firewall3: add check_snat() function The snat rule check is done by a function to avoid walking through the list twice. Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
firewall3: add fw3_attr_parse_name_type() function Move the name and type parsing out of the rule file in order to make it reusable by others. Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
global: remove automatic notrack rules With recent Kernel versions and the introduction of the conntrack routing cache there is no need to maintain performance hacks in userspace anymore, so simply drop the generation of automatic -j CT --notrack rules for zones. This also fixes some cases where traffic is not matched for zones that do not explicitly enforce connection tracking. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
treewide: replace jow@openwrt.org with jo@mein.io Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use xt_id match to track own rules Instead of relying on the delegate_* chains to isolate own toplevel rules from user supplied ones, use the xt_id match to attach a magic value to fw3 rules which allows selective cleanup regardless of the container chain. Also add an experimental "fw3 gc" call to garbage collect empty chains. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
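As an added example (not firewall3's own code), the marker-based cleanup described in the commit above can be illustrated with a POSIX shell script that works on constructed iptables-save output: it emits a delete command for every rule carrying the marker, regardless of which chain holds it, and lists user-defined chains that are both empty and unreferenced, which is what a garbage-collection pass would remove. The `-m id --id` option syntax, the marker value 0xc0de, the sample ruleset and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not firewall3 code. Assumes the xt_id match is written as
# "-m id --id <value>" in iptables-save output and that 0xc0de is the marker.

FW3_ID="${FW3_ID:-0xc0de}"

# Constructed sample iptables-save output: two marker-tagged rules mixed
# with a user rule, plus one user-defined chain that nothing references.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:zone_lan_input - [0:0]
:zone_wan_input - [0:0]
:user_chain - [0:0]
:stale_chain - [0:0]
-A INPUT -i br-lan -m id --id 0xc0de -j zone_lan_input
-A INPUT -i eth0 -j user_chain
-A INPUT -i eth0 -m id --id 0xc0de -j zone_wan_input
-A zone_lan_input -p tcp --dport 22 -j ACCEPT
-A user_chain -p udp --dport 53 -j ACCEPT
COMMIT'

# Print "iptables -D ..." for every rule carrying the marker, whatever
# chain it lives in. The untagged user rule is left alone.
tagged_rule_deletes() {
    printf '%s\n' "$1" | awk -v id="$FW3_ID" '
        /^-A / && $0 ~ ("-m id --id " id "( |$)") {
            sub(/^-A /, "iptables -D "); print
        }'
}

# A chain is garbage when it is user-defined (":name - [...]"), holds no
# rules (no "-A name") and no rule jumps to it (-j name or -g name).
empty_chains() {
    printf '%s\n' "$1" | awk '
        /^:/ && $2 == "-" { sub(/^:/, "", $1); chains[$1] = 1 }
        /^-A / {
            used[$2] = 1
            for (i = 3; i <= NF; i++)
                if ($i == "-j" || $i == "-g") used[$(i + 1)] = 1
        }
        END { for (c in chains) if (!(c in used)) print c }' | sort
}

echo "# rules to delete:"
tagged_rule_deletes "$SAMPLE_RULES"
echo "# chains to garbage-collect:"
empty_chains "$SAMPLE_RULES"
```

On a live box the functions would be fed `iptables-save` output instead of the sample, and the delete lines piped to `sh`. Note that a chain emptied by those deletions (zone_wan_input above) only shows up as garbage on a second pass, since the check runs on the ruleset as given.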
ubus: print rule name when reporting errors Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Add support for netifd-generated rules Signed-off-by: Steven Barth <steven@midlink.org>
Add support for device and direction parameters Signed-off-by: Steven Barth <steven@midlink.org>
snat: add support for connlimiting port-range SNAT Signed-off-by: Steven Barth <steven@midlink.org>
snat: ICMP can be port-natted as well Signed-off-by: Steven Barth <steven@midlink.org>
nat: allow ACCEPT-target to explicitly disable NAT Signed-off-by: Steven Barth <steven@midlink.org>
Initial support for "config nat" rules - this allows configuring zone-independent SNAT and MASQUERADE rules