1. 18 Sep, 2019 1 commit
  2. 15 Sep, 2019 1 commit
  3. 08 Sep, 2019 1 commit
  4. 03 Sep, 2019 1 commit
  5. 22 Aug, 2019 2 commits
    • Alexander Couzens's avatar
      iptables.c: lock the xtables.lock · 8c404ef0
      Alexander Couzens authored
      When using fw3 together with other applications or scripts a race
      conditions might occur. When fw3 is preparing the new tables, another
      application can use the executable `iptables` which modifies the
      kernel-tables.  libxtables will notify this and fails when fw3 is
      committing the changes resulting in a failed firewall.
      
      Now waits in a while loop until the lock is gone, activate the lock
      itself and applies changes.
      
      To reproduce the bug the following two scripts should run in parrallel,
      after a few seconds the latter stop and leaves a broken firewall:
      
          while true; do iptables -N locking; done
      
      and
      
          while [ "$(iptables -w -L OUTPUT | wc -l)" -gt 2 ]; do fw3 reload; done
      
      The following message will appear
      
              Warning: iptc_commit(): Resource temporarily unavailable
      
      and connectivity is gone.
      
      Tested in an LXC and Qemu container.
      Signed-off-by: Alexander Couzens's avatarAlexander Couzens <lynxis@fe80.eu>
      [fixed waiting for unlock and commit message]
      Signed-off-by: aparcar's avatarPaul Spooren <mail@aparcar.org>
      8c404ef0
    • Alexander Couzens's avatar
      utils: implement fw3_lock_path() & fw3_unlock_path() · c1d3a4df
      Alexander Couzens authored
      To lock a second lock file at the same time, introduce fw3_{un,}lock_path.
      fw3_lock_path support the path as parameter in difference to fw3_lock which
      only locks the fw3 lock file (/var/run/fw3.lock)
      Signed-off-by: Alexander Couzens's avatarAlexander Couzens <lynxis@fe80.eu>
      c1d3a4df
  6. 19 Aug, 2019 1 commit
    • Kristian Evensen's avatar
      firewall3: ipset: Handle reload_set properly · bf29c1e7
      Kristian Evensen authored
      The reload_set option was added in commit 509e673d ("firewall3:
      Improve ipset support"), and the purpose of the option is to control if
      a set should be flushed or not on a firewall reload.
      
      In some cases, the option unfortunately does not work properly. I had
      fixed the errors locally, but failed to submit a v2 of "Improve ipset
      support". This patch contains my local fixes, and after the following
      changes are applied then the option (as well as ipset support) works as
      at least I expect.
      
      The following errors have been fixed:
      
      * "family" was not written to the state file, causing all sets read from
      this file was considered as ipv4. Save family to ensure that sets are
      handled correctly on firewall reload.
      
      * The default value of "reload_set" is false, meaning that the
      reload-check in "fw3_create_ipsets()" is always true (on reload). A
      consequence of this is that new sets are never created on firewall
      reload. In order to ensure that new sets are created, only consider
      "reload_set" if the set exists. If a set (from configuration) does not
      exist, we always want to create it.
      
      * On reload and before "fw3_destroy_ipsets()" are called, we need to
      update run_state to ensure that sets are updated correctly. We need to
      check if the sets in run_state is found in cfg_state, if not the set
      should be destroyed (done by forcing reload_set to true). If the set is
      found, then we copy the value of reload_set to the set in run_state so
      that the elements are updated as the user expects.
      
      Since we now always copy the value of reload_set from cfg_state, there
      is no need to write reload_set to run_state.
      Signed-off-by: default avatarKristian Evensen <kristian.evensen@gmail.com>
      bf29c1e7
  7. 16 Aug, 2019 1 commit
    • Kristian Evensen's avatar
      firewall3: Improve ipset support · 509e673d
      Kristian Evensen authored
      This patch is an attempt at improving the ipset support in firewall3.
      The following changes have been made:
      
      * The enabled option did not work properly for ipsets, as it was not
      checked on create/destroy of a set. After this commit, sets are only
      created/destroyed if enabled is set to true.
      
      * Add support for reloading, or recreating, ipsets on firewall reload.
      By setting "reload_set" to true, the set will be destroyed and then
      re-created when the firewall is reloaded. My use-case for "reload_set"
      was to reset sets populated by dnsmasq, without having to restart the
      firewall or resort to scripts.
      
