1. 13 May, 2019 1 commit
  2. 07 Feb, 2019 2 commits
    • Alexander Couzens's avatar
      iptables.c: lock the xtables.lock · 8b28043f
      Alexander Couzens authored
      When using fw3 together with other applications or scripts a race conditions
      might occure. When fw3 is preparing the new tables, another
      application can use the executable `iptables` which modifies the kernel-tables.
      libxtables will notifiy this and fails when fw3 is committing the changes resulting
      in a failed firewall.
      8b28043f
    • Alexander Couzens's avatar
      utils: implement fw3_lock_path() & fw3_unlock_path() · 4270d7dd
      Alexander Couzens authored
      To lock a second lock file at the same time, introduce fw3_{un,}lock_path.
      fw3_lock_path support the path as parameter in difference to fw3_lock which
      only locks the fw3 lock file (/var/run/fw3.lock)
      4270d7dd
  3. 02 Jan, 2019 1 commit
  4. 20 Dec, 2018 2 commits
  5. 06 Dec, 2018 1 commit
  6. 13 Aug, 2018 1 commit
  7. 07 Aug, 2018 1 commit
  8. 03 Aug, 2018 1 commit
  9. 26 Jul, 2018 1 commit
  10. 16 Jul, 2018 1 commit
  11. 02 Jul, 2018 1 commit
    • Rosen Penev's avatar
      firewall3: Fix GCC8 warnings by replacing sprintf with snprintf · 72684e5b
      Rosen Penev authored
      error: ‘%u’ directive writing between 1 and 10 bytes into a region of size
      between 7 and 11 [-Werror=format-overflow=]
      sprintf(buf, "%u-%u", port->port_min, port->port_max);
                       ^~
      note: directive argument in the range [0, 2147483647]
      sprintf(buf, "%u-%u", port->port_min, port->port_max);
                   ^~~~~~~
      note: ‘sprintf’ output between 4 and 17 bytes into a destination of size
      13
      sprintf(buf, "%u-%u", port->port_min, port->port_max);
      Signed-off-by: default avatarRosen Penev <rosenp@gmail.com>
      72684e5b
  12. 19 May, 2018 1 commit
  13. 16 May, 2018 1 commit
    • Jo-Philipp Wich's avatar
      options: treat time strings as UTC times · 0e77bf29
      Jo-Philipp Wich authored
      When parsing user supplied time strings, calculate an UTC time instant by
      substracting the current zone offset from the result of mktime(3), then use
      gmtime_r(3) to turn the time_t value back into a sanitized time structure.
      
      This ensures that user supplied dates are not interpreted as local time.
      
      Fixes FS#1483.
      Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      0e77bf29
  14. 14 May, 2018 3 commits
  15. 05 Apr, 2018 1 commit
  16. 20 Mar, 2018 1 commit
  17. 13 Mar, 2018 2 commits
  18. 10 Mar, 2018 1 commit
    • Jo-Philipp Wich's avatar
      ipsets: add support for specifying entries · 41c2ab5e
      Jo-Philipp Wich authored
      Introduce a new list option "entry" which can be used to specify entries
      to add to the ipset, e.g.
      
          config ipset
            option name test
            ...
            list entry 1.2.3.4,8080
            list entry 5.6.7.8,8081
      
      Also introduce a new option "loadfile" which refers to an external file
      containing set entries to add, with one item per line.
      Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      41c2ab5e
  19. 02 Mar, 2018 1 commit
  20. 26 Feb, 2018 1 commit
    • Stijn Tintel's avatar
      zones: allow per-table log control · a3ef503e
      Stijn Tintel authored
      When enabling logging for a zone, logging is enabled in the filter and
      mangle tables. The log rule in the mangle table enables mtu_fix logging,
      which has the tendency to flood logs. Allow per-table log control by
      making the log boolean a bit field that can be used to enabled logging
      in the filter and/or mangle tables.
      Signed-off-by: default avatarStijn Tintel <stijn@linux-ipv6.be>
      a3ef503e
  21. 20 Feb, 2018 1 commit
    • Jo-Philipp Wich's avatar
      helpers: implement explicit CT helper assignment support · f50a5248
      Jo-Philipp Wich authored
      Implement support for explicit per-zone conntrack helper assignment in
      the raw table in order to compensate for the now disabled automatic
      helper assignment in recent Linux kernels.
      
      This commit adds, along with the required infrastructure, a new per-
      zone uci option "helper" which can be used to tie one or more CT helpers
      to a given zone.
      
      For example the following configuration:
      
          config zone
            option name lan
            option network lan
            list helper ftp
            list helper sip
      
      ... will assign the FTP and SIP conntrack helpers as specified in
      /usr/share/fw3/helpers.conf to traffic originating from the LAN zone.
      
      Additionally, a new boolean option "auto_helper" has been defined for
      both "config defaults" and "config zone" sections, with the former
      option overruling the latter.
      
      When the default true "option auto_helper" is set, all available helpers
      are automatically attached to each non-masq zone (i.e. "lan" by default).
      
      When one or more "list helper" options are specified, the zone has
      masquerading enabled or "auto_helper" is set to false, then the automatic
      helper attachment is disabled for the corresponding zone.
      
      Furthermore, this commit introduces support for a new 'HELPER' target in
      "config rule" sections, along with "option helper" to match helper traffic
      and "option set_helper" to assign CT helpers to a stream.
      
      Finally, "config redirect" sections support "option helper" too now,
      which causes fw3 to emit helper setting rules for forwarded DNAT traffic.
      
      When "option helper" is not defined for a redirect and when the global
      option "auto_helper" is not disabled, fw3 will pick a suitable helper
      based on the destination protocol and port and assign it to DNATed traffic.
      Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      f50a5248
  22. 13 Feb, 2018 3 commits
  23. 07 Nov, 2017 1 commit
  24. 27 May, 2017 1 commit
  25. 26 May, 2017 2 commits
  26. 17 May, 2017 1 commit
  27. 12 May, 2017 1 commit
  28. 09 May, 2017 5 commits