Mirrors
/
aredn
mirror of https://github.com/aredn/aredn.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
aredn/files/etc/local/mesh-firewall/01-tunnels

111 lines
5.2 KiB
Plaintext
Raw Normal View History

feature: FirewallIncludes: Migrate tunnel firewal rules to new include format. These rules setup chains that may be needed by other firewall rules as such we need to set them up early to be sure includes work.
2016-01-09 16:23:48 -07:00
#!/bin/sh
<<'LICENSE'
Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic.
2020-04-29 19:54:29 -06:00
Copyright (C) 2020 Joe Ayers
bugfix: Tunnel firewall rule chain names are incorrect. Based on previously reverted commit 646702aab92ea75b8be1b11298ac15d261e8ab33
2016-01-16 21:09:23 -07:00
Copyright (C) 2015 Conrad Lara and Joe Ayers
feature: FirewallIncludes: Migrate tunnel firewal rules to new include format. These rules setup chains that may be needed by other firewall rules as such we need to set them up early to be sure includes work.
2016-01-09 16:23:48 -07:00
See Contributors file for additional contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 3 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Additional Terms:
Additional use restrictions exist on the AREDN(TM) trademark and logo.
See AREDNLicense.txt for more info.
Attributions to the AREDN Project must be retained in the source code.
If importing this code into a new or existing project attribution
to the AREDN project must be added to the source code.
Sourcecode license text spelling correction. Inside the source files the word "contained" was mispelled as "conained" The website currently lists this correctly as "contained" This was an error in the intial stamping of the source files in changeset:5c3ee1d0686c6e6f2907fe4fc393d86d6c5a69b5/aredn_ar71xx Line is part of "Additional Conditions" permitted by GPLv3. Line does not impact coders prior to the AREDN setup date as it was added by the AREDN team. Change-Id: I3bc09aea548100f35c08aebe8686b8d4808d56d8 Signed-off-by: Conrad Lara - KG6JEI <KG6JEI@amsat.org> Signed-off-by: Joe Ayers <ae6xe@arrl.net> Signed-off-by: Darryl Quinn <k5dlq@arrl.net> Signed-off-by: Trevor Paskett - K7FPV <snoopytjp@gmail.com>
2016-12-23 22:23:58 -07:00
You must not misrepresent the origin of the material contained within.
feature: FirewallIncludes: Migrate tunnel firewal rules to new include format. These rules setup chains that may be needed by other firewall rules as such we need to set them up early to be sure includes work.
2016-01-09 16:23:48 -07:00
Modified versions must be modified to attribute to the original source
and be marked in reasonable ways as differentiate it from the original
version.
LICENSE
Wireguard tunnel support (#968) * Wireguard tunnel support * Fix wireguard firewall rules * Add Wireguard tunnels to LQM * Filter vlans on main bridge * If you paste a tunnel config into any field, it will auto-populate all fields correctly * Fix bad password keyword * Fix bad feeds change * Fix bad merge
2023-12-06 12:39:23 -07:00
if [ "$MESHFW_TUNNELS_ENABLED" != "1" -a "$MESHFW_WG_TUNNELS_ENABLED" != "1" ]; then
exit 0;
feature: FirewallIncludes: Migrate tunnel firewal rules to new include format. These rules setup chains that may be needed by other firewall rules as such we need to set them up early to be sure includes work.
2016-01-09 16:23:48 -07:00
fi
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic.
