options: treat time strings as UTC times

When parsing user supplied time strings, calculate a UTC time instant by
subtracting the current zone offset from the result of mktime(3), then use
gmtime_r(3) to turn the time_t value back into a sanitized time structure.

This ensures that user supplied dates are not interpreted as local time.

Fixes FS#1483.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

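The technique described in this commit, as an added illustration that is not fw3's own code: the user supplied fields are run through mktime(3), which can only interpret them in the process-local zone, the zone offset in effect at that instant is then subtracted again, and gmtime_r(3) produces the sanitized broken-down form. The parser accepts a constructed "YYYY-MM-DDThh:mm:ss" format, the offset is computed DST-aware by feeding the UTC broken-down time back through mktime(3) rather than via the non-DST "timezone" global, and the parse_under_tz() helper only exists to show that the result no longer depends on TZ. All names here are assumptions; the POSIX TZ strings are used so that the demonstration needs no tzdata files.

```c
#define _POSIX_C_SOURCE 200809L   /* gmtime_r(), setenv(), tzset() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/*
 * Seconds by which local time lags UTC at instant t (positive west of UTC,
 * the convention of the POSIX "timezone" variable), but DST-aware: the UTC
 * broken-down time is fed back through mktime(3) as if it were local time.
 */
static long zone_offset_west(time_t t)
{
	struct tm gm;

	gmtime_r(&t, &gm);
	gm.tm_isdst = -1;               /* let mktime() decide whether DST applies */

	return (long)difftime(mktime(&gm), t);
}

/*
 * Parse "YYYY-MM-DDThh:mm:ss" (constructed format) as a UTC date.
 * Returns (time_t)-1 on error, otherwise the UTC instant, and fills *out
 * with the sanitized broken-down UTC time produced by gmtime_r(3).
 */
static time_t parse_utc_date(const char *s, struct tm *out)
{
	struct tm tm;
	int y, mo, d, h, mi, sec;
	char extra;
	time_t local, utc;

	/* the trailing %c only matches if junk follows the timestamp */
	if (sscanf(s, "%4d-%2d-%2dT%2d:%2d:%2d%c",
	           &y, &mo, &d, &h, &mi, &sec, &extra) != 6)
		return (time_t)-1;

	if (mo < 1 || mo > 12 || d < 1 || d > 31 ||
	    h < 0 || h > 23 || mi < 0 || mi > 59 || sec < 0 || sec > 60)
		return (time_t)-1;

	memset(&tm, 0, sizeof(tm));
	tm.tm_year  = y - 1900;
	tm.tm_mon   = mo - 1;
	tm.tm_mday  = d;
	tm.tm_hour  = h;
	tm.tm_min   = mi;
	tm.tm_sec   = sec;
	tm.tm_isdst = -1;

	/* mktime() can only interpret the fields in the process-local zone ... */
	local = mktime(&tm);
	if (local == (time_t)-1)
		return (time_t)-1;

	/* ... so undo that by subtracting the zone offset in effect at that instant */
	utc = local - zone_offset_west(local);
	if (utc < 0)                    /* pre-epoch dates are rejected here (a choice of this example) */
		return (time_t)-1;

	gmtime_r(&utc, out);            /* sanitized, zone-independent broken-down time */
	return utc;
}

/* Demonstration helper: parse s with TZ temporarily set to the POSIX TZ string tz. */
static time_t parse_under_tz(const char *tz, const char *s, struct tm *out)
{
	struct tm tmp;

	setenv("TZ", tz, 1);
	tzset();
	return parse_utc_date(s, out ? out : &tmp);
}

/* Hour field of the sanitized structure, to show it is the UTC hour in every zone. */
static int sanitized_hour(const char *tz, const char *s)
{
	struct tm tm;

	return parse_under_tz(tz, s, &tm) == (time_t)-1 ? -1 : tm.tm_hour;
}

int main(void)
{
	/* constructed sample input: one instant, parsed under three different zones */
	const char *zones[] = { "UTC0", "CET-1CEST,M3.5.0,M10.5.0/3", "EST5EDT,M3.2.0,M11.1.0" };
	const char *date = "2020-07-01T12:00:00";
	struct tm tm;
	size_t i;

	for (i = 0; i < sizeof(zones) / sizeof(zones[0]); i++) {
		time_t t = parse_under_tz(zones[i], date, &tm);
		printf("%-28s -> %lld (%02d:%02d UTC)\n", zones[i], (long long)t, tm.tm_hour, tm.tm_min);
	}
	return 0;
}
```

Without the correction step the same string would yield three different instants, one per zone; with it, every zone produces the same time_t and the same sanitized fields.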
helpers: make the proto field a list rather than one option

The field proto in the struct fw3_cthelper should be implemented as a list
in order to support multiple protocols. For example, the helper for SIP
should be able to support both TCP and UDP within only one entry in the
config file.

    config helper
        option name 'sip'
        option description 'SIP VoIP connection tracking'
        option module 'nf_conntrack_sip'
        option family 'any'
        option proto 'tcpudp'
        option port '5060'

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>

ipsets: add support for specifying entries

Introduce a new list option "entry" which can be used to specify entries
to add to the ipset, e.g.

    config ipset
        option name test
        ...
        list entry 1.2.3.4,8080
        list entry 5.6.7.8,8081

Also introduce a new option "loadfile" which refers to an external file
containing set entries to add, with one item per line.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

iptables: fix possible NULL pointer access on constructing rule masks

Due to a misplaced parenthesis, rule_mask() may try to access
r->target->userspacesize through a r->target NULL pointer.

Fix this problem by correcting the parenthesis placement in the memset
expression, using the originally intended operator precedence.

Spotted in the cz.nic fork of firewall3.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

zones: allow per-table log control

When enabling logging for a zone, logging is enabled in the filter and
mangle tables. The log rule in the mangle table enables mtu_fix logging,
which has the tendency to flood logs.

Allow per-table log control by making the log boolean a bit field that can
be used to enable logging in the filter and/or mangle tables.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

helpers: implement explicit CT helper assignment support

Implement support for explicit per-zone conntrack helper assignment in the
raw table in order to compensate for the now disabled automatic helper
assignment in recent Linux kernels.

This commit adds, along with the required infrastructure, a new per-zone
uci option "helper" which can be used to tie one or more CT helpers to a
given zone.

For example the following configuration:

    config zone
        option name lan
        option network lan
        list helper ftp
        list helper sip
        ...

will assign the FTP and SIP conntrack helpers as specified in
/usr/share/fw3/helpers.conf to traffic originating from the LAN zone.

Additionally, a new boolean option "auto_helper" has been defined for both
"config defaults" and "config zone" sections, with the former option
overruling the latter.

When the default true "option auto_helper" is set, all available helpers
are automatically attached to each non-masq zone (i.e. "lan" by default).

When one or more "list helper" options are specified, the zone has
masquerading enabled or "auto_helper" is set to false, then the automatic
helper attachment is disabled for the corresponding zone.

Furthermore, this commit introduces support for a new 'HELPER' target in
"config rule" sections, along with "option helper" to match helper traffic
and "option set_helper" to assign CT helpers to a stream.

Finally, "config redirect" sections now support "option helper" too, which
causes fw3 to emit helper setting rules for forwarded DNAT traffic.

When "option helper" is not defined for a redirect and when the global
option "auto_helper" is not disabled, fw3 will pick a suitable helper based
on the destination protocol and port and assign it to DNATed traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

ubus: let fw3_ubus_address() return the number of resolved addresses

Change fw3_ubus_address() to return the number of addresses resolved from
the given network name. This will be required to handle failed resolving in
higher layers later on.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

options: improve handling of negations when parsing space separated values

Improve the space separated list parser to interpret "val1 ! val2" as
("val1", "!val2") instead of ("val1", "!", "val2").

This corrects parsing of sections like

    ...
    config rule
        option src_ip '! 1.1.1.0/24'
    ...

which previously errored out with:

    Warning: Option @rule[0].src_ip has invalid value '!'

Fixes FS#806.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
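The parsing behaviour this commit describes, as an added example written for this page rather than fw3's own list parser: whitespace-separated items are split, but a standalone "!" token is held back and folded into the following item as a "!" prefix, so "val1 ! val2" becomes ("val1", "!val2") and '! 1.1.1.0/24' becomes ("!1.1.1.0/24"). A "!" with nothing after it, the case that used to surface as "invalid value '!'", is reported as an error. The struct, the fixed-size buffers and the helper names are assumptions of this example, and rejecting a doubled negation ("! !val") is a choice made here, not something the commit states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_VALUES     16
#define MAX_VALUE_LEN  64

/* Result of splitting one option value into its space separated items (constructed type). */
struct value_list {
	size_t count;
	char item[MAX_VALUES][MAX_VALUE_LEN];
};

/*
 * Split s on whitespace. A lone "!" token is not emitted on its own but
 * attached as a "!" prefix to the following item. Returns 0 on success,
 * -1 when the list overflows, an item is too long, a negation is doubled,
 * or a "!" has nothing to negate.
 */
static int parse_space_list(const char *s, struct value_list *vl)
{
	const char *p = s, *start;
	size_t len, pos;
	int pending_neg = 0;
	char *dst;

	vl->count = 0;

	while (*p) {
		while (*p && isspace((unsigned char)*p))
			p++;
		if (!*p)
			break;

		start = p;
		while (*p && !isspace((unsigned char)*p))
			p++;
		len = (size_t)(p - start);

		/* standalone negation: remember it and attach it to the next item */
		if (len == 1 && *start == '!') {
			if (pending_neg)
				return -1;          /* "! !" is rejected */
			pending_neg = 1;
			continue;
		}

		if (vl->count >= MAX_VALUES)
			return -1;

		dst = vl->item[vl->count];
		pos = 0;
		if (pending_neg) {
			if (*start == '!')
				return -1;          /* "! !val" would be a double negation */
			dst[pos++] = '!';
			pending_neg = 0;
		}
		if (pos + len >= MAX_VALUE_LEN)
			return -1;
		memcpy(dst + pos, start, len);
		dst[pos + len] = '\0';
		vl->count++;
	}

	/* a trailing "!" negates nothing: the old "invalid value '!'" situation */
	return pending_neg ? -1 : 0;
}

/* Number of items in s, or -1 if the value does not parse. */
static int value_count(const char *s)
{
	struct value_list vl;

	return parse_space_list(s, &vl) < 0 ? -1 : (int)vl.count;
}

/* n-th item of s, or NULL if absent or the value does not parse. */
static const char *nth_value(const char *s, size_t n)
{
	static struct value_list vl;

	if (parse_space_list(s, &vl) < 0 || n >= vl.count)
		return NULL;
	return vl.item[n];
}

int main(void)
{
	/* constructed sample inputs, including the one from the bug report */
	const char *samples[] = { "val1 ! val2", "! 1.1.1.0/24", "a !b  c", "a !" };
	struct value_list vl;
	size_t i, j;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("\"%s\" ->", samples[i]);
		if (parse_space_list(samples[i], &vl) < 0) {
			printf(" invalid value\n");
			continue;
		}
		for (j = 0; j < vl.count; j++)
			printf(" \"%s\"", vl.item[j]);
		printf("\n");
	}
	return 0;
}
```

The prefix form is what a downstream option parser already understands, so the fix lives entirely in the tokenizer and the per-type parsers do not need to learn about a separate "!" token.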