Skip to content
Snippets Groups Projects
Select Git revision
0 results
Search by author
  • Any Author
0 authors
  1. Sep 18, 2019
  3. Sep 15, 2019
  5. Sep 08, 2019
  7. Sep 03, 2019
  9. Aug 22, 2019
    • Alexander Couzens's avatar
      iptables.c: lock the xtables.lock · 8c404ef0
      Alexander Couzens authored 
      
When using fw3 together with other applications or scripts a race
conditions might occur. When fw3 is preparing the new tables, another
application can use the executable `iptables` which modifies the
kernel-tables.  libxtables will notify this and fails when fw3 is
committing the changes resulting in a failed firewall.

Now waits in a while loop until the lock is gone, activate the lock
itself and applies changes.

To reproduce the bug the following two scripts should run in parrallel,
after a few seconds the latter stop and leaves a broken firewall:

    while true; do iptables -N locking; done

and

    while [ "$(iptables -w -L OUTPUT | wc -l)" -gt 2 ]; do fw3 reload; done

The following message will appear

        Warning: iptc_commit(): Resource temporarily unavailable

and connectivity is gone.

Tested in an LXC and Qemu container.

Signed-off-by: Alexander Couzens's avatarAlexander Couzens <lynxis@fe80.eu>
[fixed waiting for unlock and commit message]
Signed-off-by: default avatarPaul Spooren <mail@aparcar.org>
      8c404ef0
    • Alexander Couzens's avatar
      utils: implement fw3_lock_path() & fw3_unlock_path() · c1d3a4df
      Alexander Couzens authored 
      
To lock a second lock file at the same time, introduce fw3_{un,}lock_path.
fw3_lock_path support the path as parameter in difference to fw3_lock which
only locks the fw3 lock file (/var/run/fw3.lock)

Signed-off-by: Alexander Couzens's avatarAlexander Couzens <lynxis@fe80.eu>
      c1d3a4df
  11. Aug 19, 2019
    • Kristian Evensen's avatar
      firewall3: ipset: Handle reload_set properly · bf29c1e7
      Kristian Evensen authored 
      
The reload_set option was added in commit 509e673d ("firewall3:
Improve ipset support"), and the purpose of the option is to control if
a set should be flushed or not on a firewall reload.

In some cases, the option unfortunately does not work properly. I had
fixed the errors locally, but failed to submit a v2 of "Improve ipset
support". This patch contains my local fixes, and after the following
changes are applied then the option (as well as ipset support) works as
at least I expect.

The following errors have been fixed:

* "family" was not written to the state file, causing all sets read from
this file was considered as ipv4. Save family to ensure that sets are
handled correctly on firewall reload.

* The default value of "reload_set" is false, meaning that the
reload-check in "fw3_create_ipsets()" is always true (on reload). A
consequence of this is that new sets are never created on firewall
reload. In order to ensure that new sets are created, only consider
"reload_set" if the set exists. If a set (from configuration) does not
exist, we always want to create it.

* On reload and before "fw3_destroy_ipsets()" are called, we need to
update run_state to ensure that sets are updated correctly. We need to
check if the sets in run_state is found in cfg_state, if not the set
should be destroyed (done by forcing reload_set to true). If the set is
found, then we copy the value of reload_set to the set in run_state so
that the elements are updated as the user expects.

Since we now always copy the value of reload_set from cfg_state, there
is no need to write reload_set to run_state.

Signed-off-by: default avatarKristian Evensen <kristian.evensen@gmail.com>
      bf29c1e7
  13. Aug 16, 2019
    • Kristian Evensen's avatar
      firewall3: Improve ipset support · 509e673d
      Kristian Evensen authored 
      
This patch is an attempt at improving the ipset support in firewall3.
The following changes have been made:

* The enabled option did not work properly for ipsets, as it was not
checked on create/destroy of a set. After this commit, sets are only
created/destroyed if enabled is set to true.

* Add support for reloading, or recreating, ipsets on firewall reload.
By setting "reload_set" to true, the set will be destroyed and then
re-created when the firewall is reloaded. My use-case for "reload_set"
was to reset sets populated by dnsmasq, without having to restart the
firewall or resort to scripts.

* Add support for the counters and comment extensions. By setting
"counters" or "comment" to true, then counters or comments are added to
the set.

