<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall3, branch master</title>
<subtitle>OpenWrt firewall configuration utility</subtitle>
<id>https://git.openwrt.org/project/firewall3/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/firewall3/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/'/>
<updated>2025-10-03T17:31:11Z</updated>
<entry>
<title>build: require CMake &gt;= 3.10 due to dropped legacy support</title>
<updated>2025-10-03T17:31:11Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2025-10-03T17:31:11Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=3a65fde5a3e675fdf2a24cb3f5d12d0a426be36e'/>
<id>urn:sha1:3a65fde5a3e675fdf2a24cb3f5d12d0a426be36e</id>
<content type='text'>
CMake version 4.0 and later require a minimum version of 3.5 or later.
Update to minimum version 3.10, which is the last non-deprecated minimum
version.

CMake 3.10 was released in November 2017 and is included in Ubuntu 18.04.

Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>defaults.c: fix ipv6 flow offloading</title>
<updated>2024-10-18T06:00:26Z</updated>
<author>
<name>Felix Fietkau</name>
</author>
<published>2024-10-18T06:00:20Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=1aef9791a21e3d15d4357060f09a7bb9ed3d6e4e'/>
<id>urn:sha1:1aef9791a21e3d15d4357060f09a7bb9ed3d6e4e</id>
<content type='text'>
The xt_FLOWOFFLOAD target expects that par-&gt;thoff points to the beginning
of the TCP header. For IPv4 that is always the case. However, on IPv6, the
field is only initialized if a protocol match was performed.
Simply matching any protocol (protocol = 0) is enough to trigger the thoff
initialization, so add it to the emitted rule.

Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
</content>
</entry>
<entry>
<title>iptables: fix regression with unintended free in need_protomatch</title>
<updated>2023-06-10T19:08:23Z</updated>
<author>
<name>Christian Marangi</name>
</author>
<published>2023-06-10T16:56:11Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=bf1d5fdf623473419f8f738fc9071fee84cb13e5'/>
<id>urn:sha1:bf1d5fdf623473419f8f738fc9071fee84cb13e5</id>
<content type='text'>
xtables_find_match's memory allocation is funny. It can return something
allocated in a linked list, or return a just-allocated match clone which is
never freed.

This caused confusion and led to a broken patch where an unintended free
is done in the case of an entry that was not cloned.
xtables_find_match has a way to communicate that the entry is cloned: by
returning a looping linked list where the next entry is the same entry.
We can use this to understand when the entry has to be freed.

Fixes: ffba75c9cd8f ("iptables: free xtables_match if found in need_protomatch")
Signed-off-by: Christian Marangi &lt;ansuelsmth@gmail.com&gt;
Tested-by: Rui Salvaterra &lt;rsalvaterra@gmail.com&gt;
</content>
</entry>
<entry>
<title>iptables: free xtables_match if found in need_protomatch</title>
<updated>2023-05-29T12:46:49Z</updated>
<author>
<name>Christian Marangi</name>
</author>
<published>2023-05-29T12:46:49Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=ffba75c9cd8f96ef34b7b3ab35315ce66ba8f37d'/>
<id>urn:sha1:ffba75c9cd8f96ef34b7b3ab35315ce66ba8f37d</id>
<content type='text'>
Fix Coverity Scan ID 1529284 by freeing the xtables_match from
xtables_find_match if found.

Signed-off-by: Christian Marangi &lt;ansuelsmth@gmail.com&gt;
</content>
</entry>
<entry>
<title>Revert "firewall3: support table load on access on Linux 5.15+"</title>
<updated>2022-02-21T23:22:06Z</updated>
<author>
<name>Rui Salvaterra</name>
</author>
<published>2022-02-17T10:24:04Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=4cd7d4f36bea731bf901cb067456f1d460294926'/>
<id>urn:sha1:4cd7d4f36bea731bf901cb067456f1d460294926</id>
<content type='text'>
Handled more elegantly in the previous commit.

Signed-off-by: Rui Salvaterra &lt;rsalvaterra@gmail.com&gt;
</content>
</entry>
<entry>
<title>firewall3: remove unnecessary fw3_has_table</title>
<updated>2022-02-21T23:21:09Z</updated>
<author>
<name>Wenli Looi</name>
</author>
<published>2021-06-10T04:51:06Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=50979cc9c3805a72145440299b5c78e1be25c473'/>
<id>urn:sha1:50979cc9c3805a72145440299b5c78e1be25c473</id>
<content type='text'>
Given that firewall3 already skips the table when fw3_ipt_open fails,
there is no need for fw3_has_table.

Furthermore, /proc/net/ip_tables_names is not reliable under linux
containers (e.g. Docker/LXC/LXD). This patch will remove the need for
existing hacks required for OpenWrt to run on those platforms.

Reviewed-by: Rui Salvaterra &lt;rsalvaterra@gmail.com&gt;
Tested-by: Rui Salvaterra &lt;rsalvaterra@gmail.com&gt;
Tested-by: Ansuel Smith &lt;ansuelsmth@gmail.com&gt;
Signed-off-by: Wenli Looi &lt;wlooi@ucalgary.ca&gt;
</content>
</entry>
<entry>
<title>options.c: add DSCP code LE Least Effort</title>
<updated>2022-01-09T23:33:32Z</updated>
<author>
<name>Kevin Darbyshire-Bryant</name>
</author>
<published>2022-01-08T23:42:27Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=0f16ea5f055722a532d4e68c7ba34ed084b48b37'/>
<id>urn:sha1:0f16ea5f055722a532d4e68c7ba34ed084b48b37</id>
<content type='text'>
RFC-8622 implements a low priority DSCP marking called 'Least Effort' or
'LE'. Instead of prioritising traffic in varying degrees, this defines a
scum class of packet that really is the lowest of the low and you may
consider forwarding if you really have nothing better to do.

This patch adds LE class support to firewall3.

Signed-off-by: Kevin Darbyshire-Bryant &lt;ldir@darbyshire-bryant.me.uk&gt;
</content>
</entry>
<entry>
<title>firewall3: remove redundant syn check</title>
<updated>2022-01-08T11:33:58Z</updated>
<author>
<name>Kevin Darbyshire-Bryant</name>
</author>
<published>2021-04-25T17:40:52Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=24ba465b8a6793588d116297a017aefbf6f339d3'/>
<id>urn:sha1:24ba465b8a6793588d116297a017aefbf6f339d3</id>
<content type='text'>
syn_flood chain entry is guarded by '--syn' checks in the calling chains, so the
syn_flood chain doesn't need to check packet flags, it only needs to count and
potentially drop.

Signed-off-by: Kevin Darbyshire-Bryant &lt;ldir@darbyshire-bryant.me.uk&gt;
</content>
</entry>
<entry>
<title>firewall3: fix locking issue</title>
<updated>2022-01-08T11:33:49Z</updated>
<author>
<name>Florian Eckert</name>
</author>
<published>2021-11-19T08:51:02Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=df1306a96127e91ff2d513a0a67345baaf61d113'/>
<id>urn:sha1:df1306a96127e91ff2d513a0a67345baaf61d113</id>
<content type='text'>
By calling the command 'fw3 reload' several times at the same time, I
noticed that the locking was not working properly. It happened from time
to time that some firewall rules were present twice in the system!

By removing the 'unlink' system call, this error no longer occurred on my
systems.

Since fw3 does not run as a service, it makes no sense to delete this
lock file every time a file handle is no longer open on this lock file,
because the fw3 binary is not running.

If fw3 does run as a service then we can remove this lock file on
service stop. But this is not the case for fw3.

Signed-off-by: Florian Eckert &lt;fe@dev.tdt.de&gt;
</content>
</entry>
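The lock-file race that the commit above describes, as an added example that is not firewall3 code and not the commit author's code: it shows why unlinking a flock()'d lock file on release lets two contenders hold "the lock" at once, and why simply closing the descriptor fixes it. It assumes Linux/BSD flock() semantics (the lock lives on the open file description and its inode, not on the path name), and it stands in for two concurrent `fw3 reload` runs with two independent open() calls inside one process, since flock() treats each open() as a separate lock holder. The file name `fw3.lock` under a temporary directory is a constructed stand-in for the real lock path.

```python
"""Added example (not firewall3 code): unlink-on-release breaks flock()
mutual exclusion. Assumes Linux/BSD flock() semantics; two descriptors
opened within one process model two concurrent `fw3 reload` invocations."""
import fcntl
import os
import tempfile


def try_lock(path):
    """Open `path` (creating it if needed) and try a non-blocking exclusive
    flock. Returns (fd, acquired)."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return fd, True
    except BlockingIOError:
        return fd, False


def release_buggy(fd, path):
    """The behaviour the commit removes: unlink the lock file on release.
    Any contender that already opened the old inode keeps waiting on it,
    while a later contender creates a fresh inode under the same name and
    locks that one unhindered."""
    os.unlink(path)
    os.close(fd)


def release_fixed(fd, path):
    """Just close the descriptor; the file stays in place, so every
    contender locks the same inode."""
    os.close(fd)


def run_scenario(unlink_on_release):
    """Simulate: A holds the lock, B is blocked on it, A releases, B wins,
    then a late contender C arrives by path name. Returns True if C could
    take the lock while B holds it, i.e. if mutual exclusion broke."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fw3.lock")   # constructed stand-in path
        fd_a, got_a = try_lock(path)
        assert got_a
        fd_b, got_b = try_lock(path)         # B: same inode, must block
        assert not got_b
        if unlink_on_release:
            release_buggy(fd_a, path)
        else:
            release_fixed(fd_a, path)
        # B retries on its already-open descriptor and now acquires it.
        fcntl.flock(fd_b, fcntl.LOCK_EX | fcntl.LOCK_NB)
        # C arrives afterwards and opens `path` by name.
        fd_c, got_c = try_lock(path)
        os.close(fd_c)
        os.close(fd_b)
        return got_c                          # True: two holders at once


if __name__ == "__main__":
    print("unlink on release -> concurrent holders:", run_scenario(True))
    print("keep lock file    -> concurrent holders:", run_scenario(False))
```

With unlink on release, C's open() creates a new inode, so its flock() succeeds while B still holds the lock on the old, now-unlinked inode; that is exactly how two `fw3 reload` runs can both proceed and install duplicate rules. Leaving the file in place costs nothing, since an unlocked lock file is inert, which is the point the commit makes about fw3 not being a long-running service.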
<entry>
<title>firewall3: support table load on access on Linux 5.15+</title>
<updated>2022-01-08T11:33:39Z</updated>
<author>
<name>Ansuel Smith</name>
</author>
<published>2022-01-07T17:22:17Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall3/commit/?id=3624c3786601699b6e7f9d18209fad0d7c6fe4e9'/>
<id>urn:sha1:3624c3786601699b6e7f9d18209fad0d7c6fe4e9</id>
<content type='text'>
With Linux 5.15+, tables are loaded on access. Firewall3 uses the
ip{,6}_tables_names proc entries to check if a table exists. In this new
implementation, the proc entries can contain wrong data if a table is present
but never used, and firewall3 will incorrectly think that the table is
unavailable. This causes configuration problems, since after a normal boot the
proc entries contain only the "filter" table and are missing "raw", "mangle" and
"nat".

To fix this, "poke" the tables to load them, simply by opening and closing them
without doing any operation. This simple operation is sufficient to make the
missing tables appear in the proc entries.

Signed-off-by: Ansuel Smith &lt;ansuelsmth@gmail.com&gt;
[Reword the commit message and code comment]
Signed-off-by: Rui Salvaterra &lt;rsalvaterra@gmail.com&gt;
</content>
</entry>
</feed>
