oweals/firewall3.git
Jo-Philipp Wich [Wed, 22 May 2013 13:56:59 +0000 (15:56 +0200)]
Add required ipset declarations for kernels < 3.7

Jo-Philipp Wich [Wed, 22 May 2013 10:09:49 +0000 (12:09 +0200)]
Further fixes for zone reloads

Jo-Philipp Wich [Wed, 22 May 2013 09:55:51 +0000 (11:55 +0200)]
Only perform selective reload if firewall was already running, else do a normal start.

Jo-Philipp Wich [Tue, 21 May 2013 18:03:13 +0000 (20:03 +0200)]
Fix another crash bug if ipsets are supported but none is declared

Jo-Philipp Wich [Tue, 21 May 2013 14:44:47 +0000 (16:44 +0200)]
Fix rules for custom filter chains

Jo-Philipp Wich [Tue, 21 May 2013 14:43:56 +0000 (16:43 +0200)]
Do not print to pipe or close command if nothing was executed

Jo-Philipp Wich [Fri, 17 May 2013 14:38:44 +0000 (16:38 +0200)]
Add missing libip6t_REJECT initialization

Jo-Philipp Wich [Fri, 17 May 2013 14:32:42 +0000 (16:32 +0200)]
Only initialize extensions we actually use

Jo-Philipp Wich [Fri, 17 May 2013 13:17:48 +0000 (15:17 +0200)]
Wait for ipsets to appear before continuing

Jo-Philipp Wich [Thu, 16 May 2013 20:34:49 +0000 (22:34 +0200)]
Restore iptables-save include functionality

Jo-Philipp Wich [Thu, 16 May 2013 20:24:20 +0000 (22:24 +0200)]
Also add comments for unnamed rules

Jo-Philipp Wich [Thu, 16 May 2013 20:15:27 +0000 (22:15 +0200)]
Only process selected family for print

Jo-Philipp Wich [Thu, 16 May 2013 20:05:19 +0000 (22:05 +0200)]
Include iptables command and table name in iptables debug output

Jo-Philipp Wich [Thu, 16 May 2013 19:46:51 +0000 (21:46 +0200)]
Add debug prints for policy setting, don't commit ruleset in print mode

Jo-Philipp Wich [Thu, 16 May 2013 19:26:56 +0000 (21:26 +0200)]
Rename struct fw3_rule_spec to struct fw3_chain_spec and move the declaration to options.h

Jo-Philipp Wich [Thu, 16 May 2013 19:25:15 +0000 (21:25 +0200)]
Remove now unused fw3_pr_rulespec()

Jo-Philipp Wich [Thu, 16 May 2013 19:23:49 +0000 (21:23 +0200)]
Remove now unused fw3_format_*() functions

Jo-Philipp Wich [Tue, 14 May 2013 22:04:33 +0000 (00:04 +0200)]
Drop iptables-restore and create rules through libiptc and libxtables

Jo-Philipp Wich [Mon, 13 May 2013 17:47:12 +0000 (19:47 +0200)]
Use libiptc to clear current ruleset

Jo-Philipp Wich [Wed, 8 May 2013 13:12:13 +0000 (15:12 +0200)]
Force fsync() after writing statefile

Jo-Philipp Wich [Wed, 8 May 2013 12:47:48 +0000 (14:47 +0200)]
Make reload atomic

Jo-Philipp Wich [Mon, 6 May 2013 13:10:28 +0000 (15:10 +0200)]
Family "any" is not applicable to ipsets, default to v4 and disallow "any"

Jo-Philipp Wich [Thu, 2 May 2013 15:43:32 +0000 (17:43 +0200)]
Simplify ipset external checks and optionally initialize ipset name from external value

Jo-Philipp Wich [Thu, 2 May 2013 14:44:50 +0000 (16:44 +0200)]
Check whether ipset exists before referencing it in rules or redirects

Jo-Philipp Wich [Thu, 2 May 2013 13:26:47 +0000 (15:26 +0200)]
Record device-network relation in state file, fix zone hotplug events

Jo-Philipp Wich [Tue, 30 Apr 2013 19:33:37 +0000 (21:33 +0200)]
Record default policies in state file

