- Do not consider bitmap storage for IPv6 family sets
- Move ipset family parameter before any additional option
- Only emit family parameter for hash sets
- Do not allow IPv6 iprange for IPv4 sets and vice versa
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 39647
The firewall3 implementation as well as the shell implementation predating it
used to process the tcp_ecnoption as boolean while it actually is an integer.
Change the code to parse tcp_ecn as integer.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 39122
- instead of writing one (or more) ACCEPT rules in the filter table
for each redirect install a global ctstate DNAT accept rule per zone
- discard rules and redirects which have invalid options set instead
of silently skipping the invalid values
SVN-Revision: 38849
* Use network.interface dump call instead of individual status calls
to reduce overall netifd lookups and invokes to 1 per fw3 process.
* Allow protocol handlers to assign a firewall zone for an interface
in the data section to allow for dynamic firewall zone assignment.
SVN-Revision: 38504
- do not insert duplicate rules when setting up reflection to a zone containing multiple interfaces
- set up reflection for any protocol, not just TCP and UDP
SVN-Revision: 38361
- optimizes chain usage for ingress rules
- adds limit match support for redirect rules
- fixes automatic redirect dest detection on little endian systems
- leaves base chains in place on reload to allow user rules to target e.g. "reject"
SVN-Revision: 36871
- simplifies using ipsets for rules and redirects, match direction can be specified in-place like option ipset 'setname src dst dst'
- uses zone_name_src_ACTION chains for input rules, this fixes logging with log enabled src zones
SVN-Revision: 36854
- reduce mssfix related log spam (#10681)
- separate src and dest terminal chains (#11453, #12945)
- disable per-zone custom chains by default, they're rarely used
Additionally introduce options "device", "subnet", "extra", "extra_src" and "extra_dest"
to allow defining zones not related to uci interfaces, e.g. to match "ppp+" or any tcp
traffic to and from a specific port.
SVN-Revision: 35484
- use comment match to keep track of per-network rules
- setup reflection for any interface which is part of a masqueraded zone, not just "wan"
- delete per-network reflection rules if network is brought down
SVN-Revision: 34472