2020-04-29 19:54:29 -06:00
# In all cases - restart, flush, clear -- it is necessary to clean up any remenant rules to ensure chain order is correct
Update AREDN to OpenWRT 22.3.2 (Major Upgrade) (#574) * Update to Openwrt 21.02 and add support for the CPE710 v1 Update scripts to change references to ifname to device due to a change in Openwrt naming reverse-wpad-basic-wolfssl and disable SSL on Curl NOTE: The compile host must have python3-distutils installed for gpsd to build * aredn: initial working upgrade to openwrt 21.02.1 * aredn: update 1 to working upgrade to openwrt 21.02.1 * aredn: add cpe710v1 to build config * Andrew's patches * Remove duplicates + display perl * Temp disable wifi extension patch * ifname/ports support * Add spectrum patch back in * Generic function to extra interfaces * New api to get wifi ifname * Disables jails * Style link * aredn: partial upgrade to openwrt 22.0.3.0 added AC device images and partial migration to 22.0.3.0 firewall upgrade pending * aredn: update mesh-release and revert config.mk * Unused * NFT firewall rewrite * Common-isze configs * Fix network layout for hap2 * Use local packages dev (new firewall rules) * Add HAP2 * Add pause after network restart to let bridge reinitialize * Various lua fixes for new lua version * Tweak config * Re-fix networking (lost patch change) * Add new radio names * Tolerate missing wifi * Fix hap-lite switch setup * More devices * New radio id * Build Rocket 5AC lite * Remove need for luci.sys * Remove need for luci.sys * Explicitly name wlan interfaces * Handle different compatibility verisoning * Update networking for switches * ipref version bump * Extra flag for curl * Better compat_version fix * Remove wolfssl * Fix dns server * Fix device name * Unused * Remove things we dont need * Remove unused packages * Generic macaddr overrides * Fix uci commit * Fix luci.template.parser to avoid luci.http loading the real thing * Rocket-M build * Add search-domain dhcp option * Turn of ipv6 * No IPV6 in dnsmasq * Override mac addresses if devices all the same * Working from master (for now) * Put back hostap * Disable old ethmac fixup * Tweak configs * Move back to v22.03.2 Leave ipq4019 builds to master * Need IPV6 to compile nft firewall * Rocket-M fixes * Before we start * WIP * Working snapshot * Cleaned patches * Merged patch * Single patch to support HAP2 * Fix typo * Add nanostation-m * 5/10Mhz patch * 5+10MHz patch for ath10k-ct driver * Extend 2Ghz channel check to include -4 to -1 * Add chanbw setup for ath10k (like ath9k) * Added TP-Link CPE710 v1 * Override firmwares * Missing patch * Dropbear config like 3.22.8.0 * Add Ubiquiti Rocket 5AC Lite * Fix c6 * Update * Need more scan channels * Remove IPV6 * Improve mac fixups * Put back missing nft app * IPv6 removed so dont have to disable it * Fix rocket-m flash bug * Fix nanostation-m * Nanobridge is tiny * Fix wifi order for ar750 * Rocket M5 XW support * New rates * Fix firewall4 so we don't need IPv6 * Allow channel width to be restricted * Move channel list into library * Fix naming * Mechanism to block specific channels on specific radios * Refresh buttons * routerboard-sxt-5nd * CPE605 v1.0 * Improve rocket m xw * tpink * Update patch * Update to remove disable * Remove BW restrictions on cpe710 * Restrict to what has been tested * Remove test BW restrictions * sxtsq-5-ac * Update * Update * powerbeam-m5-300 support * Fix * Fix hap2 * Tidy unused patches * Remove limit * Add ubnt_bullet-m-ar7241 * Added ubnt_nanobeam-ac-gen2 * Fix typo * Tolerate missing dtd ip * Explicitly gix hap2 mac addresses * Fix some broken patches * Hap2 wont work at 5MHz * Ubiquiti LiteBeam 5AC Gen2 * Fix compat_version for sxt 5ac * Update patch * Unused * Fix lan configuration for some devices * Rolling average of noise level * Unused * Split out the ath10k rssi monitor (its very simple at the moment) * Ignore .DS_Store * Reboot if ethernet doesnt come up (but only once!) * reboot returns - add exit * Add some logging info * Fix ] * Check all possibly ethernet bridges * Improve mac fixing * Remove HostAP on small memory devices * Reduce dropbear footprint * Add setsid * Kill hostap when upgrading to save memory * Different way to detect hostapd unavailable * New build steps * Improve manager logging * Fix name conflict for the two monitors * Try to improve test mesh name resolve problem * Migrate tiny to generic (tiny doesnt work properly) * Typo * Another attempt to fix macs for Mikrotik * Protect against missing trackers * Fix wpad for ipq40xx * Remove old tunnel check code * Enable ZRAM swap to aid low memory devices * ath10k noise can something be out of range - protect against that * Updated with current devices and status * Update firmware which has been tested * Updated with more builds * More binary/README * Fix css error * Start noise at sensible base level * Unfix the css so it looks how it use to. * Save as much memory as we can on lowmem nodes * Hide some options on low memory devices * Add "eol" to 32MB devices * Restart network rather than reboot node if it seems to be broken * Fixes * Revert network reset * Fix ar750 networking * Continue to trim tiny configs * More devices * Dump IW output messages * Fix Rocket 5AC intermittent ethernet issue * Ethernet fix for PowerBeam 5AC 500 * More tiny size reduction * More support data * Fixed POE and USB power features * Add Ubiquiti NanoBeam AC (gen1) * NanoStation (not NanoBeam) * Add mii-tool package * Device updates * Bump update time to 5 minutes * Fix ethernet negotiation for rocker-5ac and nanobeam * Fix iplookup * Config changes based on call feedback * Radio listing fixes * Update with more untested builds * Fallback TxMbps extracted from iw station dump * Fix tunnel detection for low memory nodes * Remove unused feed packages * snapshot build * Update stability info * Add powerbeam-5ac-500 * Typo * Add missing 3.22.1.0 * Add MikroTik LHG 5 AC * Fix permissions * Fix permissions * AirGrid's take Bullet builds * Mikrotik AC3 * Improve supportdata structure a little to make it easier to find things * Restore WAN VLAN overrides * Fix vlan regex for hap2 and hap3 * Support old and new style poe controls * hap-ac3 is version 1.1 * Handle typo in some openwrt config files * Fix HAP AC3 install * Update hap ac3 status * Support user overrides for network ports (non-swconfig devices) * LHG 5AC support * Remove -nand * Remove non-working platform.sh change * tunnel weight override * Omit LinkQualityMult when value is 1 * Add mANTBox 19s and 15s * Support ath79 mikrotik devices which require ath10k in the initramfs Co-authored-by: apcameron <apcameron@softhome.net> Co-authored-by: Joe AE6XE <ae6xe@arrl.net> Co-authored-by: Joe Ayers <joe@arrl.net>
2022-12-22 13:22:49 -07:00
nft flush chain ip fw4 forwarding_vpn_rule 2>/dev/null
nft flush chain ip fw4 input_vpn 2>/dev/null
nft flush chain ip fw4 accept_vpn 2>/dev/null
nft flush chain ip fw4 reject_vpn 2>/dev/null
nft flush chain ip fw4 forward_vpn 2>/dev/null
nft flush chain ip fw4 accept_to_vpn 2>/dev/null
nft flush chain ip fw4 reject_to_vpn 2>/dev/null
nft delete chain ip fw4 forwarding_vpn_rule 2>/dev/null
nft delete chain ip fw4 input_vpn 2>/dev/null
nft delete chain ip fw4 accept_vpn 2>/dev/null
nft delete chain ip fw4 reject_vpn 2>/dev/null
nft delete chain ip fw4 forward_vpn 2>/dev/null
nft delete chain ip fw4 accept_to_vpn 2>/dev/null
nft delete chain ip fw4 reject_to_vpn 2>/dev/null
bugfix: On firewall reload some tunnel rules were not being inserted into the default chains which are flushed on both reload and restart of firewall by OpenWRT fw scripts.
2016-01-16 21:22:53 -07:00
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic.
2020-04-29 19:54:29 -06:00
echo " * Adding vtun firewall rules..."
Update AREDN to OpenWRT 22.3.2 (Major Upgrade) (#574) * Update to Openwrt 21.02 and add support for the CPE710 v1 Update scripts to change references to ifname to device due to a change in Openwrt naming reverse-wpad-basic-wolfssl and disable SSL on Curl NOTE: The compile host must have python3-distutils installed for gpsd to build * aredn: initial working upgrade to openwrt 21.02.1 * aredn: update 1 to working upgrade to openwrt 21.02.1 * aredn: add cpe710v1 to build config * Andrew's patches * Remove duplicates + display perl * Temp disable wifi extension patch * ifname/ports support * Add spectrum patch back in * Generic function