Jo-Philipp Wich [Tue, 30 Apr 2013 19:18:15 +0000 (21:18 +0200)]
Store ipset storage method and matches in state file, keep iprange and ports if set

Jo-Philipp Wich [Tue, 30 Apr 2013 19:03:34 +0000 (21:03 +0200)]
Send quit comment in fw3_destroy_ipsets() and initialize ipset objects with enabled = true

Jo-Philipp Wich [Tue, 30 Apr 2013 18:59:35 +0000 (20:59 +0200)]
Don't track family of ipsets

Jo-Philipp Wich [Tue, 30 Apr 2013 18:26:44 +0000 (20:26 +0200)]
Fix parsing of ipset datatypes

Jo-Philipp Wich [Tue, 30 Apr 2013 18:09:20 +0000 (20:09 +0200)]
Track ipsets in state file

Jo-Philipp Wich [Tue, 30 Apr 2013 18:05:35 +0000 (20:05 +0200)]
Write statefile flags in hexadecimal format

Jo-Philipp Wich [Tue, 30 Apr 2013 18:03:14 +0000 (20:03 +0200)]
Allow hex notation in int type options

Jo-Philipp Wich [Tue, 30 Apr 2013 17:56:39 +0000 (19:56 +0200)]
Add common fw3_address_to_string() helper function

Jo-Philipp Wich [Tue, 30 Apr 2013 17:40:41 +0000 (19:40 +0200)]
Remove references to unused FW3_FLAG_DELETED flag

Jo-Philipp Wich [Tue, 30 Apr 2013 17:40:04 +0000 (19:40 +0200)]
Remove unused "running" argument from fw3_lookup_ipset()

Jo-Philipp Wich [Tue, 30 Apr 2013 17:34:37 +0000 (19:34 +0200)]
Remove unused "running" argument from fw3_lookup_zone()

Jo-Philipp Wich [Sat, 27 Apr 2013 15:20:56 +0000 (17:20 +0200)]
Split runtime and config states, store runtime state in UCI format

Jo-Philipp Wich [Fri, 5 Apr 2013 14:02:31 +0000 (16:02 +0200)]
Add support for fwmark matches and targets

Jo-Philipp Wich [Fri, 22 Mar 2013 15:27:34 +0000 (16:27 +0100)]
Increase compatibility to old firewall by initializing protocol of rules and redirects to tcp+udp if not specified

Jo-Philipp Wich [Fri, 22 Mar 2013 14:07:14 +0000 (15:07 +0100)]
Fix parsing of '*' device and 'all' protocol value

Jo-Philipp Wich [Thu, 21 Mar 2013 14:17:47 +0000 (15:17 +0100)]
Fix DNAT port remapping rules by not emitting 0.0.0.0 in --to-destination

Jo-Philipp Wich [Tue, 19 Mar 2013 15:00:51 +0000 (16:00 +0100)]
Properly handle deleted zones and ipsets on restarts

Jo-Philipp Wich [Tue, 19 Mar 2013 13:48:03 +0000 (14:48 +0100)]
Accept network names in per-zone subnet option

Jo-Philipp Wich [Tue, 19 Mar 2013 12:21:41 +0000 (13:21 +0100)]
Also read addresses from "ipv6-prefix-assignment" ifstatus table

Jo-Philipp Wich [Mon, 18 Mar 2013 18:20:22 +0000 (19:20 +0100)]
Rework option parsing to support emitting multiple values from within a parse handler

Jo-Philipp Wich [Mon, 18 Mar 2013 15:38:33 +0000 (16:38 +0100)]
Implement support for "network" datatype and use it for masq_src / masq_dest

Jo-Philipp Wich [Mon, 18 Mar 2013 14:55:11 +0000 (15:55 +0100)]
Do not accept option src_mac for SNAT rules

Jo-Philipp Wich [Thu, 14 Mar 2013 15:07:41 +0000 (16:07 +0100)]
Consolidate and unify argument order for functions

Jo-Philipp Wich [Thu, 14 Mar 2013 14:21:18 +0000 (15:21 +0100)]
Only perform locking for start, stop, restart, reload and flush operations, this allows using fw3 network and fw3 device in includes

Jo-Philipp Wich [Thu, 14 Mar 2013 13:48:37 +0000 (14:48 +0100)]
Implement reload option for includes to decide whether includes should get reloaded on firewall reloads (useful when they tap into internal chains)

