project/firewall3.git
7 years ago: Only emit different ip family warnings if the ip wasn't automatically resolved
Jo-Philipp Wich [Sun, 26 May 2013 15:22:11 +0000 (17:22 +0200)]

7 years ago: Mark fw3_address objects that got resolved by fw3_parse_network()
Jo-Philipp Wich [Sun, 26 May 2013 15:19:39 +0000 (17:19 +0200)]

7 years ago: Change wording of inferred destination warning for redirects
Jo-Philipp Wich [Sun, 26 May 2013 15:15:47 +0000 (17:15 +0200)]

7 years ago: Replace fw3_free_zone() with the generic implementation
Jo-Philipp Wich [Sun, 26 May 2013 15:13:49 +0000 (17:13 +0200)]

7 years ago: Avoid segfault when freeing rules whose target could not be found
Jo-Philipp Wich [Sun, 26 May 2013 14:22:01 +0000 (16:22 +0200)]

7 years ago: Infer destination zone of DNAT redirects from dest_ip option
Jo-Philipp Wich [Sun, 26 May 2013 14:15:33 +0000 (16:15 +0200)]

7 years ago: Add fw3_resolve_zone_addresses() helper to obtain a list of all subnets covered by a zone
Jo-Philipp Wich [Sun, 26 May 2013 14:02:24 +0000 (16:02 +0200)]

7 years ago: Remove fw3_ubus_address_free() and use fw3_free_list() instead
Jo-Philipp Wich [Sun, 26 May 2013 13:59:53 +0000 (15:59 +0200)]

7 years ago: Add fw3_free_list() helper
Jo-Philipp Wich [Sun, 26 May 2013 13:58:17 +0000 (15:58 +0200)]

7 years ago: Fix output rules with "option dest *"
Jo-Philipp Wich [Sat, 25 May 2013 16:08:20 +0000 (18:08 +0200)]

7 years ago: Allow devices for src_ip, src_dip and dest_ip options
Jo-Philipp Wich [Sat, 25 May 2013 16:00:04 +0000 (18:00 +0200)]

7 years ago: Pass -Wl,--whole-archive and -Wl,--no-whole-archive during linking to avoid duplicate symbol issues with libgcc
Jo-Philipp Wich [Fri, 24 May 2013 11:48:52 +0000 (13:48 +0200)]

7 years ago: Don't leak memory when encountering unknown match or target
Jo-Philipp Wich [Thu, 23 May 2013 12:38:56 +0000 (14:38 +0200)]

7 years ago: Use weak function pointers to call extension init functions; this makes firewall3 independent of the features compiled into iptables
Jo-Philipp Wich [Thu, 23 May 2013 11:32:42 +0000 (13:32 +0200)]

7 years ago: Limit zone names to 14 bytes
Jo-Philipp Wich [Wed, 22 May 2013 14:09:59 +0000 (16:09 +0200)]

7 years ago: Add required ipset declarations for kernels < 3.7
Jo-Philipp Wich [Wed, 22 May 2013 13:56:59 +0000 (15:56 +0200)]

7 years ago: Further fixes for zone reloads
Jo-Philipp Wich [Wed, 22 May 2013 10:09:49 +0000 (12:09 +0200)]

7 years ago: Only perform selective reload if firewall was already running, else do a normal start.
Jo-Philipp Wich [Wed, 22 May 2013 09:55:51 +0000 (11:55 +0200)]

7 years ago: Fix another crash bug if ipsets are supported but none is declared
Jo-Philipp Wich [Tue, 21 May 2013 18:03:13 +0000 (20:03 +0200)]

7 years ago: Fix rules for custom filter chains
Jo-Philipp Wich [Tue, 21 May 2013 14:44:47 +0000 (16:44 +0200)]

7 years ago: Do not print to pipe or close command if nothing was executed
Jo-Philipp Wich [Tue, 21 May 2013 14:43:56 +0000 (16:43 +0200)]

7 years ago: Add missing libip6t_REJECT initialization
Jo-Philipp Wich [Fri, 17 May 2013 14:38:44 +0000 (16:38 +0200)]

7 years ago: Only initialize extensions we actually use
Jo-Philipp Wich [Fri, 17 May 2013 14:32:42 +0000 (16:32 +0200)]

7 years ago: Wait for ipsets to appear before continuing
Jo-Philipp Wich [Fri, 17 May 2013 13:17:48 +0000 (15:17 +0200)]

7 years ago: Restore iptables-save include functionality
Jo-Philipp Wich [Thu, 16 May 2013 20:34:49 +0000 (22:34 +0200)]

7 years ago: Also add comments for unnamed rules
Jo-Philipp Wich [Thu, 16 May 2013 20:24:20 +0000 (22:24 +0200)]