      * Add support for the counters and comment extensions. By setting
      "counters" or "comment" to true, then counters or comments are added to
      the set.
      Signed-off-by: default avatarKristian Evensen <kristian.evensen@gmail.com>
      re-ordered additional variables
      dropped enum OPT_COMMENT & OPT_COUNTERS as unused
      implemented exponential delay whilst waiting for ipset deletion/creation
      fixed delays made firewall unresponsive for too long on reloads
      Signed-off-by: default avatarKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
      509e673d
  8. 12 Jun, 2019 1 commit
  9. 02 Jan, 2019 1 commit
  10. 20 Dec, 2018 2 commits
  11. 06 Dec, 2018 1 commit
  12. 13 Aug, 2018 1 commit
  13. 07 Aug, 2018 1 commit
  14. 03 Aug, 2018 1 commit
  15. 26 Jul, 2018 1 commit
  16. 16 Jul, 2018 1 commit
  17. 02 Jul, 2018 1 commit
    • Rosen Penev's avatar
      firewall3: Fix GCC8 warnings by replacing sprintf with snprintf · 72684e5b
      Rosen Penev authored
      error: ‘%u’ directive writing between 1 and 10 bytes into a region of size
      between 7 and 11 [-Werror=format-overflow=]
      sprintf(buf, "%u-%u", port->port_min, port->port_max);
                       ^~
      note: directive argument in the range [0, 2147483647]
      sprintf(buf, "%u-%u", port->port_min, port->port_max);
                   ^~~~~~~
      note: ‘sprintf’ output between 4 and 17 bytes into a destination of size
      13
      sprintf(buf, "%u-%u", port->port_min, port->port_max);
      Signed-off-by: default avatarRosen Penev <rosenp@gmail.com>
      72684e5b
  18. 19 May, 2018 1 commit
  19. 16 May, 2018 1 commit
    • Jo-Philipp Wich's avatar
      options: treat time strings as UTC times · 0e77bf29
      Jo-Philipp Wich authored
      When parsing user supplied time strings, calculate an UTC time instant by
      substracting the current zone offset from the result of mktime(3), then use
      gmtime_r(3) to turn the time_t value back into a sanitized time structure.
      
      This ensures that user supplied dates are not interpreted as local time.
      
      Fixes FS#1483.
      Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      0e77bf29
  20. 14 May, 2018 3 commits
  21. 05 Apr, 2018 1 commit
  22. 20 Mar, 2018 1 commit
  23. 13 Mar, 2018 2 commits
  24. 10 Mar, 2018 1 commit
    • Jo-Philipp Wich's avatar
      ipsets: add support for specifying entries · 41c2ab5e
      Jo-Philipp Wich authored
      Introduce a new list option "entry" which can be used to specify entries
      to add to the ipset, e.g.
      
          config ipset
            option name test
            ...
            list entry 1.2.3.4,8080
            list entry 5.6.7.8,8081
      
      Also introduce a new option "loadfile" which refers to an external file
      containing set entries to add, with one item per line.
      Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      41c2ab5e
  25. 02 Mar, 2018 1 commit
  26. 26 Feb, 2018 1 commit
    • Stijn Tintel's avatar
      zones: allow per-table log control · a3ef503e
      Stijn Tintel authored
      When enabling logging for a zone, logging is enabled in the filter and
      mangle tables. The log rule in the mangle table enables mtu_fix logging,
      which has the tendency to flood logs. Allow per-table log control by
      making the log boolean a bit field that can be used to enabled logging
      in the filter and/or mangle tables.
      Signed-off-by: default avatarStijn Tintel <stijn@linux-ipv6.be>
      a3ef503e
  27. 20 Feb, 2018 1 commit
    • Jo-Philipp Wich's avatar
      helpers: implement explicit CT helper assignment support · f50a5248
      Jo-Philipp Wich authored
      Implement support for explicit per-zone conntrack helper assignment in
      the raw table in order to compensate for the now disabled automatic
      helper assignment in recent Linux kernels.
      
      This commit adds, along with the required infrastructure, a new per-
      zone uci option "helper" which can be used to tie one or more CT helpers
      to a given zone.
      
      For example the following configuration:
      
          config zone
            option name lan
            option network lan
            list helper ftp
            list helper sip
      
      ... will assign the FTP and SIP conntrack helpers as specified in
      /usr/share/fw3/helpers.conf to traffic originating from the LAN zone.
      
      Additionally, a new boolean option "auto_helper" has been defined for
      both "config defaults" and "config zone" sections, with the former
      option overruling the latter.
      
      When the default true "option auto_helper" is set, all available helpers
      are automatically attached to each non-masq zone (i.e. "lan" by default).
      
      When one or more "list helper" options are specified, the zone has
      masquerading enabled or "auto_helper" is set to false, then the automatic
      helper attachment is disabled for the corresponding zone.
      
      Furthermore, this commit introduces support for a new 'HELPER' target in
      "config rule" sections, along with "option helper" to match helper traffic
      and "option set_helper" to assign CT helpers to a stream.
      
      Finally, "config redirect" sections support "option helper" too now,
      which causes fw3 to emit helper setting rules for forwarded DNAT traffic.
      
      When "option helper" is not defined for a redirect and when the global
      option "auto_helper" is not disabled, fw3 will pick a suitable helper
      based on the destination protocol and port and assign it to DNATed traffic.
      Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      f50a5248
  28. 13 Feb, 2018 3 commits
  29. 07 Nov, 2017 1 commit
  30. 27 May, 2017 1 commit
  31. 26 May, 2017 2 commits
  32. 17 May, 2017 1 commit