to extra interfaces * New api to get wifi ifname * Disables jails * Style link * aredn: partial upgrade to openwrt 22.0.3.0 added AC device images and partial migration to 22.0.3.0 firewall upgrade pending * aredn: update mesh-release and revert config.mk * Unused * NFT firewall rewrite * Common-isze configs * Fix network layout for hap2 * Use local packages dev (new firewall rules) * Add HAP2 * Add pause after network restart to let bridge reinitialize * Various lua fixes for new lua version * Tweak config * Re-fix networking (lost patch change) * Add new radio names * Tolerate missing wifi * Fix hap-lite switch setup * More devices * New radio id * Build Rocket 5AC lite * Remove need for luci.sys * Remove need for luci.sys * Explicitly name wlan interfaces * Handle different compatibility verisoning * Update networking for switches * ipref version bump * Extra flag for curl * Better compat_version fix * Remove wolfssl * Fix dns server * Fix device name * Unused * Remove things we dont need * Remove unused packages * Generic macaddr overrides * Fix uci commit * Fix luci.template.parser to avoid luci.http loading the real thing * Rocket-M build * Add search-domain dhcp option * Turn of ipv6 * No IPV6 in dnsmasq * Override mac addresses if devices all the same * Working from master (for now) * Put back hostap * Disable old ethmac fixup * Tweak configs * Move back to v22.03.2 Leave ipq4019 builds to master * Need IPV6 to compile nft firewall * Rocket-M fixes * Before we start * WIP * Working snapshot * Cleaned patches * Merged patch * Single patch to support HAP2 * Fix typo * Add nanostation-m * 5/10Mhz patch * 5+10MHz patch for ath10k-ct driver * Extend 2Ghz channel check to include -4 to -1 * Add chanbw setup for ath10k (like ath9k) * Added TP-Link CPE710 v1 * Override firmwares * Missing patch * Dropbear config like 3.22.8.0 * Add Ubiquiti Rocket 5AC Lite * Fix c6 * Update * Need more scan channels * Remove IPV6 * Improve mac fixups * Put back missing nft app * IPv6 removed so dont have to disable it * Fix rocket-m flash bug * Fix nanostation-m * Nanobridge is tiny * Fix wifi order for ar750 * Rocket M5 XW support * New rates * Fix firewall4 so we don't need IPv6 * Allow channel width to be restricted * Move channel list into library * Fix naming * Mechanism to block specific channels on specific radios * Refresh buttons * routerboard-sxt-5nd * CPE605 v1.0 * Improve rocket m xw * tpink * Update patch * Update to remove disable * Remove BW restrictions on cpe710 * Restrict to what has been tested * Remove test BW restrictions * sxtsq-5-ac * Update * Update * powerbeam-m5-300 support * Fix * Fix hap2 * Tidy unused patches * Remove limit * Add ubnt_bullet-m-ar7241 * Added ubnt_nanobeam-ac-gen2 * Fix typo * Tolerate missing dtd ip * Explicitly gix hap2 mac addresses * Fix some broken patches * Hap2 wont work at 5MHz * Ubiquiti LiteBeam 5AC Gen2 * Fix compat_version for sxt 5ac * Update patch * Unused * Fix lan configuration for some devices * Rolling average of noise level * Unused * Split out the ath10k rssi monitor (its very simple at the moment) * Ignore .DS_Store * Reboot if ethernet doesnt come up (but only once!) * reboot returns - add exit * Add some logging info * Fix ] * Check all possibly ethernet bridges * Improve mac fixing * Remove HostAP on small memory devices * Reduce dropbear footprint * Add setsid * Kill hostap when upgrading to save memory * Different way to detect hostapd unavailable * New build steps * Improve manager logging * Fix name conflict for the two monitors * Try to improve test mesh name resolve problem * Migrate tiny to generic (tiny doesnt work properly) * Typo * Another attempt to fix macs for Mikrotik * Protect against missing trackers * Fix wpad for ipq40xx * Remove old tunnel check code * Enable ZRAM swap to aid low memory devices * ath10k noise can something be out of range - protect against that * Updated with current devices and status * Update firmware which has been tested * Updated with more builds * More binary/README * Fix css error * Start noise at sensible base level * Unfix the css so it looks how it use to. * Save as much memory as we can on lowmem nodes * Hide some options on low memory