firewall: config: remove restictions on DHCPv6 allow rule Remove restrictions on source and destination addresses, which aren't specified on RFC8415, and for some reason in openwrt are configured to allow both link-local and ULA addresses. As cleared out in issue #5066 there are some ISPs that use Gloabal Unicast addresses, so fix this rule to allow them. Fixes: #5066 Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com> [rebase onto firewall3, clarify subject, bump PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
iptables: move libiptext* to their own packages iptables-nft doesn't depend on libip{4,6}tc, so move libiptext* libs in their own packages to clean up dependencies Rename libxtables-nft to libiptext-nft Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
firewall: update to latest HEAD 0f16ea5 options.c: add DSCP code LE Least Effort 24ba465 firewall3: remove redundant syn check df1306a firewall3: fix locking issue 3624c37 firewall3: support table load on access on Linux 5.15+ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
firewall/firewall4: provide uci-firewall Provide uci-firewall via PROVIDES in both firewall and firewall4. This will allow us to change the dependency of luci-app-firewall to uci-firewall, making it possible to use it with either implementation. Move CONFLICTS from firewall4 to firewall, to solve this recursive dependency problem: tmp/.config-package.in:307:error: recursive dependency detected! tmp/.config-package.in:307: symbol PACKAGE_firewall is selected by PACKAGE_firewall4 tmp/.config-package.in:328: symbol PACKAGE_firewall4 depends on PACKAGE_firewall Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Reviewed-by: Jo-Philipp Wich <jo@mein.io>
firewall3: update to latest git HEAD This includes several improvements and fixes: 61db17e rules: fix device and chain usage for DSCP/MARK targets 7b844f4 zone: avoid duplicates in devices list c2c72c6 firewall3: remove last remaining sprintf() 12f6f14 iptables: fix serializing multiple weekdays 00f27ab firewall3: fix duplicate defaults section detection e8f2d8f ipsets: allow blank/commented lines with loadfile 8c2f9fa fw3: zones: limit zone names to 11 bytes 78d52a2 options: fix parsing of boolean attributes Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
firewall: bump to version 2020-07-05 Changes since last source version e9b90df zones: apply tcp mss clamping also on ingress path 050816a redirects: fix segmentation fault f62a52b treewide: replace unsafe string functions 23cc543 improve reload logic 9d7f49d redurects: add support to define multiple zones for dnat reflection rules f87d0b0 firewall3: defaults: fix uci flow_offloading option fe9602c rules: fix typo 7cc2a84 defaults: robustify flow table detection. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
firewall: add rule for traceroute support Running your firewall's "wan" zone in REJECT zone (1) exposes the presence of the router, (2) depending on the sophistication of fingerprinting tools might identify the OS and release running on the firewall which then identifies known vulnerabilities with it and (3) perhaps most importantly of all, your firewall can be used in a DDoS reflection attack with spoofed traffic generating ICMP Unreachables or TCP RST's to overwhelm a victim or saturate his link. This rule, when enabled, allows traceroute to work even when the default input policy of the firewall for the wan zone has been set to DROP. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
firewall: improve ipset support Bump to latest git HEAD 509e673 firewall3: Improve ipset support The enabled option did not work properly for ipsets, as it was not checked on create/destroy of a set. After this commit, sets are only created/destroyed if enabled is set to true. Add support for reloading, or recreating, ipsets on firewall reload. By setting "reload_set" to true, the set will be destroyed and then re-created when the firewall is reloaded. Add support for the counters and comment extensions. By setting "counters" or "comment" to true, then counters or comments are added to the set. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>