parse the firewall data within the service itself
Pierre Lebleu [Fri, 3 Nov 2017 16:12:09 +0000 (17:12 +0100)]
firewall3: ubus: parse the firewall data within the service itself

It gives the ability to create firewall rules within the service
itself and independently of the instances.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agooptions: remove stray continue statement
Jo-Philipp Wich [Sat, 27 May 2017 10:29:55 +0000 (12:29 +0200)]
options: remove stray continue statement

The continue statement was mistakingly copy-pasted from other error
handling code.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agooptions: improve handling of negations when parsing space separated values
Jo-Philipp Wich [Fri, 26 May 2017 16:42:05 +0000 (18:42 +0200)]
options: improve handling of negations when parsing space separated values

Improve the space separated list parser to interprete "val1 ! val2"
as ("val1", "!val2") instead of ("val1", "!", "val2").

This corrects parsing of sections like ...

    config rule
        option sec_ip '! 1.1.1.0/24'

... which previously errored out with:

    Warning: Option @rule[0].src_ip has invalid value '!'

Fixes FS#806.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoiptables: support -i, -o, -s and -d in option extra
Jo-Philipp Wich [Fri, 26 May 2017 16:25:32 +0000 (18:25 +0200)]
iptables: support -i, -o, -s and -d in option extra

Allow "option extra" to specify "-i", "-o", "-s" and "-d" arguments which
previously caused rules to get rejected with "Bad argument" errors.

Partially fixes FS#806.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoubus: increase ubus network interface dump timeout
Hans Dedecker [Wed, 17 May 2017 12:49:17 +0000 (14:49 +0200)]
ubus: increase ubus network interface dump timeout

When netifd is being stressed (eg doing reconfig using multiple interfaces)
ubus timeouts can be observed when invoking network interface dump.
Increase the ubus timeout to 2000 msec similar to the service ubus timeout.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agoiptables: add exception handling
Jo-Philipp Wich [Tue, 2 May 2017 13:01:02 +0000 (15:01 +0200)]
iptables: add exception handling

Override libxtables standard error handler to not exit the program but to
longjmp() back to error handling code which is simply skipping the rule.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agofirewall3: add check_snat() function
Pierre Lebleu [Thu, 4 May 2017 08:52:59 +0000 (10:52 +0200)]
firewall3: add check_snat() function

The snat rule check is done by a function to avoid the walking
through the list twice.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: display the section type for UBUS rules
Pierre Lebleu [Thu, 4 May 2017 08:52:58 +0000 (10:52 +0200)]
firewall3: display the section type for UBUS rules

It gives the ability to display the section type for
rules pushed via procd services and netifd interface
firewall data.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: add UBUS support for include scripts
Pierre Lebleu [Thu, 4 May 2017 08:52:57 +0000 (10:52 +0200)]
firewall3: add UBUS support for include scripts

It gives the ability to include scripts via procd
services and netifd interface firewall data.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: add UBUS support for ipset sections
Pierre Lebleu [Thu, 4 May 2017 08:52:56 +0000 (10:52 +0200)]
firewall3: add UBUS support for ipset sections

It gives the ability to create ipset rules via procd
services and netifd interface firewall data.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: add UBUS support for forwarding sections
Pierre Lebleu [Thu, 4 May 2017 08:52:55 +0000 (10:52 +0200)]
firewall3: add UBUS support for forwarding sections

It gives the ability to create forward rules via procd
services and netifd interface firewall data.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: add UBUS support for redirect sections
Pierre Lebleu [Thu, 4 May 2017 08:52:54 +0000 (10:52 +0200)]
firewall3: add UBUS support for redirect sections

It gives the ability to create redirect rules via
procd services and netifd interface firewall data.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: add fw3_attr_parse_name_type() function
Pierre Lebleu [Thu, 4 May 2017 08:52:53 +0000 (10:52 +0200)]
firewall3: add fw3_attr_parse_name_type() function

Move the name and type parsing out of the rule file
in order to make it reusable by others.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: replace warn_rule() by warn_section()
Pierre Lebleu [Thu, 4 May 2017 08:52:52 +0000 (10:52 +0200)]
firewall3: replace warn_rule() by warn_section()

Replace the wan_rule() by warn_section() in order to
make it reusable by the other section type.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agofirewall3: check the return value of fw3_parse_options()
Pierre Lebleu [Thu, 4 May 2017 08:50:56 +0000 (10:50 +0200)]
firewall3: check the return value of fw3_parse_options()

