Skip to content
  1. Apr 05, 2024
    • Paul Donald's avatar
      luci-app-firewall: Add 'any' choice for SNAT 'family' option · 4ca87f65
      Paul Donald authored 
      

If one sets a SNAT rule via the GUI as 'automatic', the
'family' remains empty. In fw4.uc code, this is interpreted as:

/* default to IPv4 only for backwards compatibility,
 unless an explicit family any was configured */

'any' is handled by fw4 as IPv4+6.

Also prevent 'any' from triggering a validation error (non-SNAT targets
hide 'snat_ip' which remains empty, and triggered an error).

Signed-off-by: default avatarPaul Donald <newtwen+github@gmail.com>
      4ca87f65
  3. Feb 21, 2024
  5. Dec 30, 2023
    • Jonas Dreßler's avatar
      luci-mod-firewall: Expand on naming of forwarding rule inside the zone · c74c8614
      Jonas Dreßler authored 
      

Apparently the "Forward" entry of the individual firewall zones controls
forwarding within the zone (between the individual interfaces) only, and not
the forwarding of packets from the zone to other zones. This is quite
confusing, as the meaning is different from the global "Forward" option
above, which does control forwarding between zones.

Quote from user jow on the forum:
> The per-zone forward controls forwarding traffic among the ifaces of this
> zone. Traffic from/to other zones is handled by the global forward policy,
> or individual forwardings or rules.

See https://forum.openwrt.org/t/likely-bug-in-openwrt-firewall-rule-generation/18152

Let's try to be a bit more concise with the naming here and rename this
entry to "Intra zone forward", which hopefully makes the difference clear.

Signed-off-by: default avatarJonas Dreßler <verdre@v0yd.nl>
      c74c8614
  7. Nov 28, 2023
  9. Oct 12, 2023
  11. Jul 31, 2023
  13. Jul 12, 2023
  15. Jun 10, 2023
  17. May 16, 2023
  19. Apr 05, 2023
    • Dirk Brenken's avatar
      luci-app-firewall: fix the IPv6 forwards/snats view · 148759a5
      Dirk Brenken authored 
      * corrects the view as IPv4 and IPv6 for rules where the family is 'any' and the IP not set (this fixes #9c55500f

), e.g. a forward rule like that:

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

Signed-off-by: default avatarDirk Brenken <dev@brenken.org>
      148759a5
  21. Mar 30, 2023
  23. Mar 29, 2023
  25. Mar 15, 2023
  27. Feb 17, 2023
  29. Feb 04, 2023
  31. Mar 30, 2022
  33. Feb 16, 2022
  35. Jan 06, 2022
  37. Dec 09, 2021
  39. Nov 11, 2021
  41. Nov 10, 2021
  43. Aug 31, 2021
  45. Aug 11, 2021
  47. Aug 04, 2021
  49. Jun 03, 2021
  51. Mar 15, 2021
  53. Mar 01, 2021
  55. Feb 19, 2021
  57. Jan 13, 2021
  59. Dec 16, 2020