<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall4, branch master</title>
<subtitle>OpenWrt nftables firewall</subtitle>
<id>https://git.openwrt.org/project/firewall4/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/firewall4/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/'/>
<updated>2025-03-17T17:36:00Z</updated>
<entry>
<title>fw4: fix reading kernel version</title>
<updated>2025-03-17T17:36:00Z</updated>
<author>
<name>Mieczyslaw Nalewaj</name>
</author>
<published>2024-11-20T17:52:26Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=b6e5157527d361f99ad52eaa6da273cb0f2dfd59'/>
<id>urn:sha1:b6e5157527d361f99ad52eaa6da273cb0f2dfd59</id>
<content type='text'>
Fix reading the kernel version for kernels with revision 0, e.g. 6.12.
Repair the incorrect shift of the revision number causing an incorrect value for &gt; 255.

Signed-off-by: Mieczyslaw Nalewaj &lt;namiltd@yahoo.com&gt;
</content>
</entry>
<entry>
<title>fw4: allow family `any` for ipsets not matching IP addresses</title>
<updated>2025-03-17T16:08:52Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-07-27T13:36:52Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=42d3b3d4ca214d967eabb1138be386ddd0665726'/>
<id>urn:sha1:42d3b3d4ca214d967eabb1138be386ddd0665726</id>
<content type='text'>
When filtering by MAC address, it is usually necessary to filter both IPv4
and IPv6.

If it is not allowed to set the family of ipset to any, it will be necessary
to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien &lt;i@zsien.cn&gt;
[fix redirect cases, reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>Revert "fw4: allow family `any` for ipsets not matching IP addresses"</title>
<updated>2025-03-17T15:49:39Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2025-03-17T15:49:34Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=edfdfc6df48477e449935955d637b5f957f6c825'/>
<id>urn:sha1:edfdfc6df48477e449935955d637b5f957f6c825</id>
<content type='text'>
This reverts commit ad3cba79c19209beaff61279338b1146b343cdc1.

The proposed change does not cover all cases.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>config: drop to-be-forwarded-nowhere packets on wans</title>
<updated>2025-03-17T15:46:41Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2024-02-29T14:17:03Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=97962771aa3c490d6186e64015f85dd66254fdf0'/>
<id>urn:sha1:97962771aa3c490d6186e64015f85dd66254fdf0</id>
<content type='text'>
Dropping packets with no clear forward destination is nicer than rejecting
them, especially when some providers punish users for spoofing caused by
their noisy infra.

Fixes: https://github.com/openwrt/openwrt/issues/13340
Signed-Off-By: Andris PE &lt;neandris@gmail.com&gt;
</content>
</entry>
<entry>
<title>init: remove unnecessary stop logic</title>
<updated>2025-03-17T15:44:40Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2024-09-02T15:38:59Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=00fc6943a29732375addf72a12f2381df5b25428'/>
<id>urn:sha1:00fc6943a29732375addf72a12f2381df5b25428</id>
<content type='text'>
Always remove table and service state to have a consistent, cleaned-up
system state on exit even if the user intentionally dropped our table.
Removes the dependency on grep as a consequence.

Ref: https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
Supersedes: https://github.com/openwrt/firewall4/pull/33
Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
</content>
</entry>
<entry>
<title>fw4: allow family `any` for ipsets not matching IP addresses</title>
<updated>2025-03-17T15:41:09Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-07-27T13:36:52Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=ad3cba79c19209beaff61279338b1146b343cdc1'/>
<id>urn:sha1:ad3cba79c19209beaff61279338b1146b343cdc1</id>
<content type='text'>
When filtering by MAC address, it is usually necessary to filter both IPv4
and IPv6.

If it is not allowed to set the family of ipset to any, it will be necessary
to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien &lt;i@zsien.cn&gt;
[reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>init: use the reload data trigger to reload firewall on procd data changes</title>
<updated>2024-12-18T09:34:15Z</updated>
<author>
<name>Felix Fietkau</name>
</author>
<published>2024-12-17T19:05:44Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=18fc0ead19faf06b8ce7ec5be84957278e942dfa'/>
<id>urn:sha1:18fc0ead19faf06b8ce7ec5be84957278e942dfa</id>
<content type='text'>
This allows properly handling dynamic changes to firewall rules added via
procd data.

Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
</content>
</entry>
<entry>
<title>fw4: skip not existing netdev names in flowtable device list</title>
<updated>2024-06-03T14:49:40Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-06-03T14:49:40Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=dfbcc1cd127c78fc61bb870d36d2512b571d223b'/>
<id>urn:sha1:dfbcc1cd127c78fc61bb870d36d2512b571d223b</id>
<content type='text'>
In case interface configurations are present which refer to non-existent
network devices, such device names might end up in the flowtable list,
leading to `No such file or directory` errors when attempting to load
the resulting ruleset.

Solve this issue by testing for each netdev name whether it refers to
an existing device.

Fixes: e009588 ("fw4: do not add physical devices for soft offload")
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: do not add physical devices for soft offload</title>
<updated>2024-05-31T22:13:05Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-03-15T08:49:33Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=e00958884416f59b273595f941d198de63acc1dd'/>
<id>urn:sha1:e00958884416f59b273595f941d198de63acc1dd</id>
<content type='text'>
Let kernel heuristics take care of offloading decapsulation.

When software flow offloading is requested, avoid manually resolving and
adding lower physical devices to the flow table in order to let kernel
heuristics deal with the proper offloading en/decapsulation.

Fixes: https://github.com/openwrt/openwrt/issues/13410
Ref: https://github.com/openwrt/openwrt/issues/10224
Submitted-by: Andris PE &lt;neandris@gmail.com&gt;
[refactor code, reword commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: substitute double quotes in strings</title>
<updated>2024-05-21T06:54:02Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-05-21T06:54:02Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=4c01d1ebf99e8ecfa69758a9b4f450ecef7b93cd'/>
<id>urn:sha1:4c01d1ebf99e8ecfa69758a9b4f450ecef7b93cd</id>
<content type='text'>
The nftables parser has no concept of escape characters in quoted strings,
nor does it support alternative quoting styles, so it is currently
impossible to emit double quoted strings containing double quotes.

This could cause nftables to choke on generated rulesets that contain
strings with embedded quotes, e.g. within firewall rule comments.

Since firewall3 (iptables based) historically allowed arbitrary characters
in comments and since we want to stay backwards compatible with existing
uci configurations we can not restrict the allowed input values either.

Work around the issue by substituting all double quotes with single quotes
when quoting strings for interpolation into the ruleset.

Fixes: https://github.com/openwrt/luci/issues/7091
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
</feed>
