| Commit message (Collapse) | Author | Age | |
|---|---|---|---|
| * | firewall: insert SNAT and DNAT rules according to the order of the ↵ | Jo-Philipp Wich | 2010-10-08 |
| | | | | | | | configuration file (#8052) SVN-Revision: 23318 | ||
| * | firewall: also establish forward rules when setting up nat reflection, back ↵ | Jo-Philipp Wich | 2010-10-03 |
| | | | | | | | out early if reflection is disabled SVN-Revision: 23201 | ||
| * | firewall: fix chain selection logic, option dest must be ignored for notrack ↵ | Jo-Philipp Wich | 2010-09-28 |
| | | | | | | | targets SVN-Revision: 23143 | ||
| * | firewall: don't setup nat reflection if negations are used | Jo-Philipp Wich | 2010-09-28 |
| | | | | | SVN-Revision: 23142 | ||
| * | fireall: - support negations for src_ip, dest_ip, src_dip options in rules ↵ | Jo-Philipp Wich | 2010-09-28 |
| | | | | | | | and redirects - add NOTRACK target to rule sections, allows to define fine grained notrack rules SVN-Revision: 23141 | ||
| * | firewall: protect iptables invocations with locks in interface ops, it might ↵ | Jo-Philipp Wich | 2010-09-19 |
| | | | | | | | run concurrently due to hotplug invocations on network restart SVN-Revision: 23090 | ||
| * | firewall: make invalid redirects and duplicate zones non-fatal, print a ↵ | Jo-Philipp Wich | 2010-09-16 |
| | | | | | | | notice and discard them SVN-Revision: 23080 | ||
| * | firewall: run ifdown hotplug events synchronized, fixes a racecondition on ↵ | Jo-Philipp Wich | 2010-09-15 |
| | | | | | | | "ifup iface" when ifdown and ifup events are delivered with a small dealy SVN-Revision: 23064 | ||
| * | firewall: deliver remove hotplug events for all active zones/networks when ↵ | Jo-Philipp Wich | 2010-09-14 |
| | | | | | | | restarting the firewall SVN-Revision: 23062 | ||
| * | firewall: - simplify masquerade rule setup - remove various subshell ↵ | Jo-Philipp Wich | 2010-09-11 |
| | | | | | | | invocations - speedup fw() by not relying on xargs and pipes - rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source SVN-Revision: 23024 | ||
| * | firewall: - fix possible endless loop when the family option is used for ↵ | Jo-Philipp Wich | 2010-09-05 |
| | | | | | | | forwardings - only generate forwarding rules in SNAT redirect sections if src_dip is specified SVN-Revision: 22938 | ||
| * | firewall: introduce SNAT support for redirect sections | Jo-Philipp Wich | 2010-09-05 |
| | | | | | SVN-Revision: 22937 | ||
| * | firewall: add option to disable NAT reflection | Jo-Philipp Wich | 2010-09-04 |
| | | | | | SVN-Revision: 22908 | ||
| * | firewall: - handle NAT reflection in firewall hotplug, solves synchronizing ↵ | Jo-Philipp Wich | 2010-09-04 |
| | | | | | | | issues on boot - introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation SVN-Revision: 22888 | ||
| * | firewall: - fix processing of rules with an ip family option - append ↵ | Jo-Philipp Wich | 2010-08-31 |
| | | | | | | | interface rules at the end of internal zone chains, simplifies injecting user or addon rules - support simple file logging (option log + option log_limit per zone) SVN-Revision: 22847 | ||
| * | firwall: fix nat reflection for zones covering multiple networks | Jo-Philipp Wich | 2010-07-31 |
| | | | | | SVN-Revision: 22442 | ||
| * | firewall: add basic NAT reflection/NAT loopback support | Jo-Philipp Wich | 2010-07-31 |
| | | | | | SVN-Revision: 22441 | ||
| * | firewall: allow redirecting only destination port (#7197) | Jo-Philipp Wich | 2010-07-16 |
| | | | | | SVN-Revision: 22227 | ||
| * | firewall: fix another notrack related bug | Jo-Philipp Wich | 2010-07-15 |
| | | | | | SVN-Revision: 22218 | ||
| * | firewall: - notrack support was broken in multiple ways, fix it - also ↵ | Jo-Philipp Wich | 2010-07-15 |
| | | | | | | | consider a zone conntracked if any redirect references it (#7196) SVN-Revision: 22215 | ||
| * | firewall: - support alias ifnames different from parent ifname - properly ↵ | Jo-Philipp Wich | 2010-06-02 |
| | | | | | | | handle multiple subnets per alias (v4+v6) SVN-Revision: 21656 | ||
| * | firewall: Initial alias interface support. This allows to define zones ↵ | Jo-Philipp Wich | 2010-06-01 |
| | | | | | | | covering alias interfaces and associated entries like rules and forwardings. SVN-Revision: 21653 | ||
| * | firewall: change the order of IPv4/IPv6 address detection, fixes mixed ↵ | Jo-Philipp Wich | 2010-05-31 |
| | | | | | | | notation v6 improperly detected as v4 address SVN-Revision: 21642 | ||
| * | firewall: fix support for netranges in redirect and rule sections | Jo-Philipp Wich | 2010-05-30 |
| | | | | | SVN-Revision: 21640 | ||
| * | firewall: count rules per chain and family, fix wrong order of ip6tables ↵ | Jo-Philipp Wich | 2010-05-22 |
