OpenWrt has its own firewall service called fw3, which supports firewall zones.
Docker can bypass the handling of the zone rules in OpenWrt via custom
tables. These are "always" processed before the OpenWrt firewall,
which is prone to errors,
since not everyone is aware that the firewall of OpenWrt will
not be passed. And this is a security problem because a mapped port is
visible on all interfaces and so also on the WAN side.
If the firewall handling in Docker is switched off, then the port in
fw3 must be explicitly released and it cannot happen that the
port is accidentally exported to the outside world via the interfaces on
the WAN zone.
So all rules for the containers should, and so must, be made in fw3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>

Up to now only the docker0 interface and bridge are created by default.
In order to create other interfaces and to integrate them into
OpenWrt, these functions can now be called with arguments.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>

nopingtime UCI option rationale:
I want a relatively fast reaction (i.e. 1m or 2m) for the 'no internet' condition,
but I don't want my router to reboot every 1 minute if there is still no
internet after the reboot.
initd_watchcat:
* add: nopingtime uci option support
* add: defaults for all non-critical options
* add: log warnings for non-critical errors (when an option is missing and
the default is applied)
* fix: error handling and config_get defaults were sometimes in conflict
because of the config_get defaults. They are gone now, error handling improved.
* fix: calling watchcat.sh with 'period' mode instead of 'ping'. Typo?
* fix: pingperiod default changed from period/20 to the more reasonable period/5
watchcat.sh:
* add: nopingtime uci option support (sleep if uptime < nopingtime)
* remove: [ "$mode" = "allways" ] && mode="always" - not needed, already
done by initd_watchcat in the load_watchcat() func
* add: echo 1 > /proc/sys/kernel/sysrq before sysrq-trigger
* refactor: eliminated once-used, unneeded variables; code size reduced.
* PKG_RELEASE bumped up
Signed-off-by: Vasily Trotzky <trotzky.vas@gmail.com>

1. clang ld does not support symvers
2. macOS has no mutex_lock, use pthread_mutex_lock instead
3. macOS does not define SO_PEERCRED, use LOCAL_PEERCRED instead
Signed-off-by: Liangbin Lian <jjm2473@gmail.com>

procd-seccomp switched to an OCI-compliant seccomp parser instead of our
(legacy, OpenWrt-specific) format. Convert the ruleset to the new format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

iputils upstream changed build params with version s20200821.
The latest OpenWrt iputils ping now appears to report the OpenWrt
version tag rather than the iputils date tag.
This commit sends a test ping to localhost to evaluate the
capabilities of iputils ping.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>

Allow `mwan3 interfaces` to get uptime via an internal function and
thus remove the dependency on rpcd for `mwan3 interface` calls.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>

This includes security fixes for:
* CVE-2020-28362: panic during recursive division of very large numbers
* CVE-2020-28366: arbitrary code can be injected into cgo generated
files
* CVE-2020-28367: improper validation of cgo flags can lead to remote
code execution at build time
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

Upstream commit 90884c62 ("xl2tpd-control refactoring"), introduced in
1.3.16, changed command names.
The l2tp protocol handler part was from @danvd in pull request
openwrt/packages#13866.
Fixes f07319d6 ("xl2tpd: bump to version 1.3.16")
Ref: https://github.com/openwrt/packages/pull/13866
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

* blocked_interfaces blocks all packets to docker0 from the given
interface. This is needed because all the iptables commands dockerd
adds operate before any of the fw3 generated rules.
Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
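
The two Docker commits above (Florian Eckert's note that dockerd's chains run before the fw3 zone rules and that a mapped port is therefore visible on the WAN side, and the blocked_interfaces commit that works around the same ordering) describe a condition a router operator would want to check for. The following is an added example, not code from either commit or from the OpenWrt packages repository. It parses the rule format written by `iptables-save -t nat` for the DOCKER chain that dockerd installs, reports the DNAT mappings that are not bound to an explicit host address (those match on every interface except docker0, WAN included), and prints the fw3 `config redirect` stanza that would release the same port from the LAN zone only, which is the manual step the commit asks for once dockerd's own iptables handling is switched off. The sample dump is constructed; the fw3 option names are the standard redirect options, and the assumption that docker0 sits in the `lan` zone is marked in the code.

```python
"""Spot Docker port mappings that the fw3 zone rules never see (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `iptables-save -t nat` output; not captured from a real router.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -p udp -m udp --dport 5353 -j DNAT --to-destination 172.17.0.4:5353
COMMIT
"""

# One DNAT rule in the DOCKER chain. `-d <host>/32` is only present when the
# mapping was bound to a host address (docker run -p 127.0.0.1:5432:5432).
RULE_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<host>\S+))? ! -i \S+ -p (?P<proto>tcp|udp) -m (?P=proto)"
    r" --dport (?P<dport>\d+) -j DNAT --to-destination (?P<dest>\S+):(?P<dest_port>\d+)$"
)


@dataclass(frozen=True)
class Mapping:
    proto: str
    host: Optional[str]  # explicit host address the rule is bound to, if any
    dport: int
    dest_ip: str
    dest_port: int

    @property
    def wan_exposed(self) -> bool:
        # Without a host binding the rule matches on every non-docker0
        # interface, so the port is reachable from the WAN zone as well.
        return self.host is None


def parse_docker_dnat(nat_dump: str) -> List[Mapping]:
    """Return the DNAT mappings found in the DOCKER chain of an iptables-save dump."""
    found = []
    for line in nat_dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.append(Mapping(m["proto"], m["host"], int(m["dport"]),
                                 m["dest"], int(m["dest_port"])))
    return found


def wan_exposed_mappings(nat_dump: str) -> List[Mapping]:
    """Mappings that bypass the fw3 zone rules on every interface."""
    return [mp for mp in parse_docker_dnat(nat_dump) if mp.wan_exposed]


def fw3_redirect(mp: Mapping, src_zone: str = "lan") -> str:
    """fw3 /etc/config/firewall stanza releasing the same port from src_zone only."""
    return "\n".join([
        "config redirect",
        f"\toption name 'docker_{mp.proto}_{mp.dport}'",
        f"\toption src '{src_zone}'",
        f"\toption src_dport '{mp.dport}'",
        "\toption dest 'lan'",  # assumption: docker0 is attached to the lan zone
        f"\toption dest_ip '{mp.dest_ip}'",
        f"\toption dest_port '{mp.dest_port}'",
        f"\toption proto '{mp.proto}'",
        "\toption target 'DNAT'",
    ])


if __name__ == "__main__":
    # On a router: python3 this_script.py < <(iptables-save -t nat)
    for mp in wan_exposed_mappings(SAMPLE_NAT):
        print(f"{mp.proto}/{mp.dport} -> {mp.dest_ip}:{mp.dest_port} "
              "is reachable on all interfaces, fw3 zone rules are bypassed")
        print(fw3_redirect(mp))
        print()
```

On the constructed sample the 8080/tcp and 5353/udp mappings are flagged while the 5432/tcp mapping bound to 127.0.0.1 is not; the printed stanzas are only a starting point, since a deployment that puts docker0 in its own zone would name that zone in `option dest` instead of `lan`.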