Jo-Philipp Wich [Wed, 13 Mar 2013 15:25:56 +0000 (16:25 +0100)]
Make nat reflection src address configurable by introducing a reflection_src parameter which can be set to "external" or "internal"

Jo-Philipp Wich [Tue, 12 Mar 2013 18:43:41 +0000 (19:43 +0100)]
Emit hotplug calls when flushing / creating zone chains

Jo-Philipp Wich [Wed, 13 Mar 2013 13:01:52 +0000 (14:01 +0100)]
Unify fw3_default and fw3_target enums

Jo-Philipp Wich [Tue, 12 Mar 2013 18:34:16 +0000 (19:34 +0100)]
Track used networks and devices in state file

Jo-Philipp Wich [Tue, 12 Mar 2013 15:08:46 +0000 (16:08 +0100)]
Unify print_chains() implementations in utils.c fw3_pr_rulespec()

Jo-Philipp Wich [Mon, 11 Mar 2013 20:47:50 +0000 (21:47 +0100)]
Include limits.h to fix compilation against eglibc

Jo-Philipp Wich [Mon, 11 Mar 2013 11:46:32 +0000 (12:46 +0100)]
Rework zone flush logic

Jo-Philipp Wich [Sun, 10 Mar 2013 20:21:03 +0000 (21:21 +0100)]
Change fw3_no_family() macro to take bit field value directly

Jo-Philipp Wich [Sun, 10 Mar 2013 19:41:20 +0000 (20:41 +0100)]
Cosmetic output changes

Jo-Philipp Wich [Sun, 10 Mar 2013 19:36:33 +0000 (20:36 +0100)]
Only run includes and set sysctls if either v4 or v6 firewall was actually started

Jo-Philipp Wich [Sun, 10 Mar 2013 19:29:48 +0000 (20:29 +0100)]
Introduce fw3_no_family() helper macro and use it

Jo-Philipp Wich [Sun, 10 Mar 2013 19:19:46 +0000 (20:19 +0100)]
Remove src_flags and running_src_flags from fw3_zone struct, rename dst_flags and running_dst_flags to flags and running_flags

Jo-Philipp Wich [Sun, 10 Mar 2013 19:14:06 +0000 (20:14 +0100)]
Don't store zone src_flags in statefile anymore, read and write numeric state values in hex notation

Jo-Philipp Wich [Sun, 10 Mar 2013 19:09:16 +0000 (20:09 +0100)]
Introduce new enum values for zone src policies and map src policy to dst_flags bitfield, making the src_flags bitfield unnecessary

Jo-Philipp Wich [Sun, 10 Mar 2013 18:39:39 +0000 (19:39 +0100)]
Separate running from current state flags in ipset handling, remove ipsets per family

Jo-Philipp Wich [Sun, 10 Mar 2013 18:16:55 +0000 (19:16 +0100)]
Get rid of redundant fw3_defaults object, instead add a running_flags bitfield to the existing fw3_defaults structure

Jo-Philipp Wich [Sun, 10 Mar 2013 17:17:21 +0000 (18:17 +0100)]
Properly handle per zone user chain rules by fixing multiple logic errors

 * Track running zone state in separate bit fields
 * Track IPv4 and IPv6 custom chain state separately
 * Extend flag bitfields to 32 bit

Jo-Philipp Wich [Thu, 7 Mar 2013 13:34:02 +0000 (14:34 +0100)]
add support for per-zone user chains

Jo-Philipp Wich [Thu, 7 Mar 2013 10:05:15 +0000 (11:05 +0100)]
Support abstract "tcpudp" protocol

Jo-Philipp Wich [Sat, 2 Mar 2013 17:02:58 +0000 (18:02 +0100)]
introduce support for enabled option in zones, forwards, rules, redirects, ipsets and includes

Jo-Philipp Wich [Thu, 28 Feb 2013 13:07:22 +0000 (14:07 +0100)]
use dup'ed string in fw3_parse_monthdays()

Jo-Philipp Wich [Thu, 28 Feb 2013 12:20:33 +0000 (13:20 +0100)]
generalize enum parsing

Jo-Philipp Wich [Wed, 27 Feb 2013 21:56:01 +0000 (22:56 +0100)]
remove unused notrack chain