The return value of fw3_parse_options() should be checked.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
7 years agobuild: use -Wno-format-truncation instead of -Wno-error=format-truncation
Felix Fietkau [Tue, 9 May 2017 10:42:37 +0000 (12:42 +0200)]
build: use -Wno-format-truncation instead of -Wno-error=format-truncation

Fixes build error with older gcc

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agoutils: replace sprintf use with snprintf to avoid overflows
Felix Fietkau [Thu, 4 May 2017 14:21:17 +0000 (16:21 +0200)]
utils: replace sprintf use with snprintf to avoid overflows

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agobuild: disable the format-truncation warning error to fix gcc 7 build errors
Felix Fietkau [Thu, 4 May 2017 14:17:51 +0000 (16:17 +0200)]
build: disable the format-truncation warning error to fix gcc 7 build errors

Signed-off-by: Felix Fietkau <nbd@nbd.name>
7 years agozones: drop outgoing invalid traffic in masqueraded zones
Jo-Philipp Wich [Sun, 9 Apr 2017 12:35:32 +0000 (14:35 +0200)]
zones: drop outgoing invalid traffic in masqueraded zones

Install conntrack state invalid drop rules to catch outgoing, un-natted
traffic in zones with enabled masquerading.

Also introduce a new option "masq_allow_invalid" it inhibit this new
drop rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agorules: fix UCI context in error reporting
Jo-Philipp Wich [Sun, 9 Apr 2017 13:19:52 +0000 (15:19 +0200)]
rules: fix UCI context in error reporting

Commit e678dcb "Add support for netifd-generated rules" broke the UCI
context reporting for rule warnings. Refactor the code to restore this
functionality.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoubus: fix interface name and proto lookup
Hans Dedecker [Thu, 13 Apr 2017 13:49:04 +0000 (15:49 +0200)]
ubus: fix interface name and proto lookup

Lookup of iface_name and iface_proto in the json data were switched
in fw3_ubus_rules

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7 years agofirewall3: fix handling of UTC times
Jo-Philipp Wich [Wed, 22 Feb 2017 09:46:58 +0000 (10:46 +0100)]
firewall3: fix handling of UTC times

The --utc parameter is deprecated and UTC times are the default now.
To achieve local time, the --kenreltz param has to be passed instead
so invert the logic and swap --utc with --kerneltz.

Fixes #548.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoiptables: support xtables API > 11
Jo-Philipp Wich [Tue, 7 Feb 2017 21:10:19 +0000 (22:10 +0100)]
iptables: support xtables API > 11

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agozones: do not check conntrack state in zone_*_dest_ACCEPT chains
Jo-Philipp Wich [Fri, 13 Jan 2017 17:19:43 +0000 (18:19 +0100)]
zones: do not check conntrack state in zone_*_dest_ACCEPT chains

Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow stream with state NEW
or UNTRACKED.

Remove the ctstate restriction on dest accept chains to properly pass-
through unrelated 3rd party traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoglobal: remove automatic notrack rules
Jo-Philipp Wich [Tue, 29 Nov 2016 11:27:42 +0000 (12:27 +0100)]
global: remove automatic notrack rules

With recent Kernel versions and the introduction of the conntrack routing
cache there is no need to maintain performance hacks in userspace anymore,
so simply drop the generation of automatic -j CT --notrack rules for zones.

This also fixes some cases where traffic is not matched for zones that do
not explicitely enforce connection tracking.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoforwards: properly propagate conntrack flag
Jo-Philipp Wich [Mon, 7 Nov 2016 14:27:49 +0000 (15:27 +0100)]
forwards: properly propagate conntrack flag

In the following topology:

    config zone
      option name A

    config zone
      option name B

    config zone
      option name C
      option conntrack 1

    config forwarding
      option src A
      option dest B

    config forwarding
      option src A
      option dest C

... the conntrack flag needs to be propagated into both zones A and B as well.

Since A is connected with C, A will inherit C's conntrack requirement which
means that B will need to inherit the flag as well since it is connected to A.

The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.

Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: move includes into iptables.c to avoid kernel header clashes
Jo-Philipp Wich [Sun, 6 Nov 2016 18:14:47 +0000 (19:14 +0100)]
iptables: move includes into iptables.c to avoid kernel header clashes

In order to avoid header clashes and redefinition errors in compilation
units which include iptables.h, move all includes into the iptables.c
file and only provide a forward declaration for struct fw3_ipt_rule.

This allows us to hide all xtables specific direct and indirect includes
in order to only expose a clean interface which does not rely on any kernel
header bits.

