freifunk-franken
/
firmware
9
7
Fork 13
Code Issues 48 Pull Requests 7 Releases 17 Wiki Activity

layer3: add option to enable stateful firewall on client network #284

Closed
jkimmel wants to merge 2 commits from jkimmel/firmware:stateful-firewall into master
pull from: jkimmel/firmware:stateful-firewall
merge into: freifunk-franken:master
Conversation 2 Commits 2 Files Changed 25 +342 -119
jkimmel commented 2023-04-11 10:44:07 +02:00
Owner
Copy Link

Add the following option to the client config section in
/etc/config/gateway to enable a basic stateful firewall:

config client
    option stateful_firewall '1'

The firewall will forward icmp mesages and allow any outbound client
traffic and related inbound traffic.

Add the following option to the client config section in `/etc/config/gateway` to enable a basic stateful firewall: ``` config client option stateful_firewall '1' ``` The firewall will forward icmp mesages and allow any outbound client traffic and related inbound traffic.
jkimmel added the
feature
layer3
packages/fff
RFC
RFT
 labels 2023-04-11 10:44:07 +02:00
jkimmel added 1 commit 2023-04-11 10:44:08 +02:00
ci/woodpecker/pr/woodpecker Pipeline was successful Details
8be918ad49 WIP: fff-firewall: Switch from ip/ebtables to nftables 
Include nftables and appropriate modules. Translate ip- and ebtables
rules to their nftables counterparts. Remove ip/ebtables and modules.

This change intentionally tries to keep structural changes at a minimum
to keep the rule translation comprehensible.

kmod-nft-bridge is not required for fff-node, because it was merged into
a single kernel module since Linux 4.17:
[1] 02c7b25e5f
[2] fbaf48387e

Fixes: #252

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Co-authored-by: Johannes Kimmel <fff@bareminimum.eu>
fbl requested review from fbl 2023-04-11 10:44:52 +02:00
jkimmel added a new dependency 2023-04-11 18:08:04 +02:00
#275 fff-firewall: Switch from ip/ebtables to nftables
rohammer reviewed 2023-04-12 09:49:05 +02:00
jkimmel force-pushed stateful-firewall from 2f9cf3c091 to eaa40f7034 2023-04-12 10:01:18 +02:00 Compare
fbl commented 2023-05-20 12:04:46 +02:00
Owner
Copy Link

Acked-by: Fabian Bläse <fabian@blaese.de>

`Acked-by: Fabian Bläse <fabian@blaese.de>`
fbl added this to the 20240119-beta milestone 2023-05-20 12:05:05 +02:00
fbl removed the
RFC
RFT
 labels 2023-12-26 20:24:00 +01:00
fbl refused to review 2023-12-26 20:24:02 +01:00
fbl commented 2023-12-26 20:24:08 +01:00
Owner
Copy Link

Applied.

Applied.
fbl closed this pull request 2023-12-26 20:24:08 +01:00
All checks were successful
ci/woodpecker/pr/woodpecker Pipeline was successful
Details

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
RFC

   
RFT

   
WIP

   
blocked

   
bsp

touching bsp files or adding devices

  
bug

Something is not working

  
build/scripts/tools

touching buildscript or other tools

  
duplicate

This issue or pull request already exists

  
feature

New feature

  
fixed

Issue that got resolved

  
layer3

only for layer3 FW

  
mantis

Imported from mantis

  
more details required

Reported information is insufficient to debug the issue

  
needs changes

   
node

only for node FW

  
packages/fff

touching our packages

  
rejected

Rejected or won't fix

  
security

   
trivial

simple non-functional changes that are mostly matter of taste

  
upstream

touching upstream version, build or feed patches

No Label
RFC
RFT
WIP
blocked
bsp
bug
build/scripts/tools
duplicate
feature
fixed
layer3
mantis
more details required
needs changes
node
packages/fff
rejected
security
trivial
upstream
Milestone
Clear milestone
No items
No Milestone
20240119-beta
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Depends on
#275 fff-firewall: Switch from ip/ebtables to nftables
freifunk-franken/firmware
Reference: freifunk-franken/firmware#284
No description provided.
Delete Branch "jkimmel/firmware:stateful-firewall"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?