Signed-off-by: default avatarKristian Evensen <kristian.evensen@gmail.com>
re-ordered additional variables
dropped enum OPT_COMMENT & OPT_COUNTERS as unused
implemented exponential delay whilst waiting for ipset deletion/creation
fixed delays made firewall unresponsive for too long on reloads
Signed-off-by: default avatarKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
      509e673d
  15. Jun 12, 2019
  17. Jan 02, 2019
  19. Dec 20, 2018
  21. Dec 06, 2018
  23. Aug 13, 2018
  25. Aug 07, 2018
  27. Aug 03, 2018
  29. Jul 26, 2018
  31. Jul 16, 2018
  33. Jul 02, 2018
    • Rosen Penev's avatar
      firewall3: Fix GCC8 warnings by replacing sprintf with snprintf · 72684e5b
      Rosen Penev authored 
      
error: ‘%u’ directive writing between 1 and 10 bytes into a region of size
between 7 and 11 [-Werror=format-overflow=]
sprintf(buf, "%u-%u", port->port_min, port->port_max);
                 ^~
note: directive argument in the range [0, 2147483647]
sprintf(buf, "%u-%u", port->port_min, port->port_max);
             ^~~~~~~
note: ‘sprintf’ output between 4 and 17 bytes into a destination of size
13
sprintf(buf, "%u-%u", port->port_min, port->port_max);

Signed-off-by: default avatarRosen Penev <rosenp@gmail.com>
      72684e5b
  35. May 19, 2018
  37. May 16, 2018
    • Jo-Philipp Wich's avatar
      options: treat time strings as UTC times · 0e77bf29
      Jo-Philipp Wich authored 
      
When parsing user supplied time strings, calculate an UTC time instant by
substracting the current zone offset from the result of mktime(3), then use
gmtime_r(3) to turn the time_t value back into a sanitized time structure.

This ensures that user supplied dates are not interpreted as local time.

Fixes FS#1483.

Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      0e77bf29
  39. May 14, 2018
  41. Apr 05, 2018
  43. Mar 20, 2018
  45. Mar 13, 2018
  47. Mar 10, 2018
    • Jo-Philipp Wich's avatar
      ipsets: add support for specifying entries · 41c2ab5e
      Jo-Philipp Wich authored 
      
Introduce a new list option "entry" which can be used to specify entries
to add to the ipset, e.g.

    config ipset
      option name test
      ...
      list entry 1.2.3.4,8080
      list entry 5.6.7.8,8081

Also introduce a new option "loadfile" which refers to an external file
containing set entries to add, with one item per line.

Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      41c2ab5e
  49. Mar 02, 2018
  51. Feb 26, 2018
    • Stijn Tintel's avatar
      zones: allow per-table log control · a3ef503e
      Stijn Tintel authored 
      
When enabling logging for a zone, logging is enabled in the filter and
mangle tables. The log rule in the mangle table enables mtu_fix logging,
which has the tendency to flood logs. Allow per-table log control by
making the log boolean a bit field that can be used to enabled logging
in the filter and/or mangle tables.

Signed-off-by: default avatarStijn Tintel <stijn@linux-ipv6.be>
      a3ef503e
  53. Feb 20, 2018
    • Jo-Philipp Wich's avatar
      helpers: implement explicit CT helper assignment support · f50a5248
      Jo-Philipp Wich authored 
      
Implement support for explicit per-zone conntrack helper assignment in
the raw table in order to compensate for the now disabled automatic
helper assignment in recent Linux kernels.

This commit adds, along with the required infrastructure, a new per-
zone uci option "helper" which can be used to tie one or more CT helpers
to a given zone.

For example the following configuration:

    config zone
      option name lan
      option network lan
      list helper ftp
      list helper sip

... will assign the FTP and SIP conntrack helpers as specified in
/usr/share/fw3/helpers.conf to traffic originating from the LAN zone.

Additionally, a new boolean option "auto_helper" has been defined for
both "config defaults" and "config zone" sections, with the former
option overruling the latter.

When the default true "option auto_helper" is set, all available helpers
are automatically attached to each non-masq zone (i.e. "lan" by default).

When one or more "list helper" options are specified, the zone has
masquerading enabled or "auto_helper" is set to false, then the automatic
helper attachment is disabled for the corresponding zone.

Furthermore, this commit introduces support for a new 'HELPER' target in
"config rule" sections, along with "option helper" to match helper traffic
and "option set_helper" to assign CT helpers to a stream.

Finally, "config redirect" sections support "option helper" too now,
which causes fw3 to emit helper setting rules for forwarded DNAT traffic.

When "option helper" is not defined for a redirect and when the global
option "auto_helper" is not disabled, fw3 will pick a suitable helper
based on the destination protocol and port and assign it to DNATed traffic.

Signed-off-by: default avatarJo-Philipp Wich <jo@mein.io>
      f50a5248
  55. Feb 13, 2018
  57. Nov 07, 2017
  59. May 27, 2017
  61. May 26, 2017
  63. May 17, 2017