Within iptables.c, reshuffle the includes and predeclare some guard defines
to allow compilation on both glibc as well as patched and unpatched musl
systems.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agomusl-compat: avoid kernel header conflicts
Ralph Sennhauser [Sun, 6 Nov 2016 09:59:43 +0000 (10:59 +0100)]
musl-compat: avoid kernel header conflicts

The conflict between Musls net/if.h and linux/if.h is an old well known
one and taken care of by a series of linux-headers patches in OpenWrt.
Since Linux 4.8-rc5 Firewall3 also indirectly pulls in linux/in.h and
linux/in6.h leading to new conflicts.

As Firewall3 is fine with just the libc headers prevent inclusion of the
corresponding kernel headers.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
8 years agoiptables: remove usage of xt_id
Jo-Philipp Wich [Sun, 6 Nov 2016 16:18:36 +0000 (17:18 +0100)]
iptables: remove usage of xt_id

Instead of relying on the nonstandard xt_id match, use the xt_comment match
to tag own rules. Any rule with a comment starting with "!fw3" is considered
to be firewall3 internal.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agomain: make failing ubus connection nonfatal
Jo-Philipp Wich [Sun, 6 Nov 2016 15:58:09 +0000 (16:58 +0100)]
main: make failing ubus connection nonfatal

The ubus network runtime information is not strictly required to use firewall3,
so make a failing ubus connection nonfatal.

This allows testing and running firewall3 on an ordinary desktop linux system,
given an appropriate configuration which uses "option device" instead of
"option network" for zone declarations.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: rework extension loader
Jo-Philipp Wich [Sun, 6 Nov 2016 15:47:23 +0000 (16:47 +0100)]
iptables: rework extension loader

Now that we wrap xtables_register_match() and xtables_register_target() we do
not need to load the extensions ourselves anymore since there is no need to
keep the library handles for dlclose().

Switch to libxtables own loader by invoking xtables_find_match() and
xtables_find_target() with XTF_TRY_LOAD .

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: declare _GNU_SOURCE to define RTLD_NEXT
Jo-Philipp Wich [Sun, 6 Nov 2016 14:20:23 +0000 (15:20 +0100)]
iptables: declare _GNU_SOURCE to define RTLD_NEXT

This is required to build firewall3 on non-musl systems.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: optional loading of static extensions
Ralph Sennhauser [Sun, 6 Nov 2016 07:33:37 +0000 (08:33 +0100)]
iptables: optional loading of static extensions

Make loading of static extensions optional to support vanilla iptables
in it's default configuration by setting DISABLE_STATIC_EXTENSIONS
instead of hackery.

In case iptables is built with --disable-static libext.a, libext4.a and
libext6.a which OpenWrt installs in the form of libiptext.so,
libiptext4.so, libiptext6.so to save a couple more bytes are of no use
or non-existent one could say. So this commit avoids requiring a
tampered with iptables.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: stub init_extensions*() instead to reduce amount of ifdefs]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: fix loading standard target
Ralph Sennhauser [Sat, 5 Nov 2016 16:40:38 +0000 (17:40 +0100)]
iptables: fix loading standard target

In case iptables is built with --disable-static xt_standard needs to be
loaded just like the other extensions.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: minor code style change to if/return instead of if/else]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: add support for version 1.6.0
Ralph Sennhauser [Fri, 4 Nov 2016 13:41:10 +0000 (14:41 +0100)]
iptables: add support for version 1.6.0

Account for the struct xtables_globals change and add API version 11 to
the supported APIs.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
8 years agozones: properly handle multiple masq_src / masq_dest negations (FS#248)
Jo-Philipp Wich [Tue, 1 Nov 2016 22:19:24 +0000 (23:19 +0100)]
zones: properly handle multiple masq_src / masq_dest negations (FS#248)

Properly implement masquerade exceptions by using -j RETURN rules to jump out
of the postrouting container chain and only emit the permutated -j MASQUERADE
rules for non-negated addresses.

Fixes FD#248.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoiptables: use different approach for managing loadable extensions
Jo-Philipp Wich [Tue, 9 Aug 2016 09:00:45 +0000 (11:00 +0200)]
iptables: use different approach for managing loadable extensions

Since musl libc does not support unloading libraries via dlclose() and since
we should not explicitely call library constructors we need to use an
alternative approach to track the match registrations performed by iptables
shared objects.

This commit changes the iptables glue code to keep a global registry of non-
builtin matches and targets.

We implement the bookkeeping by intercepting xtables_register_match() and
xtables_register_target() calls in order to record any extension registration
attempt performed by a loadable iptables library.

The code subsequently uses the global list of dynamically loaded extensions
to re-register dynamic matches and targets for each address family / table
combination.