Jo-Philipp Wich [Wed, 27 Feb 2013 13:49:09 +0000 (14:49 +0100)]
clear conntrack table on flush

Jo-Philipp Wich [Wed, 27 Feb 2013 13:40:51 +0000 (14:40 +0100)]
cosmetic change in printing of forward rules

Jo-Philipp Wich [Wed, 27 Feb 2013 13:16:44 +0000 (14:16 +0100)]
add debug flag to monitor fw3_pr() calls, set policies to drop during reload

Jo-Philipp Wich [Fri, 22 Feb 2013 13:30:21 +0000 (14:30 +0100)]
add support for setting sysctls, remove tcp_westwood option, it's not present on current kernels

Jo-Philipp Wich [Fri, 22 Feb 2013 12:32:12 +0000 (13:32 +0100)]
run/load includes on start

Jo-Philipp Wich [Fri, 22 Feb 2013 11:49:33 +0000 (12:49 +0100)]
add reload command to selectively rebuild rules (to be invoked from hotplug handler) and make the restart command flush and recreate all rules

Jo-Philipp Wich [Fri, 22 Feb 2013 00:41:53 +0000 (01:41 +0100)]
add support for includes

Jo-Philipp Wich [Thu, 21 Feb 2013 22:59:06 +0000 (23:59 +0100)]
use hasbit() to test for invert flag of weekdays and monthdays

Jo-Philipp Wich [Thu, 21 Feb 2013 21:42:01 +0000 (22:42 +0100)]
add time match support

Jo-Philipp Wich [Thu, 21 Feb 2013 19:00:59 +0000 (20:00 +0100)]
remove now unused fw3_free_list() helper

Jo-Philipp Wich [Thu, 21 Feb 2013 18:45:19 +0000 (19:45 +0100)]
remove ip range list hack since fw3_address can now represent true ranges

Jo-Philipp Wich [Thu, 21 Feb 2013 18:34:58 +0000 (19:34 +0100)]
introduce support for ip ranges

Jo-Philipp Wich [Thu, 21 Feb 2013 17:49:56 +0000 (18:49 +0100)]
unify object freeing

Jo-Philipp Wich [Wed, 20 Feb 2013 20:05:45 +0000 (21:05 +0100)]
rework runtime state tracking

Jo-Philipp Wich [Wed, 20 Feb 2013 10:50:02 +0000 (11:50 +0100)]
only emit zone flush commands if the zone is active for the current family

Jo-Philipp Wich [Tue, 19 Feb 2013 23:58:02 +0000 (00:58 +0100)]
rework ipset removal logic to only purge sets that are not in use by any family

Jo-Philipp Wich [Tue, 19 Feb 2013 22:53:21 +0000 (23:53 +0100)]
print a notification if forwards are skipped due to zone family mismatch

Jo-Philipp Wich [Tue, 19 Feb 2013 21:36:31 +0000 (22:36 +0100)]
do not save state when printing rules

Jo-Philipp Wich [Tue, 19 Feb 2013 18:48:20 +0000 (19:48 +0100)]
introduce global string array for enum names, remove private arrays

Jo-Philipp Wich [Tue, 19 Feb 2013 18:32:39 +0000 (19:32 +0100)]
track used family for ipsets

Jo-Philipp Wich [Tue, 19 Feb 2013 18:29:04 +0000 (19:29 +0100)]
make enum values unique to allow using them in bitfields directly, increase flag members to 16 bit

Jo-Philipp Wich [Tue, 19 Feb 2013 18:07:13 +0000 (19:07 +0100)]
convert remaining occurrences to hasbit() / setbit() helper macros

Jo-Philipp Wich [Tue, 19 Feb 2013 17:58:22 +0000 (18:58 +0100)]
rename flag fields in structures

Jo-Philipp Wich [Tue, 19 Feb 2013 00:22:52 +0000 (01:22 +0100)]
properly deal with only v4 or only v6 start/stop/restart

Jo-Philipp Wich [Mon, 18 Feb 2013 01:54:15 +0000 (02:54 +0100)]
selectively delete chains in filter and nat tables

Jo-Philipp Wich [Sun, 17 Feb 2013 23:25:48 +0000 (00:25 +0100)]
record used zone chains in state file