Jo-Philipp Wich [Mon, 8 Aug 2016 14:48:47 +0000 (16:48 +0200)]
zones: allow untracked traffic as well
Now that we only allow ctstate NEW traffic by default we also need to
whitelist traffic explicitly marked by --notrack.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 8 Aug 2016 14:25:37 +0000 (16:25 +0200)]
defaults: disable drop_invalid by default
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Mon, 8 Aug 2016 13:52:28 +0000 (15:52 +0200)]
zones: restrict default ACCEPT rules to NEW ctstate
Restrict the per-zone default accept rules to only accept streams with
conntrack state NEW when drop_invalid is disabled.
This commit hardens the firewall in order to allow disabling drop_invalid
by default since ctstate INVALID also matches desired traffic like IPv6
neighbour discovery messages.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Florian Fainelli [Mon, 11 Jul 2016 19:07:08 +0000 (12:07 -0700)]
cmake: Find uci.h
Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for uci.h. Some
external toolchains which do not include standard locations would fail
to find the header otherwise.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Jo-Philipp Wich [Tue, 7 Jun 2016 12:13:25 +0000 (14:13 +0200)]
treewide: replace jow@openwrt.org with jo@mein.io
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Alin Năstac [Fri, 29 Apr 2016 13:00:01 +0000 (15:00 +0200)]
load running state after lock is acquired
When running "/etc/init.d/firewall reload & fw3 -q restart", the
fw3 instance that handles the reload might try to read the running
state after the firewall was stopped by the fw3 instance that does the
restarting. Since a NULL run_state will transform the reload operation into
a start operation, the resulting iptables chains will contain duplicate
sets of rules.
Daniel Golle [Thu, 28 Apr 2016 12:25:02 +0000 (14:25 +0200)]
set mark for locally generated traffic in OUTPUT chain
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Alexandru Ardelean [Wed, 27 Apr 2016 06:16:51 +0000 (09:16 +0300)]
defaults.c: remove toplevel_rule struct
Since commit 60f1444, this struct is no longer used.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Jo-Philipp Wich [Fri, 29 Jan 2016 17:22:34 +0000 (18:22 +0100)]
defaults: emit ctstate INVALID drop rules by default
Enable the creation of state invalid catch rules by default to prevent
unnatted traffic from leaking onto the wan.
Fixes OpenWrt ticket #21738.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Len White [Fri, 29 Jan 2016 07:10:44 +0000 (02:10 -0500)]
iptables: fix inversion flags
Signed-off-by: Len White <lwhite@nrw.ca>
Jo-Philipp Wich [Sun, 24 Jan 2016 17:07:26 +0000 (18:07 +0100)]
Remove commented code
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Sun, 24 Jan 2016 16:43:30 +0000 (17:43 +0100)]
Use xt_id match to track own rules
Instead of relying on the delegate_* chains to isolate own toplevel
rules from user supplied ones, use the xt_id match to attach a magic
value to fw3 rules which allows selective cleanup regardless of the
container chain.
Also add an experimental "fw3 gc" call to garbage collect empty chains.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Tue, 26 May 2015 12:50:21 +0000 (14:50 +0200)]
redirects: only emit REDIRECT rules if dest_ip is unset
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Tue, 26 May 2015 10:29:52 +0000 (12:29 +0200)]
Rework match initialization
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Tue, 5 May 2015 15:21:22 +0000 (17:21 +0200)]
Link libext dynamically
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Fri, 22 May 2015 18:18:09 +0000 (20:18 +0200)]
iptables: initialize multiport match
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Thu, 21 May 2015 13:04:11 +0000 (15:04 +0200)]
ubus: allow proto handlers to override device in announced rules
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Fri, 17 Apr 2015 14:12:14 +0000 (16:12 +0200)]
ubus: print rule name when reporting errors
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Fri, 17 Apr 2015 14:06:39 +0000 (16:06 +0200)]
ubus: store rule origin as comment
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Hans Dedecker [Wed, 25 Feb 2015 15:00:56 +0000 (16:00 +0100)]
firewall3: fix null pointer access when no target is present
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Jo-Philipp Wich [Tue, 13 Jan 2015 11:46:37 +0000 (12:46 +0100)]
redirects: fix possible null pointer access
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Ulrich Weber [Mon, 5 Jan 2015 14:58:34 +0000 (15:58 +0100)]
firewall3: fix left shift on 64 bit systems in fw3_bitlen2netmask
otherwise 0.0.0.0/0 is set as 0.0.0.0/255.255.255.255 on x86_64
Signed-off-by: Ulrich Weber <uw@ocedo.com>
Jo-Philipp Wich [Thu, 8 Jan 2015 13:17:16 +0000 (14:17 +0100)]
redirects: respect src_dip option for reflection rules
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Fri, 19 Sep 2014 18:09:19 +0000 (20:09 +0200)]
options: allow '*' as value for protocols and families
No functional change, just a little bit of consistency with src / dest
specifiers where '*' means 'any' or 'all'. To follow the principle of
least surprise, allow the same for family and protocol options.
option proto '*' is equivalent to option proto 'all'
option family '*' is equivalent to option family 'any'
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Thu, 18 Sep 2014 10:09:12 +0000 (12:09 +0200)]
utils: rework fw3_bitlen2netmask() IPv6 mask calculation
The previous code wrote beyond the end of the destination buffer under
certain circumstances, causing possible heap corruptions.
Rewrite the IPv6 mask calculation code to use a safe byte-wise assignment
loop instead of two memset() calls and one byte assignment in the middle.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Wed, 17 Sep 2014 21:57:39 +0000 (23:57 +0200)]
redirect: emit -j REDIRECT rules for local port forwards
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Wed, 17 Sep 2014 17:49:53 +0000 (19:49 +0200)]
utils: fix invalid memory access in fw3_bitlen2netmask()
When fw3_bitlen2netmask() is invoked with a bit length of 128, the next
byte after the end of struct in6_addr is erroneously zeroed, leading to
a heap corruption on at least x86_64 with uclibc and possibly others.
Prevent the invalid writes by explicitly testing for a bit count < 128.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Mon, 11 Aug 2014 17:42:59 +0000 (19:42 +0200)]
utils: ifa_addr may be NULL, skip such entries
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Wed, 6 Aug 2014 17:00:18 +0000 (19:00 +0200)]
Selectively flush conntrack
Record active IP addresses in firewall state file and trigger
conntrack flush for changed IP addresses on firewall reload.
Additionally trigger a complete flush on the first firewall
start in order to clear out streams which might have bypassed
the masquerading rules.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Mon, 21 Jul 2014 14:06:04 +0000 (16:06 +0200)]
zones: make forward policy destination bound
The zone forwarding policy was installed source bound, which resulted
in zones with a forward accept policy allowing traffic anywhere, while
only traffic between the zone's networks is supposed to be allowed in this
case.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Sat, 19 Jul 2014 12:42:47 +0000 (14:42 +0200)]
options: fix logic flaw when parsing ipaddr/mask notation
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Fri, 18 Jul 2014 13:43:56 +0000 (15:43 +0200)]
Use netmasks instead of prefix lengths internally
Iptables supports using non-continuous netmasks like FFFF::FFFF which would
match the first and last 16 bit of an IPv6 address while ignoring the parts
in between, which is useful for declaring rules targeting hosts on rotating
prefixes.
Instead of storing parsed netmasks as bitcount internally, use a full mask
which is passed to iptables as-is.
Also support a new shorthand notation "addr/-N" which will construct a mask
that matches the *last* N bits of an address - useful for matching the host
part only of an IPv4 address, e.g.
option dest_ip '::c23f:eff:fe7a:a094/-64'
This will convert to a netmask of "::ffff:ffff:ffff:ffff".
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
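The three commit messages above about fw3_bitlen2netmask() describe the two failure modes of a mask builder: a 64-bit left shift producing 255.255.255.255 for a /0, and a fixed memset/assignment sequence writing one byte past a struct in6_addr for /128. The "addr/-N" shorthand introduced in the last message adds a third case, a suffix mask. The following is an added example, not fw3's own code, of a byte-wise mask builder that handles all three: the loop is bounded by the buffer length so a bit count of 32 or 128 can never write past it, a bit count of 0 never shifts by the word width, and a negative count fills from the least significant byte upwards. The helper names (bitlen2mask, netmask_string, netmask_equals) and the sample specs are my own constructions; the explicit-mask branch accepts a literal mask such as ffff::ffff, which the message says iptables takes as-is.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build a netmask from a signed bit count into `mask`, which holds `len`
 * bytes (4 for IPv4, 16 for IPv6). bits >= 0 sets the first `bits` bits
 * (ordinary prefix length); bits < 0 sets the last |bits| bits ("addr/-N").
 * Only `len` bytes are ever written, so 32 or 128 cannot overrun the buffer,
 * and no shift ever equals the operand width, so 0 and 32 are safe on any
 * word size. */
static bool bitlen2mask(int bits, uint8_t *mask, size_t len)
{
    size_t i;
    int n = bits < 0 ? -bits : bits;

    if (n > (int)(len * 8))
        return false;

    memset(mask, 0, len);

    if (bits >= 0) {
        /* prefix mask: fill from the most significant byte downwards */
        for (i = 0; i < len && n > 0; i++, n -= 8)
            mask[i] = (n >= 8) ? 0xff : (uint8_t)(0xff << (8 - n));
    } else {
        /* suffix mask: fill from the least significant byte upwards */
        for (i = len; i > 0 && n > 0; i--, n -= 8)
            mask[i - 1] = (n >= 8) ? 0xff : (uint8_t)(0xff >> (8 - n));
    }
    return true;
}

/* Parse "addr", "addr/N", "addr/-N" or "addr/mask" and format the resulting
 * netmask into `out`. Returns 0 on success, -1 on a malformed spec or an
 * out-of-range bit count. */
int netmask_string(const char *spec, char *out, size_t outlen)
{
    char addr[INET6_ADDRSTRLEN + 8];
    char *slash, *end;
    uint8_t mask[16];
    int family, len, bits;
    long v;

    if (strlen(spec) >= sizeof addr)
        return -1;
    strcpy(addr, spec);

    slash = strchr(addr, '/');
    if (slash)
        *slash++ = '\0';

    family = strchr(addr, ':') ? AF_INET6 : AF_INET;
    len = (family == AF_INET6) ? 16 : 4;

    /* the address part must be valid for the detected family */
    if (inet_pton(family, addr, mask) != 1)
        return -1;

    if (!slash) {
        bits = len * 8;                    /* host entry: all bits significant */
    } else if (strchr(slash, ':') || strchr(slash, '.')) {
        /* explicit, possibly non-contiguous mask such as ffff::ffff */
        if (inet_pton(family, slash, mask) != 1)
            return -1;
        return inet_ntop(family, mask, out, (socklen_t)outlen) ? 0 : -1;
    } else {
        v = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || v < -(len * 8) || v > len * 8)
            return -1;                     /* reject junk and /33, /129, /-129 */
        bits = (int)v;
    }

    if (!bitlen2mask(bits, mask, len))
        return -1;
    return inet_ntop(family, mask, out, (socklen_t)outlen) ? 0 : -1;
}

/* Convenience check: 1 if `spec` yields exactly `expected`, else 0. */
int netmask_equals(const char *spec, const char *expected)
{
    char buf[INET6_ADDRSTRLEN];
    return netmask_string(spec, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample specs covering the edge cases named above */
    static const char *specs[] = {
        "0.0.0.0/0", "192.168.1.5/-8", "::c23f:eff:fe7a:a094/-64",
        "::/128", "2001:db8::1/ffff::ffff", "10.0.0.1/33",
    };
    char buf[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-28s -> %s\n", specs[i],
               netmask_string(specs[i], buf, sizeof buf) == 0 ? buf : "invalid");
    return 0;
}
```

The suffix branch is what turns `::c23f:eff:fe7a:a094/-64` into `::ffff:ffff:ffff:ffff`; the same loop with a positive count yields the usual prefix masks, and a `/0` comes out as all zeros instead of the all-ones mask the 64-bit shift bug produced.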
Jo-Philipp Wich [Thu, 10 Jul 2014 16:38:35 +0000 (18:38 +0200)]
ubus: handle attribute access after NULL check in parse_subnets()
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Thu, 10 Jul 2014 09:15:03 +0000 (11:15 +0200)]
ubus: fix fw3_ubus_address()
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Thu, 10 Jul 2014 09:03:13 +0000 (11:03 +0200)]
ubus: fix fw3_ubus_device() to only return a pointer if a device was found
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Thu, 3 Jul 2014 08:52:48 +0000 (10:52 +0200)]
options: fix fw3_parse_network() when destination pointer is not a list
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Felix Fietkau [Wed, 2 Jul 2014 18:23:10 +0000 (20:23 +0200)]
ubus: add support for fetching firewall rules from procd
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 30 Jun 2014 17:25:25 +0000 (19:25 +0200)]
ubus: use blobmsg_parse to validate device attributes and decouple the found device name from the order in which elements appear
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 30 Jun 2014 17:17:53 +0000 (19:17 +0200)]
make fw3_ubus_address take a list_head * argument instead of allocating & returning one
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 30 Jun 2014 16:46:08 +0000 (18:46 +0200)]
use calloc instead of malloc+memset
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 30 Jun 2014 16:40:38 +0000 (18:40 +0200)]
ubus: use blobmsg_parse to validate data from network.interface:dump
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Steven Barth [Thu, 26 Jun 2014 12:12:51 +0000 (14:12 +0200)]
Add fw3 zone call to list devices in a zone
Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth [Sun, 13 Apr 2014 16:48:39 +0000 (18:48 +0200)]
Add support for netifd-generated rules
Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth [Sun, 13 Apr 2014 16:41:06 +0000 (18:41 +0200)]
Add support for device and direction parameters
Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth [Mon, 14 Apr 2014 06:49:55 +0000 (08:49 +0200)]
snat: add support for connlimiting port-range SNAT
Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth [Sun, 13 Apr 2014 16:33:39 +0000 (18:33 +0200)]
Fix building with newer toolchains
Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth [Thu, 10 Apr 2014 20:39:42 +0000 (22:39 +0200)]
snat: ICMP can be port-natted as well
Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth [Thu, 10 Apr 2014 12:26:57 +0000 (14:26 +0200)]
nat: allow ACCEPT-target to explicitly disable NAT
Signed-off-by: Steven Barth <steven@midlink.org>
Jo-Philipp Wich [Fri, 11 Apr 2014 16:25:37 +0000 (18:25 +0200)]
Reapply SNAT/MASQUERADE rules on firewall reloads
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Sun, 6 Apr 2014 20:25:14 +0000 (22:25 +0200)]
Initial support for "config nat" rules - this allows configuring zone-independent SNAT and MASQUERADE rules
Felix Fietkau [Thu, 20 Mar 2014 13:15:12 +0000 (14:15 +0100)]
utils: define _GNU_SOURCE to get clearenv()
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Jo-Philipp Wich [Thu, 20 Feb 2014 23:29:57 +0000 (23:29 +0000)]
Several ipset bugfixes
- Do not consider bitmap storage for IPv6 family sets
- Move ipset family parameter before any additional option
- Only emit family parameter for hash sets
- Do not allow IPv6 iprange for IPv4 sets and vice versa
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Tue, 17 Dec 2013 17:58:45 +0000 (17:58 +0000)]
Change set_default() to take value as integer, required for tcp_ecn > 1
Jo-Philipp Wich [Tue, 17 Dec 2013 17:52:34 +0000 (17:52 +0000)]
Treat option tcp_ecn as integer, not bool
Jo-Philipp Wich [Tue, 17 Dec 2013 17:50:42 +0000 (17:50 +0000)]
Properly check strtol() results when parsing values as integers
Jo-Philipp Wich [Mon, 18 Nov 2013 12:51:47 +0000 (12:51 +0000)]
Clean up dead code
Jo-Philipp Wich [Mon, 18 Nov 2013 12:37:38 +0000 (12:37 +0000)]
Skip redirects with invalid options
Jo-Philipp Wich [Mon, 18 Nov 2013 12:37:30 +0000 (12:37 +0000)]
Skip rules with invalid options
Jo-Philipp Wich [Mon, 18 Nov 2013 12:36:45 +0000 (12:36 +0000)]
Change fw3_parse_options() to indicate whether all options were parsed successfully
Jo-Philipp Wich [Wed, 6 Nov 2013 23:56:36 +0000 (23:56 +0000)]
Use a global -m conntrack --ctstate DNAT rule to accept all port forwards of a given zone in filter
Steven Barth [Wed, 23 Oct 2013 10:00:09 +0000 (12:00 +0200)]
Improve ubus support
* Use network.interface dump call instead of individual status calls
to reduce overall netifd lookups and invokes to 1 per fw3 process.
* Allow protocol handlers to assign a firewall zone for an interface
in the data section to allow for dynamic firewall zone assignment.
Jo-Philipp Wich [Thu, 10 Oct 2013 20:36:08 +0000 (20:36 +0000)]
Use fw3_ipt_rule_replace() when setting up zone interface rules
This avoids duplicate rules in the final ruleset when multiple interfaces,
subnets or devices in a zone specification resolve to the same values.
Jo-Philipp Wich [Thu, 10 Oct 2013 19:59:08 +0000 (19:59 +0000)]
Use fw3_ipt_rule_replace() when setting up reflection
This avoids duplicate rules in the final ruleset when the target zone
contains multiple interfaces.
Jo-Philipp Wich [Thu, 10 Oct 2013 19:38:57 +0000 (19:38 +0000)]
Allow any protocol for reflection rules
Jo-Philipp Wich [Wed, 14 Aug 2013 14:58:04 +0000 (16:58 +0200)]
Reorganize chain layout for raw/NOTRACK rules to fix support for custom rules with target "NOTRACK"
Jo-Philipp Wich [Wed, 14 Aug 2013 14:50:49 +0000 (16:50 +0200)]
Use "-j CT --notrack" instead of deprecated "-j NOTRACK"
Jo-Philipp Wich [Wed, 14 Aug 2013 14:46:36 +0000 (16:46 +0200)]
Revert "Make sure that NOTRACK is linked into firewall3 if it is part of libext*.a"
This reverts commit 95cc95c7fec2d68fa8e27cc8e8e4b8dbacababf8.
Jo-Philipp Wich [Wed, 14 Aug 2013 14:30:45 +0000 (16:30 +0200)]
Make sure that NOTRACK is linked into firewall3 if it is part of libext*.a
Jo-Philipp Wich [Tue, 16 Jul 2013 12:12:15 +0000 (14:12 +0200)]
Treat redirects as port redirections if the specified dest_ip belongs to the router itself; this is a compatibility fix for firewall2.
Jo-Philipp Wich [Sat, 29 Jun 2013 13:25:40 +0000 (15:25 +0200)]
Properly dereference struct ether_addr
Jo-Philipp Wich [Sat, 29 Jun 2013 13:07:29 +0000 (15:07 +0200)]
Do not rely on ether_ntoa() when formatting mac addresses.
The ether_ntoa() in libc does not include leading zeroes in the formatted
address; this causes the address to not get recognized by iptables 1.4.10,
which expects a fixed length for mac strings.
Jo-Philipp Wich [Tue, 18 Jun 2013 14:26:11 +0000 (16:26 +0200)]
Don't mistreat unknown protocol names as "any protocol"
Jo-Philipp Wich [Tue, 18 Jun 2013 14:11:56 +0000 (16:11 +0200)]
Fix processing of CIDRs with mask 0
Jo-Philipp Wich [Thu, 13 Jun 2013 15:14:07 +0000 (17:14 +0200)]
Fix processing of negated options
Jo-Philipp Wich [Thu, 13 Jun 2013 12:46:17 +0000 (14:46 +0200)]
Properly handle reject target in rules with specific destination
Jo-Philipp Wich [Thu, 6 Jun 2013 10:56:18 +0000 (12:56 +0200)]
Keep all basic chains on reload and only flush them; this allows user rules to jump to targets like "reject" or "notrack"
Jo-Philipp Wich [Thu, 6 Jun 2013 10:35:50 +0000 (12:35 +0200)]
Fix endian issue in compare_addr(); solves auto detection of "option dest" for redirects on little endian systems
Jo-Philipp Wich [Thu, 6 Jun 2013 09:40:02 +0000 (11:40 +0200)]
For ingress rules, only jump into zone_name_src_ACTION chains if the target is not ACCEPT and if logging is enabled in the src zone; this cuts some overhead
Jo-Philipp Wich [Thu, 6 Jun 2013 09:37:00 +0000 (11:37 +0200)]
Implement limit and limit_burst options for rules.
Jo-Philipp Wich [Wed, 5 Jun 2013 10:49:17 +0000 (12:49 +0200)]
Use zone_name_src_ACTION chain for input rules with non-wildcard source
Jo-Philipp Wich [Wed, 5 Jun 2013 10:01:34 +0000 (12:01 +0200)]
Extend ipset option syntax to support specifying directions in place.
Jo-Philipp Wich [Tue, 4 Jun 2013 11:11:53 +0000 (13:11 +0200)]
Fix wrong signature of fw3_xt_print_matches()
Jo-Philipp Wich [Tue, 4 Jun 2013 10:53:51 +0000 (12:53 +0200)]
Add abstract fw3_xt_print_matches() and fw3_xt_print_target() functions since the output of ->save differs between xtables 5 and 10... sigh
Jo-Philipp Wich [Tue, 4 Jun 2013 10:12:26 +0000 (12:12 +0200)]
Fix wrong chain emitted for zone forward policy; the terminal chain is source, not destination bound.
Jo-Philipp Wich [Mon, 3 Jun 2013 16:28:10 +0000 (18:28 +0200)]
Decouple handle destroying from committing, add fw3_ipt_close() instead
Jo-Philipp Wich [Mon, 3 Jun 2013 15:43:06 +0000 (17:43 +0200)]
Do not let libxtables implicitly load extensions; do it directly from fw3 and track the loaded objects for properly closing when destroying the handle.
Jo-Philipp Wich [Mon, 27 May 2013 14:50:50 +0000 (16:50 +0200)]
Make IPv6 support optional
Jo-Philipp Wich [Mon, 27 May 2013 13:46:15 +0000 (15:46 +0200)]
Add abstract fw3_xt_reset() implementation
Jo-Philipp Wich [Mon, 27 May 2013 11:52:15 +0000 (13:52 +0200)]
Dynamically create rules for available libext*.a libraries, clean up rules
Jo-Philipp Wich [Mon, 27 May 2013 09:17:06 +0000 (11:17 +0200)]
Fix compatibility with older libiptc/libip6tc
Jo-Philipp Wich [Sun, 26 May 2013 15:22:11 +0000 (17:22 +0200)]
Only emit different ip family warnings if the ip wasn't automatically resolved
Jo-Philipp Wich [Sun, 26 May 2013 15:19:39 +0000 (17:19 +0200)]
Mark fw3_address objects that got resolved by fw3_parse_network()
Jo-Philipp Wich [Sun, 26 May 2013 15:15:47 +0000 (17:15 +0200)]
Change wording of inferred destination warning for redirects
Jo-Philipp Wich [Sun, 26 May 2013 15:13:49 +0000 (17:13 +0200)]
Replace fw3_free_zone() with the generic implementation
Jo-Philipp Wich [Sun, 26 May 2013 14:22:01 +0000 (16:22 +0200)]
Avoid segfault when freeing rules whose target could not be found
Jo-Philipp Wich [Sun, 26 May 2013 14:15:33 +0000 (16:15 +0200)]
Infer destination zone of DNAT redirects from dest_ip option
Jo-Philipp Wich [Sun, 26 May 2013 14:02:24 +0000 (16:02 +0200)]
Add fw3_resolve_zone_addresses() helper to obtain a list of all subnets covered by a zone
Jo-Philipp Wich [Sun, 26 May 2013 13:59:53 +0000 (15:59 +0200)]
Remove fw3_ubus_address_free() and use fw3_free_list() instead
Jo-Philipp Wich [Sun, 26 May 2013 13:58:17 +0000 (15:58 +0200)]
Add fw3_free_list() helper
Jo-Philipp Wich [Sat, 25 May 2013 16:08:20 +0000 (18:08 +0200)]
Fix output rules with "option dest *"