firewall4/root/etc, branch master OpenWrt nftables firewall https://git.openwrt.org/project/firewall4/atom?h=master 2025-03-17T15:46:41Z config: drop to-be-forwarded-nowhere packets on wans 2025-03-17T15:46:41Z Andris PE 2024-02-29T14:17:03Z urn:sha1:97962771aa3c490d6186e64015f85dd66254fdf0 Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: https://github.com/openwrt/openwrt/issues/13340 Signed-Off-By: Andris PE <neandris@gmail.com> init: use the reload data trigger to reload firewall on procd data changes 2024-12-18T09:34:15Z Felix Fietkau 2024-12-17T19:05:44Z urn:sha1:18fc0ead19faf06b8ce7ec5be84957278e942dfa This allows properly handling dynamic changes to firewall rules added via procd data. Signed-off-by: Felix Fietkau <nbd@nbd.name> config: drop input traffic by default 2022-11-02T15:24:20Z Baptiste Jonglez 2022-11-02T15:06:47Z urn:sha1:6443ec7805295de07f6051662065a16b4a194f19 This is necessary with firewall4 to avoid a hard-to-diagnose race condition during boot, causing DNAT rules not to be taken into account correctly. The root cause is that, during boot, the ruleset is mostly empty, and interface-related rules (including DNAT rules) are added incrementally. If a packet hits the input chain before the DNAT rules are setup, it can create buggy conntrack entries that will persist indefinitely. This new default should be safe because firewall4 explicitly accepts authorized traffic and rejects the rest. Thus, in normal operations, the default policy is not used. Fixes: #10749 Ref: https://github.com/openwrt/openwrt/issues/10749 Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> hotplug: reliably handle interfaces with ubus zone hints 2022-05-20T10:12:38Z Jo-Philipp Wich 2022-05-20T10:12:38Z urn:sha1:628d7917ea03a24de43a35fd90894cf8d5d62dc0 So far, the firewall hotplug did not initiate a reload for interfaces which are not covered in the firewall configuration but provide a zone hint in their ubus data section. Extend the hotplug script to handle this case by checking whether a zone hint is present and if the requested zone exists in the configuration if a direct zone lookup fails. Fixes: #9611 Signed-off-by: Jo-Philipp Wich <jo@mein.io> config: remove restictions on DHCPv6 allow rule 2022-05-04T13:22:53Z Tiago Gaspar 2022-05-04T09:36:07Z urn:sha1:72b196da6852673a12aa7fb5e251d90bc9a191d4 Remove restrictions on source and destination addresses, which aren't specified on RFC8415, and for some reason in openwrt are configured to allow both link-local and ULA addresses. As cleared out in issue #5066 there are some ISPs that use Gloabal Unicast addresses, so fix this rule to allow them. Fixes: #5066 Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com> init: fix boot action in init script 2022-02-07T18:01:30Z Jo-Philipp Wich 2022-02-07T18:01:04Z urn:sha1:ac99eba7d39c2ba8fa0c5335ea1e8943d8885c24 We need to call `start()` instead of `start_service()` from `boot()` in order to properly register the firewall service. Signed-off-by: Jo-Philipp Wich <jo@mein.io> Initial commit 2021-03-19T18:26:04Z Jo-Philipp Wich 2021-03-19T18:26:04Z urn:sha1:59dbb982b7fefa480196dec03ba51c4f8c4dd7ae Signed-off-by: Jo-Philipp Wich <jo@mein.io>