Jo-Philipp Wich
d74c6ce7c5
firewall: revert processing order of redirects and rules, ensures that rules can be used to filter before redirects are reached
SVN-Revision: 31014
2012-03-18 23:34:06 +00:00

Jo-Philipp Wich
dd6c299d2e
firewall: fix fw__uci_state_del() procedure (#11132)
SVN-Revision: 30938
2012-03-13 21:22:13 +00:00

Jo-Philipp Wich
fe2d387a8c
firewall: bail out if uci is used in firewall include files
SVN-Revision: 30694
2012-02-23 18:50:47 +00:00

Jo-Philipp Wich
5609ad736e
firewall: don't filter IPv4 ICMP types (#10928)
SVN-Revision: 30363
2012-02-07 18:35:48 +00:00

Jo-Philipp Wich
8094fa46da
firewall: add support for "local" port forwards which target an internal address on the router itself
SVN-Revision: 29687
2012-01-08 15:29:24 +00:00

Jo-Philipp Wich
77dda8d67a
firewall:
 - introduce per-section "option enabled" which defaults to "1"
 - useful to disable rules or zones without having to delete them
 - annotate default traffic rules with names
 - bump version
SVN-Revision: 29577
2011-12-20 01:10:15 +00:00

Jo-Philipp Wich
50a22f4f9e
firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again
SVN-Revision: 28669
2011-10-29 18:02:45 +00:00

Jo-Philipp Wich
c7ac1b5b0c
firewall: do not produce 0.0.0.0/0 if a symbolic masq_src or masq_dest is given but does not resolve to an ip
SVN-Revision: 28628
2011-10-27 18:14:55 +00:00

Jo-Philipp Wich
204bf6e5fe
firewall: prevent ip6tables -t nat rules (#10265)
SVN-Revision: 28535
2011-10-23 12:25:57 +00:00

Jo-Philipp Wich
69df551be3
firewall: fix another instance of unquoted "*"
SVN-Revision: 28529
2011-10-22 21:38:10 +00:00

Jo-Philipp Wich
9a61d9e513
firewall: fix possible expansion of "*" when rules with "option src *" are processed
SVN-Revision: 28527
2011-10-22 20:11:25 +00:00

Jo-Philipp Wich
e0e73928da
firewall: do not check for module availability, let iptables fail if a feature is not present (#7610)
SVN-Revision: 28525
2011-10-22 19:50:35 +00:00

Jo-Philipp Wich
995face56d
firewall: make ESTABLISHED,RELATED rules match before INVALID, use conntrack instead of state match (#10038)
SVN-Revision: 28148
2011-09-01 20:37:22 +00:00

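An added check for the rule order this commit establishes, written here as an example and not taken from the OpenWrt firewall: it reads an iptables-save dump on stdin and, for every chain that drops INVALID, verifies that the ESTABLISHED,RELATED accept is placed first, since iptables applies the first matching rule in a chain. It also notes leftover uses of the older `-m state` match the commit moves away from. The two sample rulesets are constructed for the example and the chain name input_wan is assumed.

```shell
#!/bin/sh
# Added example, not OpenWrt firewall code: audit an iptables-save dump for
# the rule order the commit introduces (accept ESTABLISHED,RELATED before
# dropping INVALID). Reads the dump on stdin, prints one verdict per chain
# that drops INVALID, and returns 1 if any chain has the order reversed.
check_state_order() {
	awk '
	/^-A / {
		chain = $2
		# remember the first accept of ESTABLISHED,RELATED and the first
		# drop of INVALID per chain, by line number in the dump; iptables-save
		# may print the states in either order and with the old state match
		if ($0 ~ /--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/ && $0 ~ /-j ACCEPT/ && !(chain in acc))
			acc[chain] = NR
		if ($0 ~ /--(ct)?state INVALID/ && $0 ~ /-j DROP/ && !(chain in inv))
			inv[chain] = NR
		# the commit moved from the state match to conntrack; flag leftovers
		if ($0 ~ /-m state /)
			legacy = 1
	}
	END {
		bad = 0
		for (c in inv) {
			if (!(c in acc)) {
				printf "%s: drops INVALID but never accepts ESTABLISHED,RELATED\n", c
				bad = 1
			} else if (inv[c] < acc[c]) {
				printf "%s: INVALID drop at line %d precedes ESTABLISHED,RELATED accept at line %d\n", c, inv[c], acc[c]
				bad = 1
			} else {
				printf "%s: ok\n", c
			}
		}
		if (legacy)
			print "note: legacy -m state match still in use, prefer -m conntrack --ctstate"
		exit bad
	}'
}

# Constructed sample dumps (not captured from a real device). The first has
# the reversed order the commit fixes, the second the corrected order.
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
:input_wan - [0:0]
-A INPUT -i eth1 -j input_wan
-A input_wan -m conntrack --ctstate INVALID -j DROP
-A input_wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A input_wan -p tcp --dport 22 -j ACCEPT
COMMIT'

SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:input_wan - [0:0]
-A INPUT -i eth1 -j input_wan
-A input_wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A input_wan -m conntrack --ctstate INVALID -j DROP
-A input_wan -p tcp --dport 22 -j ACCEPT
COMMIT'

# On a live router: iptables-save | check_state_order
```

Run against the constructed samples with `printf '%s\n' "$SAMPLE_BAD" | check_state_order`; the bad dump reports the reversed order for input_wan and exits non-zero, the good one prints `input_wan: ok`.
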
Jo-Philipp Wich
7a206885df
firewall: prevent redundant rules if multiple ports and multiple icmp types are given in a rule block for both icmp and other protocols
SVN-Revision: 27792
2011-07-26 22:21:39 +00:00

Jo-Philipp Wich
90ac92e8be
firewall: fix serious bug in state var handling (#9746)
SVN-Revision: 27711
2011-07-20 15:29:10 +00:00

Jo-Philipp Wich
78fa88ca81
firewall: rework state variable handling, use uci_toggle_state() where applicable and properly handle duplicates in add and del state helpers (#9152, #9710)
SVN-Revision: 27618
2011-07-15 15:03:57 +00:00

Jo-Philipp Wich
a92ed1808c
firewall: make sure that -m mac is used with --mac-source, follow up to r27508
SVN-Revision: 27519
2011-07-07 10:28:31 +00:00

Daniel Dickinson
ca7383e701
firewall: also correct another variable missed in previous commit
SVN-Revision: 27508
2011-07-07 08:59:40 +00:00

Daniel Dickinson
c8531fca5d
firewall: fix wrong variable names for protocol command line parameter - were missed during r27500
SVN-Revision: 27507
2011-07-07 08:54:29 +00:00

Jo-Philipp Wich
dd4934a943
firewall:
 - solve scoping issues when multiple values are used, thanks Daniel Dickinson
 - ignore src_port/dest_port for proto icmp rules, ignore icmp_type for non-icmp rules
 - properly handle icmp when proto is given in numerical form (1, 58)
 - support negated icmp types
SVN-Revision: 27500
2011-07-06 22:10:46 +00:00

Daniel Dickinson
05c45f0f5e
firewall: fix udp rules for tcpudp proto rules using src_port and dest_port after modification by the parsing of the tcp rule
SVN-Revision: 27469
2011-07-06 06:26:12 +00:00

Jo-Philipp Wich
8f0fb81dfe
firewall: restore local port relocation ability from r26617
SVN-Revision: 27318
2011-06-30 01:36:09 +00:00

Jo-Philipp Wich
68a1c8e1e3
firewall:
 - allow multiple ports, protocols, macs, icmp types per rule
 - implement "limit" and "limit_burst" options for rules
 - implement "extra" option to rules and redirects for passing arbitrary flags to iptables
 - implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options
 - allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination
 - validate symbolic icmp-type names against the selected iptables binary
 - properly handle forwarded ICMPv6 traffic in the default configuration
SVN-Revision: 27317
2011-06-30 01:31:23 +00:00

Jo-Philipp Wich
9f37422f2f
firewall: ensure that fw_get_subnet4() sets an empty value if no (valid) IPv4 addr was found
SVN-Revision: 27198
2011-06-16 22:18:45 +00:00

Jo-Philipp Wich
c014101d73
firewall: allow symbolic names of interfaces and aliases in masq_src and masq_dest
SVN-Revision: 27196
2011-06-16 21:54:59 +00:00

Jo-Philipp Wich
2e9e4c435f
firewall: revert accidentally committed changes from r26805
SVN-Revision: 26806
2011-05-02 12:55:36 +00:00

Jo-Philipp Wich
ad23dd94b6
firewall: provide examples of ssh port relocation on firewall and IPsec passthrough

Two examples of potentially useful configurations (commented out, of course):

(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack.
(b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
SVN-Revision: 26805
2011-05-02 12:54:31 +00:00

Jo-Philipp Wich
2a386cee99
firewall: prevent excessive uci state data aggregation (#9152)
SVN-Revision: 26740
2011-04-20 11:49:09 +00:00

Jo-Philipp Wich
a9977eca91
firewall: allow local redirection of ports

Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:
(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:
(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
SVN-Revision: 26617
2011-04-12 20:03:59 +00:00

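The local relocation described in the commit above (a redirect without dest_ip), together with the per-section "option enabled" default and the tcpudp handling noted in the entries higher up the page, as an added shell example; this is not the OpenWrt firewall's own code. It assumes zone chain names prerouting_<zone>, input_<zone> and forward_<zone> (following the input_ZONE naming in the commit message) and that a redirect without dest_ip is implemented as REDIRECT --to-ports; the generated iptables commands are printed rather than executed so the translation can be checked on any machine.

```shell
#!/bin/sh
# Added example, not OpenWrt firewall code: expand one UCI "config redirect"
# section into the iptables commands it implies, printing instead of running
# them. Assumptions (hypothetical, following the input_ZONE naming in the
# commit message): chains prerouting_<zone>, input_<zone>, forward_<zone>;
# a redirect without dest_ip terminates on the router and uses REDIRECT.
#
# Usage: fw_redirect SRC_ZONE SRC_DPORT DEST_PORT PROTO [DEST_IP] [ENABLED]
fw_redirect() {
	src="$1" src_dport="$2" dest_port="$3" proto="$4"
	dest_ip="$5" enabled="${6:-1}"

	# "option enabled" defaults to 1; a disabled section produces no rules
	[ "$enabled" = "0" ] && return 0

	# expand the tcpudp shorthand so the udp rules are built from the
	# section's own options rather than from values left over by the tcp pass
	case "$proto" in
		tcpudp) protos="tcp udp" ;;
		*)      protos="$proto" ;;
	esac

	for p in $protos; do
		if [ -n "$dest_ip" ]; then
			# ordinary port forward: rewrite in nat, then accept the DNATted
			# flow in the source zone's forward chain
			echo "iptables -t nat -A prerouting_$src -p $p --dport $src_dport -j DNAT --to-destination $dest_ip:$dest_port"
			echo "iptables -t filter -A forward_$src -p $p -d $dest_ip --dport $dest_port -m conntrack --ctstate DNAT -j ACCEPT"
		else
			# local relocation (no dest_ip): the connection ends on the router,
			# so accept it in input_<zone>, but only when it was DNATted; a
			# direct connection to dest_port from this zone still hits the
			# zone's default input policy
			echo "iptables -t nat -A prerouting_$src -p $p --dport $src_dport -j REDIRECT --to-ports $dest_port"
			echo "iptables -t filter -A input_$src -p $p --dport $dest_port -m conntrack --ctstate DNAT -j ACCEPT"
		fi
	done
	return 0
}

# number of iptables commands a redirect section expands to
fw_redirect_count() {
	fw_redirect "$@" | wc -l | tr -d ' '
}

# The relocation from the commit message: ssh reachable on 22001 from wan,
# while port 22 from wan is left free for a forward or stays closed
# fw_redirect wan 22001 22 tcp
```

The accept rule is restricted with `-m conntrack --ctstate DNAT`, so only connections that went through the nat rewrite reach the daemon; that is what keeps `ssh -p 22` from the outside failing while `ssh -p 22001` succeeds. Passing `0` as the last argument models `option enabled '0'` and yields no rules at all.
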
Jo-Philipp Wich
af82471525
firewall: prevent duplicate values in interface state vars
SVN-Revision: 26382
2011-03-30 20:29:17 +00:00

Jo-Philipp Wich
13333a6742
firewall: move include sourcing into a subshell, this makes the firewall init immune against exit in the include scripts
SVN-Revision: 25835
2011-03-02 19:20:29 +00:00

Jo-Philipp Wich
1ca64678bb
firewall: fix rule generation for v4 or v6 only zones (#8955)
SVN-Revision: 25813
2011-03-01 18:04:14 +00:00

Jo-Philipp Wich
04b20727d8
firewall: fix wrong rule order if multiple protocols are used
SVN-Revision: 25179
2011-01-27 22:19:53 +00:00

Jo-Philipp Wich
a43f5b5038
firewall: insert SNAT and DNAT rules according to the order of the configuration file (#8052)
SVN-Revision: 23318
2010-10-08 12:11:55 +00:00

Jo-Philipp Wich
1a0d7a3612
firewall: fix chain selection logic, option dest must be ignored for notrack targets
SVN-Revision: 23143
2010-09-28 11:38:31 +00:00

Jo-Philipp Wich
6a335579b8
firewall:
 - support negations for src_ip, dest_ip, src_dip options in rules and redirects
 - add NOTRACK target to rule sections, allows to define fine-grained notrack rules
SVN-Revision: 23141
2010-09-28 10:42:56 +00:00

Jo-Philipp Wich
b07620df31
firewall: protect iptables invocations with locks in interface ops, it might run concurrently due to hotplug invocations on network restart
SVN-Revision: 23090
2010-09-19 15:01:47 +00:00

Jo-Philipp Wich
f90328f26e
firewall: make invalid redirects and duplicate zones non-fatal, print a notice and discard them
SVN-Revision: 23080
2010-09-16 11:47:35 +00:00

Jo-Philipp Wich
7557011cb1
firewall: run ifdown hotplug events synchronized, fixes a race condition on "ifup iface" when ifdown and ifup events are delivered with a small delay
SVN-Revision: 23064
2010-09-15 01:53:36 +00:00

Jo-Philipp Wich
1fe50da4bb
firewall: deliver remove hotplug events for all active zones/networks when restarting the firewall
SVN-Revision: 23062
2010-09-14 23:11:12 +00:00

Jo-Philipp Wich
f3dd8278bb
firewall:
 - simplify masquerade rule setup
 - remove various subshell invocations
 - speedup fw() by not relying on xargs and pipes
 - rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source
SVN-Revision: 23024
2010-09-11 20:04:34 +00:00

Jo-Philipp Wich
5ab58aa39c
firewall:
 - fix possible endless loop when the family option is used for forwardings
 - only generate forwarding rules in SNAT redirect sections if src_dip is specified
SVN-Revision: 22938
2010-09-05 20:17:23 +00:00

Jo-Philipp Wich
eb79296cc1
firewall: introduce SNAT support for redirect sections
SVN-Revision: 22937
2010-09-05 19:03:17 +00:00

Jo-Philipp Wich
ca5bf9e291
firewall:
 - handle NAT reflection in firewall hotplug, solves synchronizing issues on boot
 - introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation
SVN-Revision: 22888
2010-09-04 15:49:13 +00:00

Jo-Philipp Wich
ee4dd61b10
firewall:
 - fix processing of rules with an ip family option
 - append interface rules at the end of internal zone chains, simplifies injecting user or addon rules
 - support simple file logging (option log + option log_limit per zone)
SVN-Revision: 22847
2010-08-31 01:54:08 +00:00

Jo-Philipp Wich
e62a9791ee
firewall: allow redirecting only destination port (#7197)
SVN-Revision: 22227
2010-07-16 06:03:15 +00:00

Jo-Philipp Wich
d6d1dd47d3
firewall: fix another notrack related bug
SVN-Revision: 22218
2010-07-15 23:24:01 +00:00

Jo-Philipp Wich
f8fa598bf4
firewall:
 - notrack support was broken in multiple ways, fix it
 - also consider a zone conntracked if any redirect references it (#7196)
SVN-Revision: 22215
2010-07-15 22:01:48 +00:00

Jo-Philipp Wich
48c357ec01
firewall:
 - support alias ifnames different from parent ifname
 - properly handle multiple subnets per alias (v4+v6)
SVN-Revision: 21656
2010-06-02 00:59:35 +00:00

Jo-Philipp Wich
07b571a239
firewall: Initial alias interface support. This allows to define zones covering alias interfaces and associated entries like rules and forwardings.
SVN-Revision: 21653
2010-06-01 21:58:48 +00:00