7 years ago: Only process selected family for print
Jo-Philipp Wich [Thu, 16 May 2013 20:15:27 +0000 (22:15 +0200)]

7 years ago: Include iptables command and table name in iptables debug output
Jo-Philipp Wich [Thu, 16 May 2013 20:05:19 +0000 (22:05 +0200)]

7 years ago: Add debug prints for policy setting, don't commit ruleset in print mode
Jo-Philipp Wich [Thu, 16 May 2013 19:46:51 +0000 (21:46 +0200)]

7 years ago: Rename struct fw3_rule_spec to struct fw3_chain_spec and move the declaration to options.h
Jo-Philipp Wich [Thu, 16 May 2013 19:26:56 +0000 (21:26 +0200)]

7 years ago: Remove now unused fw3_pr_rulespec()
Jo-Philipp Wich [Thu, 16 May 2013 19:25:15 +0000 (21:25 +0200)]

7 years ago: Remove now unused fw3_format_*() functions
Jo-Philipp Wich [Thu, 16 May 2013 19:23:49 +0000 (21:23 +0200)]

7 years ago: Drop iptables-restore and create rules through libiptc and libxtables
Jo-Philipp Wich [Tue, 14 May 2013 22:04:33 +0000 (00:04 +0200)]

7 years ago: Use libiptc to clear current ruleset
Jo-Philipp Wich [Mon, 13 May 2013 17:47:12 +0000 (19:47 +0200)]

7 years ago: Force fsync() after writing statefile
Jo-Philipp Wich [Wed, 8 May 2013 13:12:13 +0000 (15:12 +0200)]

7 years ago: Make reload atomic
Jo-Philipp Wich [Wed, 8 May 2013 12:47:48 +0000 (14:47 +0200)]

7 years ago: Family "any" is not applicable to ipsets, default to v4 and disallow "any"
Jo-Philipp Wich [Mon, 6 May 2013 13:10:28 +0000 (15:10 +0200)]

7 years ago: Simplify ipset external checks and optionally initialize ipset name from external value
Jo-Philipp Wich [Thu, 2 May 2013 15:43:32 +0000 (17:43 +0200)]

7 years ago: Check whether ipset exists before referencing it in rules or redirects
Jo-Philipp Wich [Thu, 2 May 2013 14:44:50 +0000 (16:44 +0200)]

7 years ago: Record device-network relation in state file, fix zone hotplug events
Jo-Philipp Wich [Thu, 2 May 2013 13:26:47 +0000 (15:26 +0200)]

7 years ago: Record default policies in state file
Jo-Philipp Wich [Tue, 30 Apr 2013 19:33:37 +0000 (21:33 +0200)]

7 years ago: Store ipset storage method and matches in state file, keep iprange and ports if set
Jo-Philipp Wich [Tue, 30 Apr 2013 19:18:15 +0000 (21:18 +0200)]

7 years ago: Send quit comment in fw3_destroy_ipsets() and initialize ipset objects with enabled = true
Jo-Philipp Wich [Tue, 30 Apr 2013 19:03:34 +0000 (21:03 +0200)]

7 years ago: Don't track family of ipsets
Jo-Philipp Wich [Tue, 30 Apr 2013 18:59:35 +0000 (20:59 +0200)]

7 years ago: Fix parsing of ipset datatypes
Jo-Philipp Wich [Tue, 30 Apr 2013 18:26:44 +0000 (20:26 +0200)]

7 years ago: Track ipsets in state file
Jo-Philipp Wich [Tue, 30 Apr 2013 18:09:20 +0000 (20:09 +0200)]

7 years ago: Write statefile flags in hexadecimal format
Jo-Philipp Wich [Tue, 30 Apr 2013 18:05:35 +0000 (20:05 +0200)]

7 years ago: Allow hex notation in int type options
Jo-Philipp Wich [Tue, 30 Apr 2013 18:03:14 +0000 (20:03 +0200)]

7 years ago: Add common fw3_address_to_string() helper function
Jo-Philipp Wich [Tue, 30 Apr 2013 17:56:39 +0000 (19:56 +0200)]

7 years ago: Remove references to unused FW3_FLAG_DELETED flag
Jo-Philipp Wich [Tue, 30 Apr 2013 17:40:41 +0000 (19:40 +0200)]

7 years ago: Remove unused "running" argument from fw3_lookup_ipset()
Jo-Philipp Wich [Tue, 30 Apr 2013 17:40:04 +0000 (19:40 +0200)]

7 years ago: Remove unused "running" argument from fw3_lookup_zone()
Jo-Philipp Wich [Tue, 30 Apr 2013 17:34:37 +0000 (19:34 +0200)]