| | | | | | | | rules when ipv4 only or dual family rules are defined SVN-Revision: 21533 | ||
| * | firewall: don't apply default udp/68 rule to ip6tables | Jo-Philipp Wich | 2010-05-19 |
| | | | | | SVN-Revision: 21509 | ||
| * | firewall: - fix ip6tables rules when icmp_type option is set - add "family" ↵ | Jo-Philipp Wich | 2010-05-19 |
| | | | | | | | option to zones, forwardings, redirects and rules to selectively apply rules to iptables and/or ip6tables SVN-Revision: 21508 | ||
| * | firewall: add commented disable_ipv6 option to default config | Jo-Philipp Wich | 2010-05-19 |
| | | | | | SVN-Revision: 21505 | ||
| * | firewall: implement disable_ipv6 uci option | Jo-Philipp Wich | 2010-05-19 |
| | | | | | SVN-Revision: 21503 | ||
| * | firewall (#7355) - partially revert r21486, start firewall on init again - ↵ | Jo-Philipp Wich | 2010-05-19 |
| | | | | | | | skip iface hotplug events if base fw is not up yet - get ifname and up state with uci_get_state() in iface setup since the values gathered by scan_interfaces() may be outdated when iface coldplugging happens (observed with pptp) - ignore up state when bringing down interfaces because ifdown reverts state vars before dispatching the iface event - bump package revision SVN-Revision: 21502 | ||
| * | firewall: fix a possible deadlock when the firewall config has syntax errors ↵ | Jo-Philipp Wich | 2010-05-18 |
| | | | | | | | during restart SVN-Revision: 21501 | ||
| * | firewall: use uci_get_state() wrapper | Jo-Philipp Wich | 2010-05-17 |
| | | | | | SVN-Revision: 21493 | ||
| * | firewall: properly clear hooks in fw_stop() to prevent extensions from being ↵ | Jo-Philipp Wich | 2010-05-17 |
| | | | | | | | called twice after fw_restart() SVN-Revision: 21488 | ||
| * | firewall: - defer firewall start until the first interface is brought up by ↵ | Jo-Philipp Wich | 2010-05-17 |
| | | | | | | | hotplug, fixes race conditions on slow devices - create a file lock during firewall start and wait for it in hotplug events, prevents race conditions between start and addif - start firewall actions in background from hotplug handler since the firewall itself fires further hotplug events which results in a deadlock if not forked off - get loaded state direcly from the uci binary since updated value is not recognized by config_get after uci_set_state - bump package revision to r2 SVN-Revision: 21486 | ||
| * | firewall: properly unset position for delete command, fixes rule removal in ↵ | Jo-Philipp Wich | 2010-05-05 |
| | | | | | | | ifdown SVN-Revision: 21378 | ||
| * | firewall: fix bug in iface hotplug handler | Jo-Philipp Wich | 2010-05-05 |
| | | | | | SVN-Revision: 21360 | ||
| * | firewall: - replace uci firewall with a modular dual stack implementation ↵ | Jo-Philipp Wich | 2010-05-01 |
| | | | | | | | developed by Malte S. Stretz - bump version to 2 SVN-Revision: 21286 | ||
| * | allow ping | Travis Kemen | 2010-03-18 |
| | | | | | SVN-Revision: 20261 | ||
| * | firewall: insert rules at the beginning of chains again while maintaining ↵ | Jo-Philipp Wich | 2010-03-02 |
| | | | | | | | non reversed order, fixes wrong ordering introduced by r18015 SVN-Revision: 19946 | ||
| * | firewall: fix bad number error in fw_redirect() (#6704) | Jo-Philipp Wich | 2010-02-20 |
| | | | | | SVN-Revision: 19765 | ||
| * | Add destination ip of the wan adapter useful if you have multiple ip addresses. | Travis Kemen | 2010-02-11 |
| | | | | | SVN-Revision: 19574 | ||
| * | firewall: fix a race condition preventing interfaces from being added to the ↵ | Jo-Philipp Wich | 2010-01-19 |
| | | | | | | | firewall on boot SVN-Revision: 19232 | ||
| * | firewall: fix fallout from r18716 (fixes #6338) | Felix Fietkau | 2009-12-10 |
| | | | | | SVN-Revision: 18733 | ||
| * | firewall: get rid of recursive shell script inclusion to improve hush ↵ | Felix Fietkau | 2009-12-09 |
| | | | | | | | compatibility SVN-Revision: 18716 | ||
| * | firewall: initialize dest_port with src_dport if omitted in redirect ↵ | Jo-Philipp Wich | 2009-12-01 |
| | | | | | | | sections to narrow down corresponding forward rules to the actual target ports - thanks Niels Boehm! (#6249) SVN-Revision: 18617 | ||
| * | firewall: fix zone defaults | Felix Fietkau | 2009-10-11 |
| | | | | | SVN-Revision: 18028 | ||
| * | firewall: do not process rules in reverse | Felix Fietkau | 2009-10-10 |
| | | | | | SVN-Revision: 18015 | ||
| * | firewall: fix MSS issue affection RELATED new connections (closes: #5173) | Nicolas Thill | 2009-09-27 |
| | | | | | SVN-Revision: 17762 | ||
| * | firewall: add sanity checks to zone default rules (patch from #5459) | Felix Fietkau | 2009-09-24 |
| | | | | | SVN-Revision: 17713 | ||
| * | firewall: move the config_get out of the loop, no need to call it multiple times | Jo-Philipp Wich | 2009-09-14 |
| | | | | | SVN-Revision: 17581 | ||