devices * Add "eol" to 32MB devices * Restart network rather than reboot node if it seems to be broken * Fixes * Revert network reset * Fix ar750 networking * Continue to trim tiny configs * More devices * Dump IW output messages * Fix Rocket 5AC intermittent ethernet issue * Ethernet fix for PowerBeam 5AC 500 * More tiny size reduction * More support data * Fixed POE and USB power features * Add Ubiquiti NanoBeam AC (gen1) * NanoStation (not NanoBeam) * Add mii-tool package * Device updates * Bump update time to 5 minutes * Fix ethernet negotiation for rocker-5ac and nanobeam * Fix iplookup * Config changes based on call feedback * Radio listing fixes * Update with more untested builds * Fallback TxMbps extracted from iw station dump * Fix tunnel detection for low memory nodes * Remove unused feed packages * snapshot build * Update stability info * Add powerbeam-5ac-500 * Typo * Add missing 3.22.1.0 * Add MikroTik LHG 5 AC * Fix permissions * Fix permissions * AirGrid's take Bullet builds * Mikrotik AC3 * Improve supportdata structure a little to make it easier to find things * Restore WAN VLAN overrides * Fix vlan regex for hap2 and hap3 * Support old and new style poe controls * hap-ac3 is version 1.1 * Handle typo in some openwrt config files * Fix HAP AC3 install * Update hap ac3 status * Support user overrides for network ports (non-swconfig devices) * LHG 5AC support * Remove -nand * Remove non-working platform.sh change * tunnel weight override * Omit LinkQualityMult when value is 1 * Add mANTBox 19s and 15s * Support ath79 mikrotik devices which require ath10k in the initramfs Co-authored-by: apcameron <apcameron@softhome.net> Co-authored-by: Joe AE6XE <ae6xe@arrl.net> Co-authored-by: Joe Ayers <joe@arrl.net>
2022-12-22 13:22:49 -07:00
nft add chain ip fw4 forwarding_vpn_rule
nft add chain ip fw4 input_vpn
nft add chain ip fw4 accept_vpn
nft add chain ip fw4 reject_vpn
nft add chain ip fw4 forward_vpn
nft add chain ip fw4 accept_to_vpn
nft add chain ip fw4 reject_to_vpn
Remove firewall counters except for specific ports
2023-01-24 23:55:00 -07:00
nft insert rule ip fw4 forward iifname "tun*" jump forward_vpn
nft add rule ip fw4 input iifname "tun*" jump input_vpn
nft add rule ip fw4 output oifname "tun*" jump accept_vpn # instead of creating a output_vpn chain
Wireguard tunnel support (#968) * Wireguard tunnel support * Fix wireguard firewall rules * Add Wireguard tunnels to LQM * Filter vlans on main bridge * If you paste a tunnel config into any field, it will auto-populate all fields correctly * Fix bad password keyword * Fix bad feeds change * Fix bad merge
2023-12-06 12:39:23 -07:00
nft insert rule ip fw4 forward iifname "wg*" jump forward_vpn
nft add rule ip fw4 input iifname "wg*" jump input_vpn
nft add rule ip fw4 output oifname "wg*" jump accept_vpn # instead of creating a output_vpn chain
nft add rule ip fw4 input_vpn icmp type echo-request accept
nft add rule ip fw4 input_vpn tcp dport 2222 accept
nft add rule ip fw4 input_vpn tcp dport 8080 accept
nft add rule ip fw4 input_vpn tcp dport 80 accept
nft add rule ip fw4 input_vpn udp dport 698 accept
nft add rule ip fw4 input_vpn tcp dport 23 accept
nft add rule ip fw4 input_vpn tcp dport 9090 accept
nft add rule ip fw4 input_vpn udp dport 161 accept
Remove firewall counters except for specific ports
2023-01-24 23:55:00 -07:00
nft add rule ip fw4 input_vpn ct status dnat accept comment \"!vtun: Accept port redirections\"
nft add rule ip fw4 input_vpn jump reject_vpn
nft insert rule ip fw4 forward_vpn jump forwarding_vpn_rule
nft add rule ip fw4 forward_vpn jump accept_to_vpn
