<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall4/root/usr/share, branch master</title>
<subtitle>OpenWrt nftables firewall</subtitle>
<id>https://git.openwrt.org/project/firewall4/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/firewall4/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/'/>
<updated>2025-03-17T17:36:00Z</updated>
<entry>
<title>fw4: fix reading kernel version</title>
<updated>2025-03-17T17:36:00Z</updated>
<author>
<name>Mieczyslaw Nalewaj</name>
</author>
<published>2024-11-20T17:52:26Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=b6e5157527d361f99ad52eaa6da273cb0f2dfd59'/>
<id>urn:sha1:b6e5157527d361f99ad52eaa6da273cb0f2dfd59</id>
<content type='text'>
Fix reading kernel version for kernels with revision 0 e.g. 6.12
Repair incorrect shift of the revision number causing incorrect value for &gt; 255.

Signed-off-by: Mieczyslaw Nalewaj &lt;namiltd@yahoo.com&gt;
</content>
</entry>
<entry>
<title>fw4: allow family `any` for ipsets not matching IP addresses</title>
<updated>2025-03-17T16:08:52Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-07-27T13:36:52Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=42d3b3d4ca214d967eabb1138be386ddd0665726'/>
<id>urn:sha1:42d3b3d4ca214d967eabb1138be386ddd0665726</id>
<content type='text'>
When filtering by MAC address, it is usually necessary to filter both IPv4
and IPv6.

If it is not allowed to set the family of ipset to any, it will be necessary
to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien &lt;i@zsien.cn&gt;
[fix redirect cases, reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>Revert "fw4: allow family `any` for ipsets not matching IP addresses"</title>
<updated>2025-03-17T15:49:39Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2025-03-17T15:49:34Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=edfdfc6df48477e449935955d637b5f957f6c825'/>
<id>urn:sha1:edfdfc6df48477e449935955d637b5f957f6c825</id>
<content type='text'>
This reverts commit ad3cba79c19209beaff61279338b1146b343cdc1.

The proposed change does not cover all cases.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: allow family `any` for ipsets not matching IP addresses</title>
<updated>2025-03-17T15:41:09Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-07-27T13:36:52Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=ad3cba79c19209beaff61279338b1146b343cdc1'/>
<id>urn:sha1:ad3cba79c19209beaff61279338b1146b343cdc1</id>
<content type='text'>
When filtering by MAC address, it is usually necessary to filter both IPv4
and IPv6.

If it is not allowed to set the family of ipset to any, it will be necessary
to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien &lt;i@zsien.cn&gt;
[reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: skip non-existent netdev names in flowtable device list</title>
<updated>2024-06-03T14:49:40Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-06-03T14:49:40Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=dfbcc1cd127c78fc61bb870d36d2512b571d223b'/>
<id>urn:sha1:dfbcc1cd127c78fc61bb870d36d2512b571d223b</id>
<content type='text'>
In case interface configurations are present which refer to non-existent
network devices, such device names might end up in the flowtable list,
leading to `No such file or directory` errors when attempting to load
the resulting ruleset.

Solve this issue by testing for each netdev name whether it refers to
an existing device.

Fixes: e009588 ("fw4: do not add physical devices for soft offload")
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: do not add physical devices for soft offload</title>
<updated>2024-05-31T22:13:05Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-03-15T08:49:33Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=e00958884416f59b273595f941d198de63acc1dd'/>
<id>urn:sha1:e00958884416f59b273595f941d198de63acc1dd</id>
<content type='text'>
Let kernel heuristics take care of offloading decapsulation.

When software flow offloading is requested, avoid manually resolving and
adding lower physical devices to the flow table in order to let kernel
heuristics deal with the proper offloading en/decapsulation.

Fixes: https://github.com/openwrt/openwrt/issues/13410
Ref: https://github.com/openwrt/openwrt/issues/10224
Submitted-by: Andris PE &lt;neandris@gmail.com&gt;
[refactor code, reword commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: substitute double quotes in strings</title>
<updated>2024-05-21T06:54:02Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-05-21T06:54:02Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=4c01d1ebf99e8ecfa69758a9b4f450ecef7b93cd'/>
<id>urn:sha1:4c01d1ebf99e8ecfa69758a9b4f450ecef7b93cd</id>
<content type='text'>
The nftables parser has no concept of escape characters in quoted strings,
nor does it support alternative quoting styles, so it is currently
impossible to emit double quoted strings containing double quotes.

This could cause nftables to choke on generated rulesets that contain
strings with embedded quotes, e.g. within firewall rule comments.

Since firewall3 (iptables based) historically allowed arbitrary characters
in comments and since we want to stay backwards compatible with existing
uci configurations we can not restrict the allowed input values either.

Work around the issue by substituting all double quotes with single quotes
when quoting strings for interpolation into the ruleset.

Fixes: https://github.com/openwrt/luci/issues/7091
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: apply egress MSS fixup later to apply final MTU before wire</title>
<updated>2023-11-03T13:33:55Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-06-21T10:06:24Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=698a53354fd280aae097efe08803c0c9a10c14c2'/>
<id>urn:sha1:698a53354fd280aae097efe08803c0c9a10c14c2</id>
<content type='text'>
Reduce scope of MSS fixup to TCP SYN packets only and relocate the fixing
of egress MSS to the mangle/postrouting chain in order to properly apply
final known MTU size.

Fixes: openwrt/openwrt#12112
Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[fix S-o-b tag, fix commit author, reword commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: do not emit redundant drop invalid rules</title>
<updated>2023-11-03T13:24:47Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-10-14T09:51:00Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=7392792e768b4d5c373f66ec400fd4100df1b4e0'/>
<id>urn:sha1:7392792e768b4d5c373f66ec400fd4100df1b4e0</id>
<content type='text'>
The wan interface drop rule unnecessarily persists when invalid state
is dropped globally and the rule cannot catch anything at all, so remove
it as the effect is achieved by default and to global extent.

Fixes: 119ee1a ("ruleset: drop ctstate invalid traffic for masq-enabled zones")
Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[fix S-o-b tag, fix commit author, reword commit subject and message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: reduce ksoftirqd load by referring to loopback by numeric id</title>
<updated>2023-11-03T13:11:06Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-09-19T15:23:59Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a5553dae70439c7e4fa910490fcf12a1ffff5bd2'/>
<id>urn:sha1:a5553dae70439c7e4fa910490fcf12a1ffff5bd2</id>
<content type='text'>
Reduce ksoftirq load by half using more efficient reference to loopback
which always has index equal to one.

Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and
similar iperf3 cases clamping against 100% CPU usage.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[fix S-o-b tag, fix commit author, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
</feed>
