2013-02-17 19:26:52 +00:00
|
|
|
#
|
2016-01-29 17:26:41 +00:00
|
|
|
# Copyright (C) 2013-2016 OpenWrt.org
|
2016-05-02 17:46:23 +00:00
|
|
|
# Copyright (C) 2016 LEDE project
|
2013-02-17 19:26:52 +00:00
|
|
|
#
|
|
|
|
# This is free software, licensed under the GNU General Public License v2.
|
|
|
|
# See /LICENSE for more information.
|
|
|
|
#
|
|
|
|
|
|
|
|
include $(TOPDIR)/rules.mk
|
|
|
|
|
2013-06-04 12:21:52 +00:00
|
|
|
PKG_NAME:=firewall
|
firewall: update to fix FS#31, FS#73, FS#154, FS#248
Update to latest Git head in order to import several fixes and enhancements.
- Disable drop invalid by default (FS#73, FS#154)
Instead of dropping packets with conntrack state INVALID, only allow streams
with explicit NEW or UNTRACKED conntrack state.
This change gives user defined rules the chance to accept traffic like ICMPv6
multicast which would be filtered away by the very early ctstate INVALID drop
rule otherwise.
The old behaviour can be restored by explicitely setting "drop_invalid" to 1
in the global firewall config section.
- Fix re-initialization of loadable iptables extensions on musl (FS#31)
Since musl does not implement actual dlclose() semantics, it is impossible to
re-run initializers on subsequent dlopen() calls.
The firewall3 executable now intercepts the extension registration calls
instead in order to be able to re-call them when needed.
This also allowed us to switch to libxtables' builtin extension loader as a
positive side-effect.
- Fix masquerade rules for multiple negated IP addresses (FS#248)
When building MASQUERADE rules for zones which specify multiple negated
addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of
the masquerading chain instead of creating multiple rules with inverted "-s"
arguments.
- Tag own rules using comments
Instead of relying on the nonstandard xt_id match, use the xt_comment match
to mark own rules. Existing comments are prefixed with "!fw3: " while
uncommented rules are marked with a sole "!fw3" string.
This allows removing the xt_id match entirely in a later commit.
- Make missing ubus connection nonfatal
Technically, firewall3 is able to operate without ubus just fine as long as
the zones are declared using "option device" or "option subnet" instead of
"option network" so do not abort execution if ubus could not be connected or
of no network namespace is exported in ubus.
This allows running firewall3 on ordinary Linux systems.
- Fix conntrack requirement detection for indirectly connected zones
The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.
Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.
- Add support for iptables 1.6.x
Adds support for the xtables version 11 api in order to allow building
against iptables 1.6.x
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-08 14:26:20 +00:00
|
|
|
PKG_VERSION:=2016-11-07
|
2013-02-17 19:26:52 +00:00
|
|
|
PKG_RELEASE:=$(PKG_SOURCE_VERSION)
|
|
|
|
|
|
|
|
PKG_SOURCE_PROTO:=git
|
2016-06-06 19:16:47 +00:00
|
|
|
PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
|
2013-02-17 19:26:52 +00:00
|
|
|
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
|
firewall: update to fix FS#31, FS#73, FS#154, FS#248
Update to latest Git head in order to import several fixes and enhancements.
- Disable drop invalid by default (FS#73, FS#154)
Instead of dropping packets with conntrack state INVALID, only allow streams
with explicit NEW or UNTRACKED conntrack state.
This change gives user defined rules the chance to accept traffic like ICMPv6
multicast which would be filtered away by the very early ctstate INVALID drop
rule otherwise.
The old behaviour can be restored by explicitely setting "drop_invalid" to 1
in the global firewall config section.
- Fix re-initialization of loadable iptables extensions on musl (FS#31)
Since musl does not implement actual dlclose() semantics, it is impossible to
re-run initializers on subsequent dlopen() calls.
The firewall3 executable now intercepts the extension registration calls
instead in order to be able to re-call them when needed.
This also allowed us to switch to libxtables' builtin extension loader as a
positive side-effect.
- Fix masquerade rules for multiple negated IP addresses (FS#248)
When building MASQUERADE rules for zones which specify multiple negated
addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of
the masquerading chain instead of creating multiple rules with inverted "-s"
arguments.
- Tag own rules using comments
Instead of relying on the nonstandard xt_id match, use the xt_comment match
to mark own rules. Existing comments are prefixed with "!fw3: " while
uncommented rules are marked with a sole "!fw3" string.
This allows removing the xt_id match entirely in a later commit.
- Make missing ubus connection nonfatal
Technically, firewall3 is able to operate without ubus just fine as long as
the zones are declared using "option device" or "option subnet" instead of
"option network" so do not abort execution if ubus could not be connected or
of no network namespace is exported in ubus.
This allows running firewall3 on ordinary Linux systems.
- Fix conntrack requirement detection for indirectly connected zones
The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.
Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.
- Add support for iptables 1.6.x
Adds support for the xtables version 11 api in order to allow building
against iptables 1.6.x
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-08 14:26:20 +00:00
|
|
|
PKG_SOURCE_VERSION:=0367860636aa55e9ee064709ec2814906e1f246b
|
2016-10-04 12:28:54 +00:00
|
|
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
|
firewall: update to fix FS#31, FS#73, FS#154, FS#248
Update to latest Git head in order to import several fixes and enhancements.
- Disable drop invalid by default (FS#73, FS#154)
Instead of dropping packets with conntrack state INVALID, only allow streams
with explicit NEW or UNTRACKED conntrack state.
This change gives user defined rules the chance to accept traffic like ICMPv6
multicast which would be filtered away by the very early ctstate INVALID drop
rule otherwise.
The old behaviour can be restored by explicitely setting "drop_invalid" to 1
in the global firewall config section.
- Fix re-initialization of loadable iptables extensions on musl (FS#31)
Since musl does not implement actual dlclose() semantics, it is impossible to
re-run initializers on subsequent dlopen() calls.
The firewall3 executable now intercepts the extension registration calls
instead in order to be able to re-call them when needed.
This also allowed us to switch to libxtables' builtin extension loader as a
positive side-effect.
- Fix masquerade rules for multiple negated IP addresses (FS#248)
When building MASQUERADE rules for zones which specify multiple negated
addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of
the masquerading chain instead of creating multiple rules with inverted "-s"
arguments.
- Tag own rules using comments
Instead of relying on the nonstandard xt_id match, use the xt_comment match
to mark own rules. Existing comments are prefixed with "!fw3: " while
uncommented rules are marked with a sole "!fw3" string.
This allows removing the xt_id match entirely in a later commit.
- Make missing ubus connection nonfatal
Technically, firewall3 is able to operate without ubus just fine as long as
the zones are declared using "option device" or "option subnet" instead of
"option network" so do not abort execution if ubus could not be connected or
of no network namespace is exported in ubus.
This allows running firewall3 on ordinary Linux systems.
- Fix conntrack requirement detection for indirectly connected zones
The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.
Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.
- Add support for iptables 1.6.x
Adds support for the xtables version 11 api in order to allow building
against iptables 1.6.x
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-08 14:26:20 +00:00
|
|
|
PKG_MIRROR_MD5SUM:=1a087c92c73c3736dd19445d2f470abc2c1eb623956ddd55284c2e6a733198ce
|
2016-05-02 17:46:23 +00:00
|
|
|
PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
|
2014-11-02 12:20:54 +00:00
|
|
|
PKG_LICENSE:=ISC
|
2013-02-17 19:26:52 +00:00
|
|
|
|
2016-01-18 13:21:37 +00:00
|
|
|
PKG_CONFIG_DEPENDS := CONFIG_IPV6
|
2013-02-17 19:26:52 +00:00
|
|
|
|
|
|
|
include $(INCLUDE_DIR)/package.mk
|
|
|
|
include $(INCLUDE_DIR)/cmake.mk
|
|
|
|
|
2013-06-04 12:21:52 +00:00
|
|
|
define Package/firewall
|
2013-02-17 19:26:52 +00:00
|
|
|
SECTION:=net
|
2013-06-04 12:21:52 +00:00
|
|
|
CATEGORY:=Base system
|
|
|
|
TITLE:=OpenWrt C Firewall
|
2015-09-17 15:31:45 +00:00
|
|
|
DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +kmod-ipt-nat
|
2013-02-17 19:26:52 +00:00
|
|
|
endef
|
|
|
|
|
2013-06-04 12:21:52 +00:00
|
|
|
define Package/firewall/description
|
2013-02-17 19:26:52 +00:00
|
|
|
This package provides a config-compatible C implementation of the UCI firewall.
|
|
|
|
endef
|
|
|
|
|
2013-06-04 12:21:52 +00:00
|
|
|
define Package/firewall/conffiles
|
2013-03-05 13:45:09 +00:00
|
|
|
/etc/config/firewall
|
|
|
|
/etc/firewall.user
|
|
|
|
endef
|
|
|
|
|
2013-05-21 10:15:14 +00:00
|
|
|
TARGET_CFLAGS += -ffunction-sections -fdata-sections
|
2013-05-24 12:49:06 +00:00
|
|
|
TARGET_LDFLAGS += -Wl,--gc-sections
|
2013-05-27 15:13:19 +00:00
|
|
|
CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1)
|
2013-05-21 10:15:14 +00:00
|
|
|
|
2013-06-04 12:21:52 +00:00
|
|
|
define Package/firewall/install
|
2013-02-17 19:26:52 +00:00
|
|
|
$(INSTALL_DIR) $(1)/sbin
|
2013-06-04 12:30:50 +00:00
|
|
|
$(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3
|
2013-02-17 19:26:52 +00:00
|
|
|
$(INSTALL_DIR) $(1)/etc/init.d
|
|
|
|
$(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
|
|
|
|
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
|
|
|
|
$(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
|
2013-03-05 13:45:09 +00:00
|
|
|
$(INSTALL_DIR) $(1)/etc/config/
|
|
|
|
$(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
|
|
|
|
$(INSTALL_DIR) $(1)/etc/
|
|
|
|
$(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
|
2013-02-17 19:26:52 +00:00
|
|
|
endef
|
|
|
|
|
2013-06-04 12:21:52 +00:00
|
|
|
$(eval $(call BuildPackage,firewall))
|