7 years ago: Split runtime and config states, store runtime state in UCI format
Jo-Philipp Wich [Sat, 27 Apr 2013 15:20:56 +0000 (17:20 +0200)]

7 years ago: Add support for fwmark matches and targets
Jo-Philipp Wich [Fri, 5 Apr 2013 14:02:31 +0000 (16:02 +0200)]

7 years ago: Increase compatibility with old firewall by initializing protocol of rules and redirects to tcp+udp if not specified
Jo-Philipp Wich [Fri, 22 Mar 2013 15:27:34 +0000 (16:27 +0100)]

7 years ago: Fix parsing of '*' device and 'all' protocol value
Jo-Philipp Wich [Fri, 22 Mar 2013 14:07:14 +0000 (15:07 +0100)]

7 years ago: Fix DNAT port remapping rules by not emitting 0.0.0.0 in --to-destination
Jo-Philipp Wich [Thu, 21 Mar 2013 14:17:47 +0000 (15:17 +0100)]

7 years ago: Properly handle deleted zones and ipsets on restarts
Jo-Philipp Wich [Tue, 19 Mar 2013 15:00:51 +0000 (16:00 +0100)]

7 years ago: Accept network names in per-zone subnet option
Jo-Philipp Wich [Tue, 19 Mar 2013 13:48:03 +0000 (14:48 +0100)]

7 years ago: Also read addresses from "ipv6-prefix-assignment" ifstatus table
Jo-Philipp Wich [Tue, 19 Mar 2013 12:21:41 +0000 (13:21 +0100)]

7 years ago: Rework option parsing to support emitting multiple values from within a parse handler
Jo-Philipp Wich [Mon, 18 Mar 2013 18:20:22 +0000 (19:20 +0100)]

7 years ago: Implement support for "network" datatype and use it for masq_src / masq_dest
Jo-Philipp Wich [Mon, 18 Mar 2013 15:38:33 +0000 (16:38 +0100)]

7 years ago: Do not accept option src_mac for SNAT rules
Jo-Philipp Wich [Mon, 18 Mar 2013 14:55:11 +0000 (15:55 +0100)]

7 years ago: Consolidate and unify argument order for functions
Jo-Philipp Wich [Thu, 14 Mar 2013 15:07:41 +0000 (16:07 +0100)]

7 years ago: Only perform locking for start, stop, restart, reload and flush operations; this allows using fw3 network and fw3 device in includes
Jo-Philipp Wich [Thu, 14 Mar 2013 14:21:18 +0000 (15:21 +0100)]

7 years ago: Implement reload option for includes to decide whether includes should get reloaded on firewall reloads (useful when they tap into internal chains)
Jo-Philipp Wich [Thu, 14 Mar 2013 13:48:37 +0000 (14:48 +0100)]

7 years ago: Make nat reflection src address configurable by introducing a reflection_src parameter which can be set to "external" or "internal"
Jo-Philipp Wich [Wed, 13 Mar 2013 15:25:56 +0000 (16:25 +0100)]

7 years ago: Emit hotplug calls when flushing / creating zone chains
Jo-Philipp Wich [Tue, 12 Mar 2013 18:43:41 +0000 (19:43 +0100)]

7 years ago: Unify fw3_default and fw3_target enums
Jo-Philipp Wich [Wed, 13 Mar 2013 13:01:52 +0000 (14:01 +0100)]

7 years ago: Track used networks and devices in state file
Jo-Philipp Wich [Tue, 12 Mar 2013 18:34:16 +0000 (19:34 +0100)]

7 years ago: Unify print_chains() implementations in utils.c fw3_pr_rulespec()
Jo-Philipp Wich [Tue, 12 Mar 2013 15:08:46 +0000 (16:08 +0100)]

7 years ago: Include limits.h to fix compilation against eglibc
Jo-Philipp Wich [Mon, 11 Mar 2013 20:47:50 +0000 (21:47 +0100)]

7 years ago: Rework zone flush logic
Jo-Philipp Wich [Mon, 11 Mar 2013 11:46:32 +0000 (12:46 +0100)]

7 years ago: Change fw3_no_family() macro to take bit field value directly
Jo-Philipp Wich [Sun, 10 Mar 2013 20:21:03 +0000 (21:21 +0100)]

7 years ago: Cosmetic output changes
Jo-Philipp Wich [Sun, 10 Mar 2013 19:41:20 +0000 (20:41 +0100)]

7 years ago: Only run includes and set sysctls if either v4 or v6 firewall was actually started
Jo-Philipp Wich [Sun, 10 Mar 2013 19:36:33 +0000 (20:36 +0100)]

