[source] firewall: update to fix FS#31, FS#73, FS#154, FS#248

LEDE Commits lede-commits at lists.infradead.org
Tue Nov 8 02:35:55 PST 2016

jow pushed a commit to source.git, branch master:

commit 113544dccf113a8ed47e0a91ab2f6e02343c3e82
Author: Jo-Philipp Wich <jo at mein.io>
AuthorDate: Mon Aug 8 16:26:20 2016 +0200

    firewall: update to fix FS#31, FS#73, FS#154, FS#248
    Update to latest Git head in order to import several fixes and enhancements.
    - Disable drop invalid by default (FS#73, FS#154)
      Instead of dropping packets with conntrack state INVALID, only allow streams
      with explicit NEW or UNTRACKED conntrack state.
      This change gives user defined rules the chance to accept traffic like ICMPv6
      multicast which would be filtered away by the very early ctstate INVALID drop
      rule otherwise.
      The old behaviour can be restored by explicitly setting "drop_invalid" to 1
      in the global firewall config section.
    - Fix re-initialization of loadable iptables extensions on musl (FS#31)
      Since musl does not implement actual dlclose() semantics, it is impossible to
      re-run initializers on subsequent dlopen() calls.
      The firewall3 executable now intercepts the extension registration calls
      instead in order to be able to re-call them when needed.
      This also allowed us to switch to libxtables' builtin extension loader as a
      positive side-effect.
    - Fix masquerade rules for multiple negated IP addresses (FS#248)
      When building MASQUERADE rules for zones which specify multiple negated
      addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of
      the masquerading chain instead of creating multiple rules with inverted "-s".
    - Tag own rules using comments
      Instead of relying on the nonstandard xt_id match, use the xt_comment match
      to mark own rules. Existing comments are prefixed with "!fw3: " while
      uncommented rules are marked with a sole "!fw3" string.
      This allows removing the xt_id match entirely in a later commit.
    - Make missing ubus connection nonfatal
      Technically, firewall3 is able to operate without ubus just fine as long as
      the zones are declared using "option device" or "option subnet" instead of
      "option network" so do not abort execution if ubus could not be connected or
      if no network namespace is exported in ubus.
      This allows running firewall3 on ordinary Linux systems.
    - Fix conntrack requirement detection for indirectly connected zones
      The current code fails to apply the conntrack requirement flag recursively to
      zones, leading to stray NOTRACK rules which break conntrack based traffic.
      Change the implementation to iteratively reapply the conntrack fixup logic
      until no more zones had been changed in order to ensure that all directly and
      indirectly connected zones receive the conntrack requirement flag.
    - Add support for iptables 1.6.x
      Adds support for the xtables version 11 api in order to allow building
      against iptables 1.6.x
    Signed-off-by: Jo-Philipp Wich <jo at mein.io>
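The FS#248 item above describes a classic negation bug in generated NAT rules: one rule per negated address, each with its own inverted "-s" match, turns the intended "neither A nor B" into "not A, or not B", which every source address satisfies. The added example below (written for this page, not firewall3's code) emulates how netfilter walks a chain and contrasts the pre-fix rule layout with the "-j RETURN" layout from the commit message. The chain name, the masq_src values and the rule dictionaries are constructed assumptions for illustration; the rendered text only mimics iptables-save syntax.

```python
"""
Added example, not fw3 code: why one MASQUERADE rule per negated masq_src
address is wrong, and how emitting "-j RETURN" rules fixes it.

The matching below is a simplified emulation of netfilter chain traversal
written for this illustration. Chain name and sample networks are assumed.
"""
import ipaddress

# Constructed sample zone setting: masquerade everything leaving the zone
# EXCEPT traffic originating from these two (hypothetical) ranges.
MASQ_SRC = ["!10.0.0.0/24", "!10.0.1.0/24"]


def build_rules_old(masq_src):
    """Pre-fix layout from the commit message: one rule per entry, negated
    entries carrying an inverted -s match. Each rule matches independently."""
    rules = []
    for entry in masq_src:
        negated = entry.startswith("!")
        rules.append({"src": entry.lstrip("!"), "negate": negated,
                      "target": "MASQUERADE"})
    return rules


def build_rules_new(masq_src):
    """Post-fix layout: every negated entry becomes a positive match that
    jumps out of the chain with RETURN, followed by the MASQUERADE rule(s)
    for whatever is left (a bare MASQUERADE when no positive entries exist)."""
    rules, positives = [], []
    for entry in masq_src:
        if entry.startswith("!"):
            rules.append({"src": entry[1:], "negate": False, "target": "RETURN"})
        else:
            positives.append(entry)
    if positives:
        rules += [{"src": n, "negate": False, "target": "MASQUERADE"} for n in positives]
    else:
        rules.append({"src": None, "negate": False, "target": "MASQUERADE"})
    return rules


def render(rules, chain="zone_wan_postrouting"):
    """Render rules in iptables-save style (chain name is an assumption)."""
    out = []
    for r in rules:
        parts = ["-A", chain]
        if r["src"] is not None:
            if r["negate"]:
                parts.append("!")
            parts += ["-s", r["src"]]
        parts += ["-j", r["target"]]
        out.append(" ".join(parts))
    return out


def evaluate(rules, src_ip):
    """Walk the chain top to bottom like netfilter: the first matching rule
    with a terminal target decides. Returns 'MASQUERADE' or 'RETURN'
    (RETURN meaning the packet leaves the chain without being masqueraded)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["src"] is None:
            matched = True
        else:
            in_net = ip in ipaddress.ip_network(r["src"], strict=False)
            matched = (not in_net) if r["negate"] else in_net
        if matched:
            return r["target"]
    return "RETURN"  # fell off the end of the chain: no masquerading


def compare(masq_src, src_ips):
    """Map each source IP to (old outcome, new outcome) for the same config."""
    old, new = build_rules_old(masq_src), build_rules_new(masq_src)
    return {ip: (evaluate(old, ip), evaluate(new, ip)) for ip in src_ips}


if __name__ == "__main__":
    for line in render(build_rules_old(MASQ_SRC)):
        print("old:", line)
    for line in render(build_rules_new(MASQ_SRC)):
        print("new:", line)
    samples = ["10.0.0.5", "10.0.1.5", "192.168.1.5"]
    for ip, (o, n) in compare(MASQ_SRC, samples).items():
        print(f"{ip:>14}  old={o:<10} new={n}")
```

Running it shows that with the old layout a packet from 10.0.0.5 fails the first rule ("! -s 10.0.0.0/24") but matches the second ("! -s 10.0.1.0/24") and is masqueraded anyway, so the exclusions silently have no effect; with a single negated entry both layouts behave identically, which is why the bug only surfaces once two or more negated addresses are configured.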
 package/network/config/firewall/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 8072df7..24b2e05 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,15 +9,15 @@
 include $(TOPDIR)/rules.mk
 PKG_MAINTAINER:=Jo-Philipp Wich <jo at mein.io>
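Review bot: the hunk is cut off after its first two context lines, so none of the 3 insertions and 3 deletions reported in the diffstat for package/network/config/firewall/Makefile are visible here and the version bump cannot be checked against the fixes listed in the commit message; the full hunk (the replaced `PKG_` lines, at minimum) should be quoted before this can be reviewed.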