Age | Commit message | Author |
|
follow-up to 46e6b9ba44a33937c7ba89273da9d2f7fde985ad
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
|
|
Either software or hardware offloading is in use at a time. Make a
dropdown list for them to reflect this on the firewall section of LuCI.
Closes #6247
Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
|
|
The implied logic in the functions to build display text is a bit of
a minefield.
Now, if family=4+6 is selected, display 4+6.
This part is a follow-up to: 4ca87f6576272d4a4659e995bef00cf34d5746e9
Previously it would display only IPv6.
Now, if family=auto i.e. '' is selected then display 4 only.
fw4 internally treats no family as IPv4 only, meaning that IPv6 was not
SNATed. (This treatment is 'incorrect' but because it has always been
this way, this behaviour is retained for backwards compatibility, and
user expectations.)
Previous logic was incorrect (bug) and would display:
Forwarded IPv4 and IPv6
misleading the user.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
|
|
If one sets a SNAT rule via the GUI as 'automatic', the
'family' remains empty. In fw4.uc code, this is interpreted as:
/* default to IPv4 only for backwards compatibility,
unless an explicit family any was configured */
'any' is handled by fw4 as IPv4+6.
Also prevent 'any' from triggering a validation error (non-SNAT targets
hide 'snat_ip' which remains empty, and triggered an error).
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
|
|
Ref: https://forum.openwrt.org/t/question-about-firewall-rules/188656
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Apparently the "Forward" entry of the individual firewall zones controls
forwarding within the zone (between the individual interfaces) only, and not
the forwarding of packets from the zone to other zones. This is quite
confusing, as the meaning is different from the global "Forward" option
above, which does control forwarding between zones.
Quote from user jow on the forum:
> The per-zone forward controls forwarding traffic among the ifaces of this
> zone. Traffic from/to other zones is handled by the global forward policy,
> or individual forwardings or rules.
See https://forum.openwrt.org/t/likely-bug-in-openwrt-firewall-rule-generation/18152
Let's try to be a bit more concise with the naming here and rename this
entry to "Intra zone forward", which hopefully makes the difference clear.
Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
|
|
Allow creating redirects using IP family `any`.
This helps redirect both IPv4 and IPv6 traffic.
It is used to intercept traffic on the router.
Signed-off-by: Vladislav Grigoryev <vg.aetera@gmail.com>
|
|
Ensure that user supplied set name values conform to the nftables identifier
syntax constraints.
Fixes: #6633
Fixes: 0484343903 ("luci-app-firewall: implement IPsets GUI")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
This allows defining multiple zones for NAT reflection rules.
Fixes: #1560
Signed-off-by: Julien Cassette <julien.cassette@gmail.com>
|
|
luci-app-firewall: missing variable declaration
|
|
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
|
|
This adds entries for ICMPv6 MLD types. This fixes the ICMPv6 MLD types to be consistent with fw4.
These types were added to fw4 in this commit:
- https://github.com/openwrt/firewall4/commit/e6e82a55206cf7017f26b92f7097f779161b5cac
But were omitted from the corresponding luci-app-firewall commit:
- https://github.com/openwrt/luci/commit/88a016cbff7eacf3a8248bc4949904abacef6685
Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
|
|
* corrects the view as IPv4 and IPv6 for rules where the family is 'any' and the IP not set (this fixes #9c55500), e.g. a forward rule like that:
config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
|
luci-app-firewall: add masq6 option for zones
|
|
Fixes: 48086e1c7b ("luci-app-firewall: Add ipset field to snats")
Fixes: d0d891c23e ("luci-app-firewall: Add ipset field to forwards (redirects)")
Fixes: f407a013ba ("luci-app-firewall: Add ipset field to rules")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Allow configuring Masquerading6 via LuCI interface.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
|
Signed-off-by: Paul Dee <itsascambutmailmeanyway@gmail.com>
|
|
Signed-off-by: Paul Dee <itsascambutmailmeanyway@gmail.com>
|
|
Signed-off-by: Paul Dee <itsascambutmailmeanyway@gmail.com>
|
|
Enable it and place it between snats and custom tabs
Tested on 22.03.2, 22.03.3
Signed-off-by: Paul Dee <itsascambutmailmeanyway@gmail.com>
|
|
Extended icmp selections in firewall
|
|
Allow setup of ipv6 for Port Forwards and NAT Rules if firewall4 is
used.
Add 'Restrict to address family' option for NAT Rules, if family is
any/empty, assume it is ipv4. This allows setup of NAT6 rules in web ui
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
|
|
Ensure that the description of the masquerade option does not end up in
the grid section overview as it messes up the table layout.
Fixes: c54efde717 ("luci-app-firewall: Add clarification to masquerading option")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
luci complement to https://github.com/openwrt/firewall4/commit/e6e82a55206cf7017f26b92f7097f779161b5cac
Tested on 22.03.3
Signed-off-by: Paul Dee <itsascambutmailmeanyway@gmail.com>
|
|
This prevents its inconsistent checked/unchecked behaviour when exiting
and re-entering the dialogue.
Tested on 22.03.3
Signed-off-by: Paul Dee <itsascambutmailmeanyway@gmail.com>
|
|
Signed-off-by: Martijn Staal <27222398+mastaal@users.noreply.github.com>
|
|
Fixes: #5749
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Fixes: #5685
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Initial changes required for firewall4 compatibility:
* depend on uc-firewall instead of firewall
* detect installed version of firewall and hide incompatible features
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
|
|
Prevent incorrectly replacing unrecognized protocol numbers with -1.
Fixes: #5587
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Use the new `firewall.getZoneColorStyle()` helper to apply background
color styles.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
No functional changes but required for styling rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
to firewall 'Match ICMP type' field.
See issue #5213
Signed-off-by: Paul Dee <systemcrash@users.noreply.github.com>
|
|
10 lines are very few and there is much unused space
Signed-off-by: Fritz D. Ansel <fdansel@yandex.ru>
|
|
Signed-off-by: Stan Grishin <stangri@melmac.net>
|
|
Rework some further code instances to fall back to the legacy ipv4/ipv6
properties if needed.
Fixes: c7b7b42cd3 ("treewide: Update JS using luci-rpc getHostHints")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Update frontend JS code which uses luci-rpc getHostHints to support the new
response format which removes the `ipv4` and `ipv6` host hint string fields
and replaces them with `ipaddrs` and `ip6addrs` weighted string list fields.
Signed-off-by: Niels Widger <niels@qacafe.com>
[rework code to be forwards/backwards compatible, fix some Network.Hosts
methods, fix IP choice ordering, change commit subject, rewrap commit
message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Fixes: #4812
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Fixes: #4845
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Store multiple space separated custom address values as separate uci
list items in the configuration.
Fixes: #4822
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
Before the change, the options '*' and 'any' in the drop down were not
recognized as valid options, when loaded from the uci. With this change,
the options '*' and 'any' are mapped to 'all' and saved as such. This
change is especially important if the proto option is changed manually
to '*' or 'any' in shell and then further configured via LuCI.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
Fixes: #4608
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
The "Match ICMP type" drop-down menu was missing this ICMPv6 type. According to RFC 4890 section 4.3.1 it is essential for communications and must not be dropped. This patch allows for doing this through LuCI.
Signed-off-by: Robby K <robbyke@gmail.com>
|
|
Fixes: #4220
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|