firewall4/root/sbin, branch masterOpenWrt nftables firewallhttps://git.openwrt.org/project/firewall4/atom?h=master2025-03-17T15:44:40Zinit: remove unnecessary stop logic2025-03-17T15:44:40ZAndris PE2024-09-02T15:38:59Zurn:sha1:00fc6943a29732375addf72a12f2381df5b25428
Always remove table and service state to have consistent cleaned up
system state on exit even if user intentionally dropped our table.
Removes dependency on grep as a consequence.
Ref: https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
Supersedes: https://github.com/openwrt/firewall4/pull/33
Signed-off-by: Andris PE <neandris@gmail.com>
cli: introduce test mode and refuse firewall restart on errors2022-09-01T10:19:14ZJo-Philipp Wich2022-09-01T10:11:44Zurn:sha1:f5fcdcf2c51f6f0a4b116c352000c4fe0523be77
- Introduce a new `fw4 [-q] check` command which tests the rendered ruleset
using nftables' --check mode. This is useful to assert complex rulesets
using external includes for correctness.
- Extend the `fw4 restart` command to check the rendered ruleset before
flushing the existing ruleset.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
fw4: add support for configurable includes2022-06-15T11:32:17ZJo-Philipp Wich2022-06-13T13:49:14Zurn:sha1:11256ff0374fb594e31b0a4e3857f3810ba2933d
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
fw4: prefer /dev/stdin if available2022-05-31T18:55:36ZJo-Philipp Wich2022-05-31T18:55:36Zurn:sha1:210991df51587bdb736b4fc74b1200ec6cf6ecc7
The nftables executable treats `-` and `/dev/stdin` specially when processing
nft scripts from stdin; it will buffer the contents in order to be able to
print detailled error diagnostics. The `/proc/self/fd/0` path used by `fw4`
does not get this special treatment which will lead to nftables error
messages without any reported context.
Make the `fw4` executable prefer `/dev/stdin` in case it exists and fall back
to using `/proc/self/fd/0` as before.
Ref: https://github.com/openwrt/openwrt/issues/9927
Ref: https://git.openwrt.org/50bc06e774f89517f98c89c76a7626f35c3ff659
Ref: https://git.netfilter.org/nftables/tree/src/libnftables.c?h=v1.0.3#n733
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
fw4: make `fw4 restart` behavior more robust2022-05-31T07:36:20ZJo-Philipp Wich2022-05-31T07:36:20Zurn:sha1:4e5e3226260a7a67dce325314d0926745727bab0
Start the firewall on `fw4 restart` even if it was not previously started.
Ref: #9935
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
treewide: forward compatibility changes2022-03-22T20:05:17ZJo-Philipp Wich2022-03-22T18:17:22Zurn:sha1:fde80708d63d54be18037c598d1e6aef0c65ca08
Adapt testsuite code and fw4 wrapper to current ucode HEAD semantics,
in particular ensure that main.uc is invoked as template since ucode now
defaults to raw mode for cli invocations.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
treewide: move executables to /sbin2022-01-06T12:46:35ZStijn Tintel2022-01-06T09:00:52Zurn:sha1:4ead2a6792a1b2071d037c380e87836ceb07f681
In firewall3, the fw3 executable is installed in /sbin. As
luci-app-firewall looks for the fw3 executable in /sbin, the firewall
menu is hidden when firewall4 is installed. Move both executables to
/sbin so the firewall app will show when firewall4 is installed.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>