Update AREDN to OpenWRT 22.3.2 (Major Upgrade) (#574) * Update to Openwrt 21.02 and add support for the CPE710 v1 Update scripts to change references to ifname to device due to a change in Openwrt naming reverse-wpad-basic-wolfssl and disable SSL on Curl NOTE: The compile host must have python3-distutils installed for gpsd to build * aredn: initial working upgrade to openwrt 21.02.1 * aredn: update 1 to working upgrade to openwrt 21.02.1 * aredn: add cpe710v1 to build config * Andrew's patches * Remove duplicates + display perl * Temp disable wifi extension patch * ifname/ports support * Add spectrum patch back in * Generic function to extra interfaces * New api to get wifi ifname * Disables jails * Style link * aredn: partial upgrade to openwrt 22.0.3.0 added AC device images and partial migration to 22.0.3.0 firewall upgrade pending * aredn: update mesh-release and revert config.mk * Unused * NFT firewall rewrite * Common-isze configs * Fix network layout for hap2 * Use local packages dev (new firewall rules) * Add HAP2 * Add pause after network restart to let bridge reinitialize * Various lua fixes for new lua version * Tweak config * Re-fix networking (lost patch change) * Add new radio names * Tolerate missing wifi * Fix hap-lite switch setup * More devices * New radio id * Build Rocket 5AC lite * Remove need for luci.sys * Remove need for luci.sys * Explicitly name wlan interfaces * Handle different compatibility verisoning * Update networking for switches * ipref version bump * Extra flag for curl * Better compat_version fix * Remove wolfssl * Fix dns server * Fix device name * Unused * Remove things we dont need * Remove unused packages * Generic macaddr overrides * Fix uci commit * Fix luci.template.parser to avoid luci.http loading the real thing * Rocket-M build * Add search-domain dhcp option * Turn of ipv6 * No IPV6 in dnsmasq * Override mac addresses if devices all the same * Working from master (for now) * Put back hostap * Disable old ethmac fixup * Tweak configs * Move back to v22.03.2 Leave ipq4019 builds to master * Need IPV6 to compile nft firewall * Rocket-M fixes * Before we start * WIP * Working snapshot * Cleaned patches * Merged patch * Single patch to support HAP2 * Fix typo * Add nanostation-m * 5/10Mhz patch * 5+10MHz patch for ath10k-ct driver * Extend 2Ghz channel check to include -4 to -1 * Add chanbw setup for ath10k (like ath9k) * Added TP-Link CPE710 v1 * Override firmwares * Missing patch * Dropbear config like 3.22.8.0 * Add Ubiquiti Rocket 5AC Lite * Fix c6 * Update * Need more scan channels * Remove IPV6 * Improve mac fixups * Put back missing nft app * IPv6 removed so dont have to disable it * Fix rocket-m flash bug * Fix nanostation-m * Nanobridge is tiny * Fix wifi order for ar750 * Rocket M5 XW support * New rates * Fix firewall4 so we don't need IPv6 * Allow channel width to be restricted * Move channel list into library * Fix naming * Mechanism to block specific channels on specific radios * Refresh buttons * routerboard-sxt-5nd * CPE605 v1.0 * Improve rocket m xw * tpink * Update patch * Update to remove disable * Remove BW restrictions on cpe710 * Restrict to what has been tested * Remove test BW restrictions * sxtsq-5-ac * Update * Update * powerbeam-m5-300 support * Fix * Fix hap2 * Tidy unused patches * Remove limit * Add ubnt_bullet-m-ar7241 * Added ubnt_nanobeam-ac-gen2 * Fix typo * Tolerate missing dtd ip * Explicitly gix hap2 mac addresses * Fix some broken patches * Hap2 wont work at 5MHz * Ubiquiti LiteBeam 5AC Gen2 * Fix compat_version for sxt 5ac * Update patch * Unused * Fix lan configuration for some devices * Rolling average of noise level * Unused * Split out the ath10k rssi monitor (its very simple at the moment) * Ignore .DS_Store * Reboot if ethernet doesnt come up (but only once!) * reboot returns - add exit * Add some logging info * Fix ] * Check all possibly ethernet bridges * Improve mac fixing * Remove HostAP on small memory devices * Reduce dropbear footprint * Add setsid * Kill hostap when upgrading to save memory * Different way to detect hostapd unavailable * New build steps * Improve manager logging * Fix name conflict for the two monitors * Try to improve test mesh name resolve problem * Migrate tiny to generic (tiny doesnt work properly) * Typo * Another attempt to fix macs for Mikrotik * Protect against missing trackers * Fix wpad for ipq40xx * Remove old tunnel check code * Enable ZRAM swap to aid low memory devices * ath10k noise can something be out of range - protect against that * Updated with current devices and status * Update firmware which has been tested * Updated with more builds * More binary/README * Fix css error * Start noise at sensible base level * Unfix the css so it looks how it use to. * Save as much memory as we can on lowmem