As a consequence we can get rid of the lib vector in the iptables handle
and remove the dlclose() handling entirely. This simplifies the
load_extension() as well.

Fixes FS#31.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoutils.h: Avoid name clashes for setbit/delbit/hasbit
Florian Fainelli [Fri, 2 Sep 2016 02:10:15 +0000 (19:10 -0700)]
utils.h: Avoid name clashes for setbit/delbit/hasbit

Rename to fw3_{set,del,has}bit to avoid name clashes with sys/param.h:

/opt/toolchains/stbgcc-4.8-1.5/arm-linux-gnueabihf/sys-root/usr/include/sys/param.h:80:0: note: this is the location of the previous definition
 #define setbit(a,i)     ((a)[(i)/NBBY] |= 1<<((i)%NBBY))

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
8 years agozones: allow untracked traffic as well
Jo-Philipp Wich [Mon, 8 Aug 2016 14:48:47 +0000 (16:48 +0200)]
zones: allow untracked traffic as well

Now that we only allow ctstate NEW traffic by default we also need to
whitelist traffic explicitely marked by --notrack.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agodefaults: disable drop_invalid by default
Jo-Philipp Wich [Mon, 8 Aug 2016 14:25:37 +0000 (16:25 +0200)]
defaults: disable drop_invalid by default

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agozones: restrict default ACCEPT rules to NEW ctstate
Jo-Philipp Wich [Mon, 8 Aug 2016 13:52:28 +0000 (15:52 +0200)]
zones: restrict default ACCEPT rules to NEW ctstate

Restrict the per-zone default accept rules to only accept streams with
conntrack state NEW when drop_invalid is disabled.

This commit hardens the firewall in order to allow disabling drop_invalid
by default since ctstate INVALID also matches desired traffic like IPv6
neighbour discovery messages.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agocmake: Find uci.h
Florian Fainelli [Mon, 11 Jul 2016 19:07:08 +0000 (12:07 -0700)]
cmake: Find uci.h

Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for uci.h. Some
external toolchains which do not include standard locations would fail
to find the header otherwise.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
8 years agotreewide: replace jow@openwrt.org with jo@mein.io
Jo-Philipp Wich [Tue, 7 Jun 2016 12:13:25 +0000 (14:13 +0200)]
treewide: replace jow@openwrt.org with jo@mein.io

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
8 years agoload running state after lock is acquired
Alin Năstac [Fri, 29 Apr 2016 13:00:01 +0000 (15:00 +0200)]
load running state after lock is acquired

When running "/etc/init.d/firewall reload & fw3 -q restart", the
fw3 instance that handle the reload might try to read the running
state after firewall was stopped by the fw3 instance that does the
restarting. Since a NULL run_state will transform reload operation in
start operation, the resulted iptables chains will contain duplicate
sets of rules.

8 years agoset mark for locally generated traffic in OUTPUT chain
Daniel Golle [Thu, 28 Apr 2016 12:25:02 +0000 (14:25 +0200)]
set mark for locally generated traffic in OUTPUT chain

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
8 years agodefaults.c: remove toplevel_rule struct
Alexandru Ardelean [Wed, 27 Apr 2016 06:16:51 +0000 (09:16 +0300)]
defaults.c: remove toplevel_rule struct

Since commit 60f1444 , this struct is no longer used.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
8 years agodefaults: emit ctstate INVALID drop rules by default
Jo-Philipp Wich [Fri, 29 Jan 2016 17:22:34 +0000 (18:22 +0100)]
defaults: emit ctstate INVALID drop rules by default

Enable the creation of state invalid catch rules by default to prevent
unnatted traffic from leaking onto the wan.

Fixes OpenWrt ticket #21738.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
8 years agoiptables: fix inversion flags
Len White [Fri, 29 Jan 2016 07:10:44 +0000 (02:10 -0500)]
iptables: fix inversion flags

Signed-off-by: Len White <lwhite@nrw.ca>
8 years agoRemove commented code
Jo-Philipp Wich [Sun, 24 Jan 2016 17:07:26 +0000 (18:07 +0100)]
Remove commented code

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
8 years agoUse xt_id match to track own rules
Jo-Philipp Wich [Sun, 24 Jan 2016 16:43:30 +0000 (17:43 +0100)]
Use xt_id match to track own rules

Instead of relying on the delegate_* chains to isolate own toplevel
rules from user supplied ones, use the xt_id match to attach a magic
value to fw3 rules which allows selective cleanup regardless of the
container chain.

Also add an experimental "fw3 gc" call to garbage collect empty chains.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>