Skip to content
  1. Apr 05, 2024
    • Paul Donald's avatar
      luci-app-firewall: Add 'any' choice for SNAT 'family' option · 4ca87f65
      Paul Donald authored 
      

If one sets a SNAT rule via the GUI as 'automatic', the
'family' remains empty. In fw4.uc code, this is interpreted as:

/* default to IPv4 only for backwards compatibility,
 unless an explicit family any was configured */

'any' is handled by fw4 as IPv4+6.

Also prevent 'any' from triggering a validation error (non-SNAT targets
hide 'snat_ip' which remains empty, and triggered an error).

Signed-off-by: default avatarPaul Donald <newtwen+github@gmail.com>
      4ca87f65
  3. Dec 30, 2023
    • Jonas Dreßler's avatar
      luci-mod-firewall: Expand on naming of forwarding rule inside the zone · c74c8614
      Jonas Dreßler authored 
      

Apparently the "Forward" entry of the individual firewall zones controls
forwarding within the zone (between the individual interfaces) only, and not
the forwarding of packets from the zone to other zones. This is quite
confusing, as the meaning is different from the global "Forward" option
above, which does control forwarding between zones.

Quote from user jow on the forum:
> The per-zone forward controls forwarding traffic among the ifaces of this
> zone. Traffic from/to other zones is handled by the global forward policy,
> or individual forwardings or rules.

See https://forum.openwrt.org/t/likely-bug-in-openwrt-firewall-rule-generation/18152

Let's try to be a bit more concise with the naming here and rename this
entry to "Intra zone forward", which hopefully makes the difference clear.

Signed-off-by: default avatarJonas Dreßler <verdre@v0yd.nl>
      c74c8614
  5. Nov 28, 2023
  7. Oct 12, 2023
  9. Jul 31, 2023
  11. Jul 12, 2023
  13. Jun 10, 2023
  15. May 16, 2023
  17. Apr 05, 2023
    • Dirk Brenken's avatar
      luci-app-firewall: fix the IPv6 forwards/snats view · 148759a5
      Dirk Brenken authored 
      * corrects the view as IPv4 and IPv6 for rules where the family is 'any' and the IP not set (this fixes #9c55500f

), e.g. a forward rule like that:

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

Signed-off-by: default avatarDirk Brenken <dev@brenken.org>
      148759a5
  19. Mar 30, 2023
  21. Mar 29, 2023
  23. Mar 15, 2023
  25. Feb 17, 2023
  27. Feb 04, 2023
  29. Mar 30, 2022
  31. Feb 16, 2022
  33. Jan 06, 2022
  35. Nov 11, 2021
  37. Nov 10, 2021
  39. Aug 31, 2021
  41. Aug 11, 2021
  43. Aug 04, 2021
  45. Mar 15, 2021
  47. Mar 01, 2021
  49. Jan 13, 2021
  51. Nov 20, 2020
  53. Oct 01, 2020
  55. Jul 05, 2020
  57. Apr 03, 2020
  59. Mar 26, 2020
  61. Mar 02, 2020