7 years ago: Introduce fw3_no_family() helper macro and use it
Jo-Philipp Wich [Sun, 10 Mar 2013 19:29:48 +0000 (20:29 +0100)]

7 years ago: Remove src_flags and running_src_flags from fw3_zone struct, rename dst_flags and running_dst_flags to flags and running_flags
Jo-Philipp Wich [Sun, 10 Mar 2013 19:19:46 +0000 (20:19 +0100)]

7 years ago: Don't store zone src_flags in statefile anymore, read and write numeric state values in hex notation
Jo-Philipp Wich [Sun, 10 Mar 2013 19:14:06 +0000 (20:14 +0100)]

7 years ago: Introduce new enum values for zone src policies and map src policy to dst_flags bitfield, making the src_flags bitfield unnecessary
Jo-Philipp Wich [Sun, 10 Mar 2013 19:09:16 +0000 (20:09 +0100)]

7 years ago: Separate running from current state flags in ipset handling, remove ipsets per family
Jo-Philipp Wich [Sun, 10 Mar 2013 18:39:39 +0000 (19:39 +0100)]

7 years ago: Get rid of redundant fw3_defaults object, instead add a running_flags bitfield to the existing fw3_defaults structure
Jo-Philipp Wich [Sun, 10 Mar 2013 18:16:55 +0000 (19:16 +0100)]

7 years ago: Properly handle per zone user chain rules by fixing multiple logic errors
Jo-Philipp Wich [Sun, 10 Mar 2013 17:17:21 +0000 (18:17 +0100)]

 * Track running zone state in separate bit fields
 * Track IPv4 and IPv6 custom chain state separately
 * Extend flag bitfields to 32 bit

7 years ago: add support for per-zone user chains
Jo-Philipp Wich [Thu, 7 Mar 2013 13:34:02 +0000 (14:34 +0100)]

7 years ago: Support abstract "tcpudp" protocol
Jo-Philipp Wich [Thu, 7 Mar 2013 10:05:15 +0000 (11:05 +0100)]

7 years ago: introduce support for enabled option in zones, forwards, rules, redirects, ipsets and includes
Jo-Philipp Wich [Sat, 2 Mar 2013 17:02:58 +0000 (18:02 +0100)]

7 years ago: use dup'ed string in fw3_parse_monthdays()
Jo-Philipp Wich [Thu, 28 Feb 2013 13:07:22 +0000 (14:07 +0100)]

7 years ago: generalize enum parsing
Jo-Philipp Wich [Thu, 28 Feb 2013 12:20:33 +0000 (13:20 +0100)]

7 years ago: remove unused notrack chain
Jo-Philipp Wich [Wed, 27 Feb 2013 21:56:01 +0000 (22:56 +0100)]

7 years ago: clear conntrack table on flush
Jo-Philipp Wich [Wed, 27 Feb 2013 13:49:09 +0000 (14:49 +0100)]

7 years ago: cosmetic change in printing of forward rules
Jo-Philipp Wich [Wed, 27 Feb 2013 13:40:51 +0000 (14:40 +0100)]

7 years ago: add debug flag to monitor fw3_pr() calls, set policies to drop during reload
Jo-Philipp Wich [Wed, 27 Feb 2013 13:16:44 +0000 (14:16 +0100)]

7 years ago: add support for setting sysctls, remove tcp_westwood option, it's not present on current kernels
Jo-Philipp Wich [Fri, 22 Feb 2013 13:30:21 +0000 (14:30 +0100)]

7 years ago: run/load includes on start
Jo-Philipp Wich [Fri, 22 Feb 2013 12:32:12 +0000 (13:32 +0100)]

7 years ago: add reload command to selectively rebuild rules (to be invoked from hotplug handler) and make the restart command flush and recreate all rules
Jo-Philipp Wich [Fri, 22 Feb 2013 11:49:33 +0000 (12:49 +0100)]

7 years ago: add support for includes
Jo-Philipp Wich [Fri, 22 Feb 2013 00:41:53 +0000 (01:41 +0100)]

7 years ago: use hasbit() to test for invert flag of weekdays and monthdays
Jo-Philipp Wich [Thu, 21 Feb 2013 22:59:06 +0000 (23:59 +0100)]

7 years ago: add time match support
Jo-Philipp Wich [Thu, 21 Feb 2013 21:42:01 +0000 (22:42 +0100)]

7 years ago: remove now unused fw3_free_list() helper
Jo-Philipp Wich [Thu, 21 Feb 2013 19:00:59 +0000 (20:00 +0100)]

7 years ago: remove ip range list hack since fw3_address can now represent true ranges
Jo-Philipp Wich [Thu, 21 Feb 2013 18:45:19 +0000 (19:45 +0100)]