zones: add interface/subnet bound LOG rules

Emit LOG rules bound to the source/destination device or subnet to match the same traffic handled by the terminal REJECT/DROP rules. This fixes superfluous logging of unrelated traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Reword rule comments

Reword various rule comments to be more explicit and also annotate the flow offloading rule while we're at it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
zones: allow per-table log control

When enabling logging for a zone, logging is enabled in the filter and mangle tables. The log rule in the mangle table enables mtu_fix logging, which has the tendency to flood logs.

Allow per-table log control by making the log boolean a bit field that can be used to enable logging in the filter and/or mangle tables.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
helpers: implement explicit CT helper assignment support

Implement support for explicit per-zone conntrack helper assignment in the raw table in order to compensate for the now disabled automatic helper assignment in recent Linux kernels.

This commit adds, along with the required infrastructure, a new per-zone uci option "helper" which can be used to tie one or more CT helpers to a given zone. For example the following configuration:

    config zone
        option name lan
        option network lan
        list helper ftp
        list helper sip
        ...

will assign the FTP and SIP conntrack helpers as specified in /usr/share/fw3/helpers.conf to traffic originating from the LAN zone.

Additionally, a new boolean option "auto_helper" has been defined for both "config defaults" and "config zone" sections, with the former option overruling the latter. When the default true "option auto_helper" is set, all available helpers are automatically attached to each non-masq zone (i.e. "lan" by default). When one or more "list helper" options are specified, the zone has masquerading enabled or "auto_helper" is set to false, then the automatic helper attachment is disabled for the corresponding zone.

Furthermore, this commit introduces support for a new 'HELPER' target in "config rule" sections, along with "option helper" to match helper traffic and "option set_helper" to assign CT helpers to a stream.

Finally, "config redirect" sections support "option helper" too now, which causes fw3 to emit helper setting rules for forwarded DNAT traffic. When "option helper" is not defined for a redirect and when the global option "auto_helper" is not disabled, fw3 will pick a suitable helper based on the destination protocol and port and assign it to DNATed traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
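A fuller /etc/config/firewall fragment in the same UCI syntax, added here as an illustration and not taken from the commit: the option names helper, auto_helper, set_helper and the HELPER target are the ones the commit message introduces, while proto, dest_port, src_dport, dest_ip, masq and the rule/redirect names are standard fw3 options and constructed values assumed for the example.

```uci
config defaults
	# global default: automatic helper attachment stays on for non-masq zones
	option auto_helper 1

config zone
	option name lan
	option network lan
	# explicit helpers for lan; the list entries alone disable
	# automatic attachment for this zone
	list helper ftp
	list helper sip

config zone
	option name wan
	option network wan
	# masquerading also disables automatic helper attachment
	option masq 1

# attach the FTP helper only to control connections from lan to wan
config rule
	option name helper-ftp-lan
	option src lan
	option dest wan
	option proto tcp
	option dest_port 21
	option target HELPER
	option set_helper ftp

# accept return traffic that conntrack associates with the sip helper
config rule
	option name allow-sip-related
	option src wan
	option dest lan
	option helper sip
	option target ACCEPT

# DNAT with an explicit helper; omitting "option helper" lets fw3 pick one
# by destination protocol/port while auto_helper is not disabled
config redirect
	option name ftp-to-server
	option src wan
	option src_dport 21
	option dest lan
	option dest_ip 192.168.1.10
	option proto tcp
	option target DNAT
	option helper ftp
```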
zones: disable masq when resolving of all masq_src or masq_dest items failed

Avoid generating 0.0.0.0/0 masquerade rules when resolving of the corresponding symbolic masq_src or masq_dest value failed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
firewall3: check the return value of fw3_parse_options()

The return value of fw3_parse_options() should be checked.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
zones: drop outgoing invalid traffic in masqueraded zones

Install conntrack state invalid drop rules to catch outgoing, un-natted traffic in zones with enabled masquerading. Also introduce a new option "masq_allow_invalid" to inhibit these new drop rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
zones: do not check conntrack state in zone_*_dest_ACCEPT chains

Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow streams with state NEW or UNTRACKED.

Remove the ctstate restriction on dest accept chains to properly pass-through unrelated 3rd party traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
global: remove automatic notrack rules

With recent Kernel versions and the introduction of the conntrack routing cache there is no need to maintain performance hacks in userspace anymore, so simply drop the generation of automatic -j CT --notrack rules for zones.

This also fixes some cases where traffic is not matched for zones that do not explicitly enforce connection tracking.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
zones: properly handle multiple masq_src / masq_dest negations (FS#248)

Properly implement masquerade exceptions by using -j RETURN rules to jump out of the postrouting container chain and only emit the permuted -j MASQUERADE rules for non-negated addresses.

Fixes FS#248.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
utils.h: Avoid name clashes for setbit/delbit/hasbit

Rename to fw3_{set,del,has}bit to avoid name clashes with sys/param.h:

    /opt/toolchains/stbgcc-4.8-1.5/arm-linux-gnueabihf/sys-root/usr/include/sys/param.h:80:0: note: this is the location of the previous definition
     #define setbit(a,i) ((a)[(i)/NBBY] |= 1<<((i)%NBBY))

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
zones: allow untracked traffic as well

Now that we only allow ctstate NEW traffic by default we also need to whitelist traffic explicitly marked by --notrack.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
zones: restrict default ACCEPT rules to NEW ctstate

Restrict the per-zone default accept rules to only accept streams with conntrack state NEW when drop_invalid is disabled.

This commit hardens the firewall in order to allow disabling drop_invalid by default since ctstate INVALID also matches desired traffic like IPv6 neighbour discovery messages.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
treewide: replace jow@openwrt.org with jo@mein.io

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use xt_id match to track own rules

Instead of relying on the delegate_* chains to isolate own toplevel rules from user supplied ones, use the xt_id match to attach a magic value to fw3 rules which allows selective cleanup regardless of the container chain.

Also add an experimental "fw3 gc" call to garbage collect empty chains.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
redirects: respect src_dip option for reflection rules

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Selectively flush conntrack

Record active IP addresses in firewall state file and trigger conntrack flush for changed IP addresses on firewall reload.

Additionally trigger a complete flush on the first firewall start in order to clear out streams which might have bypassed the masquerading rules.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
zones: make forward policy destination bound

The zone forwarding policy was installed source bound, which resulted in zones with forward accept policy allowing traffic anywhere while only traffic between the zone's networks is supposed to be allowed in this case.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
make fw3_ubus_address take a list_head * argument instead of allocating & returning one

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
use calloc instead of malloc+memset

Signed-off-by: Felix Fietkau <nbd@openwrt.org>