nodes * Hide some options on low memory devices * Add "eol" to 32MB devices * Restart network rather than reboot node if it seems to be broken * Fixes * Revert network reset * Fix ar750 networking * Continue to trim tiny configs * More devices * Dump IW output messages * Fix Rocket 5AC intermittent ethernet issue * Ethernet fix for PowerBeam 5AC 500 * More tiny size reduction * More support data * Fixed POE and USB power features * Add Ubiquiti NanoBeam AC (gen1) * NanoStation (not NanoBeam) * Add mii-tool package * Device updates * Bump update time to 5 minutes * Fix ethernet negotiation for rocker-5ac and nanobeam * Fix iplookup * Config changes based on call feedback * Radio listing fixes * Update with more untested builds * Fallback TxMbps extracted from iw station dump * Fix tunnel detection for low memory nodes * Remove unused feed packages * snapshot build * Update stability info * Add powerbeam-5ac-500 * Typo * Add missing 3.22.1.0 * Add MikroTik LHG 5 AC * Fix permissions * Fix permissions * AirGrid's take Bullet builds * Mikrotik AC3 * Improve supportdata structure a little to make it easier to find things * Restore WAN VLAN overrides * Fix vlan regex for hap2 and hap3 * Support old and new style poe controls * hap-ac3 is version 1.1 * Handle typo in some openwrt config files * Fix HAP AC3 install * Update hap ac3 status * Support user overrides for network ports (non-swconfig devices) * LHG 5AC support * Remove -nand * Remove non-working platform.sh change * tunnel weight override * Omit LinkQualityMult when value is 1 * Add mANTBox 19s and 15s * Support ath79 mikrotik devices which require ath10k in the initramfs Co-authored-by: apcameron <apcameron@softhome.net> Co-authored-by: Joe AE6XE <ae6xe@arrl.net> Co-authored-by: Joe Ayers <joe@arrl.net>
2022-12-22 13:22:49 -07:00
if [ "$MESHFW_MESHGW" = "1" ] ; then
Remove firewall counters except for specific ports
2023-01-24 23:55:00 -07:00
nft insert rule ip fw4 forward_vpn jump accept_to_wan
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic.
2020-04-29 19:54:29 -06:00
fi
Remove firewall counters except for specific ports
2023-01-24 23:55:00 -07:00
nft add rule ip fw4 forward_vpn ct status dnat accept comment \"!vtun: Accept port forwards\"
nft add rule ip fw4 forward_vpn jump accept_to_dtdlink
nft add rule ip fw4 forward_vpn jump accept_to_lan
nft add rule ip fw4 forward_vpn jump accept_to_wifi
nft add rule ip fw4 forward_vpn jump reject_to_vpn
nft add rule ip fw4 accept_vpn oifname "tun*" accept
nft add rule ip fw4 accept_vpn iifname "tun*" accept
nft add rule ip fw4 reject_vpn oifname "tun*" reject
nft add rule ip fw4 reject_vpn iifname "tun*" reject
nft add rule ip fw4 accept_to_vpn oifname "tun*" accept
nft add rule ip fw4 reject_to_vpn oifname "tun*" reject
Wireguard tunnel support (#968) * Wireguard tunnel support * Fix wireguard firewall rules * Add Wireguard tunnels to LQM * Filter vlans on main bridge * If you paste a tunnel config into any field, it will auto-populate all fields correctly * Fix bad password keyword * Fix bad feeds change * Fix bad merge
2023-12-06 12:39:23 -07:00
nft add rule ip fw4 accept_vpn oifname "wg*" accept
nft add rule ip fw4 accept_vpn iifname "wg*" accept
nft add rule ip fw4 reject_vpn oifname "wg*" reject
nft add rule ip fw4 reject_vpn iifname "wg*" reject
nft add rule ip fw4 accept_to_vpn oifname "wg*" accept
nft add rule ip fw4 reject_to_vpn oifname "wg*" reject
Remove firewall counters except for specific ports
2023-01-24 23:55:00 -07:00
nft insert rule ip fw4 forward_dtdlink jump accept_to_vpn
nft insert rule ip fw4 forward_wifi jump accept_to_vpn
nft insert rule ip fw4 forward_lan jump accept_to_vpn
Add missing mss clamping to tunnels (#980) * Add missing mss clamping for tunnels * Change to add from insert on firewall
2023-12-06 12:53:35 -07:00
nft add rule ip fw4 mangle_forward iifname "tun*" tcp flags syn tcp option maxseg size set rt mtu
nft add rule ip fw4 mangle_forward oifname "tun*" tcp flags syn tcp option maxseg size set rt mtu
nft add rule ip fw4 mangle_forward iifname "wg*" tcp flags syn tcp option maxseg size set rt mtu
nft add rule ip fw4 mangle_forward oifname "wg*" tcp flags syn tcp option maxseg size set rt mtu