mirror of https://github.com/hak5/openwrt.git
firewall: update to fix FS#31, FS#73, FS#154, FS#248
Update to latest Git head in order to import several fixes and enhancements. - Disable drop invalid by default (FS#73, FS#154) Instead of dropping packets with conntrack state INVALID, only allow streams with explicit NEW or UNTRACKED conntrack state. This change gives user defined rules the chance to accept traffic like ICMPv6 multicast which would be filtered away by the very early ctstate INVALID drop rule otherwise. The old behaviour can be restored by explicitely setting "drop_invalid" to 1 in the global firewall config section. - Fix re-initialization of loadable iptables extensions on musl (FS#31) Since musl does not implement actual dlclose() semantics, it is impossible to re-run initializers on subsequent dlopen() calls. The firewall3 executable now intercepts the extension registration calls instead in order to be able to re-call them when needed. This also allowed us to switch to libxtables' builtin extension loader as a positive side-effect. - Fix masquerade rules for multiple negated IP addresses (FS#248) When building MASQUERADE rules for zones which specify multiple negated addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of the masquerading chain instead of creating multiple rules with inverted "-s" arguments. - Tag own rules using comments Instead of relying on the nonstandard xt_id match, use the xt_comment match to mark own rules. Existing comments are prefixed with "!fw3: " while uncommented rules are marked with a sole "!fw3" string. This allows removing the xt_id match entirely in a later commit. - Make missing ubus connection nonfatal Technically, firewall3 is able to operate without ubus just fine as long as the zones are declared using "option device" or "option subnet" instead of "option network" so do not abort execution if ubus could not be connected or of no network namespace is exported in ubus. This allows running firewall3 on ordinary Linux systems. - Fix conntrack requirement detection for indirectly connected zones The current code fails to apply the conntrack requirement flag recursively to zones, leading to stray NOTRACK rules which break conntrack based traffic policing. Change the implementation to iteratively reapply the conntrack fixup logic until no more zones had been changed in order to ensure that all directly and indirectly connected zones receive the conntrack requirement flag. - Add support for iptables 1.6.x Adds support for the xtables version 11 api in order to allow building against iptables 1.6.x Signed-off-by: Jo-Philipp Wich <jo@mein.io>lede-17.01
parent
9c91335dc7
commit
113544dccf
|
@ -9,15 +9,15 @@
|
||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=firewall
|
PKG_NAME:=firewall
|
||||||
PKG_VERSION:=2016-07-28
|
PKG_VERSION:=2016-11-07
|
||||||
PKG_RELEASE:=$(PKG_SOURCE_VERSION)
|
PKG_RELEASE:=$(PKG_SOURCE_VERSION)
|
||||||
|
|
||||||
PKG_SOURCE_PROTO:=git
|
PKG_SOURCE_PROTO:=git
|
||||||
PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
|
PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
|
||||||
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
|
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
|
||||||
PKG_SOURCE_VERSION:=47b23946cb2d51c486cd01596744955f850e2060
|
PKG_SOURCE_VERSION:=0367860636aa55e9ee064709ec2814906e1f246b
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
|
||||||
PKG_MIRROR_MD5SUM:=25a0244ce0a8663a1c996d55b707afd36fec55a7eaecbeb5671fcdfa67a44cb1
|
PKG_MIRROR_MD5SUM:=1a087c92c73c3736dd19445d2f470abc2c1eb623956ddd55284c2e6a733198ce
|
||||||
PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
|
PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
|
||||||
PKG_LICENSE:=ISC
|
PKG_LICENSE:=ISC
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue