<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall4/root/usr/share/ucode, branch master</title>
<subtitle>OpenWrt nftables firewall</subtitle>
<id>https://git-03.infra.openwrt.org/project/firewall4/atom?h=master</id>
<link rel='self' href='https://git-03.infra.openwrt.org/project/firewall4/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/'/>
<updated>2025-03-17T17:36:00Z</updated>
<entry>
<title>fw4: fix reading kernel version</title>
<updated>2025-03-17T17:36:00Z</updated>
<author>
<name>Mieczyslaw Nalewaj</name>
</author>
<published>2024-11-20T17:52:26Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=b6e5157527d361f99ad52eaa6da273cb0f2dfd59'/>
<id>urn:sha1:b6e5157527d361f99ad52eaa6da273cb0f2dfd59</id>
<content type='text'>
Fix reading kernel version for kernels with revision 0 e.g. 6.12
Repair incorrect shift of the revision number causing incorrect value for &gt; 255.

Signed-off-by: Mieczyslaw Nalewaj &lt;namiltd@yahoo.com&gt;
</content>
</entry>
<entry>
<title>fw4: allow family `any` for ipsets not matching IP addresses</title>
<updated>2025-03-17T16:08:52Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-07-27T13:36:52Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=42d3b3d4ca214d967eabb1138be386ddd0665726'/>
<id>urn:sha1:42d3b3d4ca214d967eabb1138be386ddd0665726</id>
<content type='text'>
When filtering by MAC address, it is usually necessary to filter both IPv4
and IPv6.

If it is not allowed to set the family of ipset to any, it will be necessary
to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien &lt;i@zsien.cn&gt;
[fix redirect cases, reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>Revert "fw4: allow family `any` for ipsets not matching IP addresses"</title>
<updated>2025-03-17T15:49:39Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2025-03-17T15:49:34Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=edfdfc6df48477e449935955d637b5f957f6c825'/>
<id>urn:sha1:edfdfc6df48477e449935955d637b5f957f6c825</id>
<content type='text'>
This reverts commit ad3cba79c19209beaff61279338b1146b343cdc1.

The proposed change does not cover all cases.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: allow family `any` for ipsets not matching IP addresses</title>
<updated>2025-03-17T15:41:09Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-07-27T13:36:52Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=ad3cba79c19209beaff61279338b1146b343cdc1'/>
<id>urn:sha1:ad3cba79c19209beaff61279338b1146b343cdc1</id>
<content type='text'>
When filtering by MAC address, it is usually necessary to filter both IPv4
and IPv6.

If it is not allowed to set the family of ipset to any, it will be necessary
to create a separate, identical ipset for both IPv4 and IPv6.

Fixes: https://github.com/openwrt/firewall4/issues/16
Suggested-by: zsien &lt;i@zsien.cn&gt;
[reword commit subject, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: skip not existing netdev names in flowtable device list</title>
<updated>2024-06-03T14:49:40Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-06-03T14:49:40Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=dfbcc1cd127c78fc61bb870d36d2512b571d223b'/>
<id>urn:sha1:dfbcc1cd127c78fc61bb870d36d2512b571d223b</id>
<content type='text'>
In case interface configurations are present which refer to not existing
network devices, such device names might end up in the flowtable list,
leading to `No such file or directory` errors when attempting to load
the resulting ruleset.

Solve this issue by testing for each netdev name whether it refers to
an existing device.

Fixes: e009588 ("fw4: do not add physical devices for soft offload")
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: do not add physical devices for soft offload</title>
<updated>2024-05-31T22:13:05Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-03-15T08:49:33Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=e00958884416f59b273595f941d198de63acc1dd'/>
<id>urn:sha1:e00958884416f59b273595f941d198de63acc1dd</id>
<content type='text'>
Let kernel heuristics take care of offloading decapsulation.

When software flow offloading is requested, avoid manually resolving and
adding lower physical devices to the flow table in order to let kernel
heuristics deal with the proper offloading en/decapsulation.

Fixes: https://github.com/openwrt/openwrt/issues/13410
Ref: https://github.com/openwrt/openwrt/issues/10224
Submitted-by: Andris PE &lt;neandris@gmail.com&gt;
[refactor code, reword commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: substitute double quotes in strings</title>
<updated>2024-05-21T06:54:02Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2024-05-21T06:54:02Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=4c01d1ebf99e8ecfa69758a9b4f450ecef7b93cd'/>
<id>urn:sha1:4c01d1ebf99e8ecfa69758a9b4f450ecef7b93cd</id>
<content type='text'>
The nftables parser has no concept of escape characters in quoted strings,
nor does it support alternative quoting styles so it is currently
impossible to emit double quoted strings containing double quotes.

This could cause nftables to choke on generated rulesets that contain
strings with embedded quotes, e.g. within firewall rule comments.

Since firewall3 (iptables based) historically allowed arbitrary characters
in comments and since we want to stay backwards compatible with existing
uci configurations we can not restrict the allowed input values either.

Work around the issue by substituting all double quotes with single quotes
when quoting strings for interpolation into the ruleset.

Fixes: https://github.com/openwrt/luci/issues/7091
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: add log_limit to rules and redirects</title>
<updated>2023-11-03T12:37:19Z</updated>
<author>
<name>Luiz Angelo Daros de Luca</name>
</author>
<published>2023-08-01T19:51:58Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=187405075911d408fa48e97ce343e76a2a30ef12'/>
<id>urn:sha1:187405075911d408fa48e97ce343e76a2a30ef12</id>
<content type='text'>
Just like zone log_limit, now you can specify a different log limit to a
single rule or redirect.

Signed-off-by: Luiz Angelo Daros de Luca &lt;luizluca@gmail.com&gt;
[whitespace cleanup, properly format limit expressions]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: add support for zone log_limit</title>
<updated>2023-11-03T12:34:35Z</updated>
<author>
<name>Luiz Angelo Daros de Luca</name>
</author>
<published>2023-07-31T22:18:30Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=597dc90fb71419c42c13c27fe24e3d350e6e33dc'/>
<id>urn:sha1:597dc90fb71419c42c13c27fe24e3d350e6e33dc</id>
<content type='text'>
It is equivalent to the fw3 feature, affecting not accepted packets
and rules explicitly setting the log property.

Input rules not associated with a zone will not have log_limit.
Forward rules will use src zone log_limit or, if missing, dest zone
log_limit.

Signed-off-by: Luiz Angelo Daros de Luca &lt;luizluca@gmail.com&gt;
[properly handle null zone references, whitespace and indentation cleanup,
 testcase cleanup, slight code simplification, use dot for named limit,
 properly format limit expressions]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: perform strict validation of zone and set names</title>
<updated>2023-10-12T07:33:32Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2023-10-12T07:33:32Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/firewall4/commit/?id=4101dd42473bfda24e3bfd958f0edfff8c8efa90'/>
<id>urn:sha1:4101dd42473bfda24e3bfd958f0edfff8c8efa90</id>
<content type='text'>
The nft syntax grammar requires unquoted chain and set names which imposes
certain format restrictions. Introduce a new `identifier` datatype and use
it for validating set and zone names.

Fixes: https://github.com/openwrt/luci/issues/6633
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
</feed>
