Contents

Firewall configuration /etc/config/firewall

Management

WebUI

CLI

Configuration sections

Defaults

Includes

Redirects

Zones

Forwardings

Rules

Routing

IP Sets

IPv6

SNAT

Firewall configuration /etc/config/firewall

OpenWrt's firewall application, fw3, can be managed through three mechanisms: the LuCI web interface, the UCI command-line interface, and direct editing of the configuration files:

  • /etc/firewall.user
  • /etc/config/firewall

This page focuses on the configuration files and their contents; LuCI and UCI are user-facing abstractions that ultimately modify the same files.

Management

  • The main firewall configuration file is /etc/config/firewall; edit it to change the firewall settings.
  • Back the file up before modifying it.
  • Once the changes are in place and verified, reload the firewall with /etc/init.d/firewall reload (fw3 reload is simpler and also checks the configuration file for errors).
  • Any line whose first character is # is not parsed and serves as a comment.
  • The UCI firewall configuration in /etc/config/firewall covers a reasonable subset of the netfilter rule language, but not all of it.
  • Use the fw3 UCI configuration wherever possible. Some scenarios require raw iptables; see Netfilter in OpenWrt.

WebUI

LuCI is a convenient way to view and modify the firewall configuration.

  • It lives under Network --> Firewall and maps closely onto the sections of the configuration file.
  • Changing the firewall configuration through it takes a little longer, but it is more clearly organised than the raw file.

Change the parameters and reload with the Save & Apply button.

  • LuCI removes all comment (#) lines from /etc/config/firewall.

CLI

UCI is a low-level abstraction of the configuration file, reachable remotely over ssh.

uci add firewall rule
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='tcp udp icmp'
uci set firewall.@rule[-1].src='vpn'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].name='Reject All VPN -> LAN Traffic'
uci commit firewall
service firewall restart

This appends a new rule section (the last @rule entry) that rejects all tcp, udp and icmp traffic forwarded from the vpn zone to the lan zone.

Show the firewall configuration:

# uci show firewall
firewall.@rule[20]=rule
firewall.@rule[20].target='REJECT'
firewall.@rule[20].proto='tcp udp icmp'
firewall.@rule[20].src='vpn'
firewall.@rule[20].dest='lan'
firewall.@rule[20].name='Reject All VPN -> LAN Traffic'

UCI is convenient for inspecting the firewall configuration, but it is generally not used for modifying it, for several reasons:

  • You have to know the rule array indexing (@rule[N]) to address the right section.
  • uci knows nothing about the contents of the /etc/firewall.user script.
  • uci commit is required to save the configuration, but /etc/init.d/firewall reload still has to be called to load the new tables.

Configuration sections

Below is an overview of the firewall configuration sections that can be defined:

  • A minimal configuration for a router usually consists of one defaults section, at least two zones (lan and wan) and one forwarding that allows traffic from lan to wan.
  • The forwarding section is not strictly required when there are no more than two zones, because the forward policy can instead be set as the zone's global default.

Defaults

The defaults section declares global firewall settings that do not belong to a specific zone.

config defaults
    option  input                 'ACCEPT'
    option  output                'ACCEPT'
    option  forward               'REJECT'
    option  custom_chains         '1'
    option  drop_invalid          '1'
    option  syn_flood             '1'
    option  synflood_burst        '50'
    option  synflood_protect      '1'
    option  tcp_ecn               '1'
    option  tcp_syncookies        '1'
    option  tcp_window_scaling    '1'

Options

  • input (string, optional, default REJECT): Set policy for the INPUT chain of the filter table.
  • forward (string, optional, default REJECT): Set policy for the FORWARD chain of the filter table.
  • output (string, optional, default REJECT): Set policy for the OUTPUT chain of the filter table.
  • drop_invalid (boolean, optional, default 0): Drop invalid packets (e.g. packets not matching any active connection).
  • syn_flood (boolean, optional, default 0): Enable SYN flood protection (obsoleted by the synflood_protect setting).
  • synflood_protect (boolean, optional, default 0): Enable SYN flood protection.
  • synflood_rate (string, optional, default 25): Rate limit (packets/second) for SYN packets above which the traffic is considered a flood.
  • synflood_burst (string, optional, default 50): Burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate.
  • tcp_syncookies (boolean, optional, default 1): Enable the use of SYN cookies.
  • tcp_ecn (boolean, optional, default 0): Enable or disable Explicit Congestion Notification. Implemented upstream in the Linux kernel; see ip-sysctl.txt.
  • tcp_window_scaling (boolean, optional, default 1): Enable TCP window scaling.
  • accept_redirects (boolean, optional, default 0): Accept ICMP redirects. Implemented upstream in the Linux kernel; see ip-sysctl.txt.
  • accept_source_route (boolean, optional, default 0): Accept source-routed packets. Implemented upstream in the Linux kernel; see ip-sysctl.txt.
  • custom_chains (boolean, optional, default 1): Enable generation of custom rule chain hooks for user generated rules. User rules are typically stored in firewall.user, but some packages, e.g. BCP38, also make use of these hooks.
  • disable_ipv6 (boolean, optional, default 0): Disable IPv6 firewall rules.
  • flow_offloading (boolean, optional, default 0): Enable software flow offloading for connections (decreases CPU load, increases routing throughput).
  • flow_offloading_hw (boolean, optional, default 0): Enable hardware flow offloading for connections (depends on flow_offloading and on hardware capability).
  • tcp_reject_code (reject_code, optional, default 0): Defined in firewall3/options.h. Appears to select the method of packet rejection (TCP reset or drop, versus ICMP destination unreachable).
  • any_reject_code (reject_code, optional, default 1): Defined in firewall3/options.h. Appears to select the method of packet rejection (TCP reset or drop, versus ICMP destination unreachable).
  • auto_helper (bool, optional): no default or description is given on this page.

Includes

Custom firewall scripts can be included by specifying one or more include sections in the firewall configuration:

config include
    option path '/etc/firewall.user'

  • The script /etc/firewall.user is empty by default.

Options

  • enabled (boolean, optional, default 1): Allows disabling the include without having to delete the section.
  • type (string, optional, default script): Type of the include: script for a traditional shell script include, or restore for a plain file in iptables-restore format.
  • path (file name, required, default /etc/firewall.user): Shell script to execute on boot or on firewall restarts.
  • family (string, optional, default any): Address family (ipv4, ipv6 or any) for which the include is called.
  • reload (boolean, optional, default 0): Whether the include should be called on reload; only needed if the include injects rules into internal chains.

An include of type script can contain arbitrary commands, for example advanced iptables rules or the tc commands needed for traffic shaping.

  • Since custom iptables rules are usually more specific than the generic ones, make sure to use -I (insert) rather than -A (append), so that the custom rules are evaluated before the default rules.
  • Plain iptables -I or -A does not check whether an identical rule already exists, so a script that runs more than once (for example on every reload) adds a duplicate each time. Test with iptables -C first and only insert when that check fails.

Example

Below is an example /etc/firewall.user script that allows CloudFlare's address ranges to reach HTTP (port 80) and HTTPS (port 443). Use it if your uhttpd is hidden behind the CloudFlare proxy.

# Replace ips-v4 with ips-v6 if needed
for ip in $(wget -qO- http://www.cloudflare.com/ips-v4); do
  iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done

NOTE: The list is fetched over HTTP, because wget over https would require the ca-certificates package to be installed. This leaves the download of the list open to a man-in-the-middle attack (a tampered list can put arbitrary addresses on the allowlist), but the resulting rules still keep the web server off the open Internet.
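The script above takes whatever the HTTP download returns and hands it straight to iptables. The following is an added example, not code from the original page or from OpenWrt, showing the same allowlist with the two hardening steps a practitioner would add: validation of every entry as an IPv4 prefix (so a tampered list cannot slip in 0.0.0.0/0 or garbage), and an iptables -C check so the include is idempotent across reloads. The CloudFlare URL is the page's; the sample list embedded in the script is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not the page's or OpenWrt's code): a hardened version of the
# /etc/firewall.user include above.
#  - every downloaded entry is validated as an IPv4 CIDR (octets 0-255,
#    prefix length 8..32) before it reaches iptables, so a tampered list
#    cannot smuggle in a blanket 0.0.0.0/0 or shell garbage;
#  - iptables -C is tried before -I, so re-running the include (e.g. on
#    reload) does not append duplicate rules.
# Assumes busybox wget and iptables on the router, as on the page.

# Constructed sample standing in for the downloaded list: two valid
# entries, an IPv6 prefix, junk, a blanket 0.0.0.0/0 and a bad octet.
SAMPLE_LIST='103.21.244.0/22
103.22.200.0/22
2400:cb00::/32
not-an-address
0.0.0.0/0
10.0.0.256/24'

# valid_cidr4 ENTRY: exit 0 only for a well-formed IPv4 prefix with /8../32.
valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    IFS=.; set -- $addr; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# filter_list: copies valid entries from stdin to stdout, reports the rest.
filter_list() {
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if valid_cidr4 "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'firewall.user: skipping %s\n' "$entry" >&2
        fi
    done
}

# rule_cmds: turns the validated list into idempotent iptables commands.
# They are printed rather than executed so they can be reviewed first;
# pipe the output into sh to apply.
rule_cmds() {
    filter_list | while IFS= read -r net; do
        printf 'iptables -C INPUT -p tcp -m multiport --dports http,https -s %s -j ACCEPT 2>/dev/null || ' "$net"
        printf 'iptables -I INPUT -p tcp -m multiport --dports http,https -s %s -j ACCEPT\n' "$net"
    done
}

# count_valid: how many sample entries survive validation.
count_valid() { printf '%s\n' "$SAMPLE_LIST" | filter_list 2>/dev/null | wc -l | tr -d ' '; }

# On the router, /etc/firewall.user would end with:
#   wget -qO- http://www.cloudflare.com/ips-v4 | rule_cmds | sh
```

The validation does not remove the MitM exposure of the download itself (only HTTPS with a trusted CA bundle does that); it bounds the damage to "an attacker can allowlist some /8-or-longer prefix", instead of "an attacker can run arbitrary text through your firewall script".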

Redirects

Port forwards (DNAT) are defined in redirect sections. Port redirection is also commonly called port forwarding or virtual server.

  • All incoming traffic on the given source zone that matches the rule is directed to the specified internal host.
  • Port ranges are specified as start:stop, for instance 6666:6670 (similar to the iptables syntax).

Destination NAT

config redirect
    option  target      'DNAT'
    option  proto       'tcp'
    option  src         'wan'
    option  src_dport   '19900'
    option  dest        'lan'
    option  dest_port   '22'
    option  dest_ip     '192.168.1.1'
    option  name        'Allow Redirect WAN -> LAN (SSH)'

If the section does not contain src_dport, packets that match the other options on any port are forwarded to the destination port given in the section. This can pose a security risk for the application running on the destination port opened by the section. One way to test for this is to use the Gibson Research Corporation ShieldsUP! service and probe the ports of interest on the router. The response can be open, closed or stealth (dropped). For open or closed ports the packet reached the target host and an acknowledgement or reply was sent back. Stealth ports drop the packet; from the probing system's point of view it cannot tell whether the packets reached the target host at all.

Source NAT

Masquerading is the most common form of SNAT; it rewrites the source of traffic leaving the WAN to the router's public IP. SNAT can also be configured by hand:

config redirect
    option  target      'SNAT'
    option  proto       'icmp'
    option  src         'dmz'
    option  src_ip      '192.168.1.250'
    option  src_dip     '1.2.3.4'
    option  dest        'wan'
    option  name        'SNAT: DMZ ICMP 192.168.1.250 -> 1.2.3.4'

Options

  • name (string, optional, default none): Name of the redirect.
  • src (zone name, required for target DNAT, default none): Traffic source zone. Must refer to one of the defined zone names. For typical port forwards this is usually wan.
  • src_ip (ip address, optional, default none): Match incoming traffic from the specified source IP address.
  • src_dip (ip address, required for target SNAT, default none): For DNAT, match incoming traffic directed at the given destination IP address. For SNAT, rewrite the source address to the given address.
  • src_mac (mac address, optional, default none): Match incoming traffic from the specified MAC address.
  • src_port (port or range, optional, default none): Match incoming traffic originating from the given source port or port range on the client host.
  • src_dport (port or range, optional, default none): For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT, rewrite the source ports to the given value.
  • proto (protocol name or number, optional, default tcp udp): Match incoming traffic using the given protocol.
  • dest (zone name, required for target SNAT, default none): Traffic destination zone. Must refer to one of the defined zone names. For the DNAT target on Attitude Adjustment, NAT reflection works only if this is equal to lan.
  • dest_ip (ip address, required for target DNAT, default none): For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. For DNAT, if dest_ip matches one of the router's own addresses (as shown by ifconfig), the rule is translated into a DNAT + input accept rule; otherwise it is a DNAT + forward rule.
  • dest_port (port or range, optional, default none): For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with Rules (below).
  • ipset (string, optional, default none): If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark.
  • mark (string, optional, default none): If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark 16.
  • start_date (date yyyy-mm-dd, optional, default always): If specified, only match traffic after the given date (inclusive).
  • stop_date (date yyyy-mm-dd, optional, default always): If specified, only match traffic before the given date (inclusive).
  • start_time (time hh:mm:ss, optional, default always): If specified, only match traffic after the given time of day (inclusive).
  • stop_time (time hh:mm:ss, optional, default always): If specified, only match traffic before the given time of day (inclusive).
  • weekdays (list of weekdays, optional, default always): If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to match on every day except Saturdays and Sundays.
  • monthdays (list of dates, optional, default always): If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on the 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to match on every day except the 31st.
  • utc_time (boolean, optional, default 0): Treat all given time values as UTC instead of local time.
  • target (string, optional, default DNAT): NAT target (DNAT or SNAT) to use when generating the rule.
  • family (string, optional, default any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
  • reflection (boolean, optional, default 1): Activate NAT reflection for this redirect; applicable to DNAT targets.
  • reflection_src (string, optional, default internal): The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface's address to use. Applicable to DNAT targets.
  • limit (string, optional, default none): Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s.
  • limit_burst (integer, optional, default 5): Maximum initial number of packets to match, allowing a short-term average above limit.
  • enabled (string, optional, default 1 or yes): Enable the redirect rule or not.
  • helper (cthelper, optional): no default or description is given on this page.

Zones

A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects.

config zone
    option  name        'wan'
    option  network     'wan wan6'
    option  input       'REJECT'
    option  output      'ACCEPT'
    option  forward     'REJECT'
    option  masq        '1'
    option  mtu_fix     '1'

  • MASQUERADE (NAT) of outgoing traffic (WAN) is controlled per zone, on the outgoing interface.
  • INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.
  • OUTPUT rules for a zone describe what happens to traffic originating from the router itself going out through an interface in that zone.
  • FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging to the same zone.

Options

  • name (zone name, required, default none): Unique zone name. 11 characters is the maximum working zone name length.
  • network (list, optional, default none): List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid standalone networks. Use list syntax.
  • masq (boolean, optional, default 0): Whether outgoing zone traffic should be masqueraded. This is typically enabled on the wan zone.
  • masq_src (list of subnets, optional, default 0.0.0.0/0): Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
  • masq_dest (list of subnets, optional, default 0.0.0.0/0): Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
  • masq_allow_invalid (boolean, optional, default 0): Do not add DROP INVALID rules if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see the commit in firewall3).
  • mtu_fix (boolean, optional, default 0): Enable MSS clamping for outgoing zone traffic.
  • input (string, optional, default DROP): Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic.
  • forward (string, optional, default DROP): Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic.
  • output (string, optional, default DROP): Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic.
  • family (string, optional, default any): Protocol family (ipv4, ipv6 or any) these iptables rules are for.
  • log (int, optional, default 0): Bit field to enable logging in the filter and/or mangle tables; bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae)
  • log_limit (string, optional, default 10/minute): Limits the amount of log messages per interval.
  • device (list, optional, default none): List of raw network device names attached to this zone, e.g. ppp+ to match any PPP interface.
  • subnet (list, optional, default none): List of IP subnets attached to this zone.
  • extra (string, optional, default none): Extra arguments passed directly to iptables. These are passed to both source and destination classification rules, therefore direction-specific options like --dport should not be used here; use extra_src and extra_dest instead.
  • extra_src (string, optional, default value of extra): Extra arguments passed directly to iptables for source classification rules.
  • extra_dest (string, optional, default value of extra): Extra arguments passed directly to iptables for destination classification rules.
  • custom_chains (bool, optional): no default or description is given on this page.
  • enabled (bool, optional, default yes): If set to 0, the zone is disabled.
  • auto_helper (bool, optional): no default or description is given on this page.
  • helper (cthelper, optional): no default or description is given on this page.

Forwardings

The forwarding sections control the traffic flow between zones, and may enable MSS clamping for specific directions.

config forwarding
    option  src         'lan'
    option  dest        'wan'

  • Only one direction is covered by a forwarding rule. To allow bidirectional traffic flows between two zones, two forwardings are required, with src and dest reversed in each.

Options

  • name (forward name, optional, default none): Unique forwarding name.
  • src (zone name, required, default none): Traffic source zone. Must refer to one of the defined zone names. In the usual lan-to-wan forwarding this is lan.
  • dest (zone name, required, default none): Traffic destination zone. Must refer to one of the defined zone names.
  • mtu_fix (boolean, optional, default 0): Enable MSS clamping for traffic flowing from the source zone to the destination zone (deprecated and moved to zone sections in 8.09.2+).
  • family (string, optional, default any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
  • enabled (bool, optional, default yes): If set to 0, the forwarding is disabled.

The iptables rules generated for this section rely on the state match, which needs connection tracking to work.

  • At least one of the src or dest zones needs to have connection tracking enabled through the masq option.

Rules

The rule section is used to define basic accept, drop or reject rules to allow or restrict access to specific ports or hosts.

config rule
    option  target      'REJECT'
    option  proto       'tcp'
    option  src         'lan'
    option  src_ip      '192.168.1.2'
    option  src_mac     '00:11:22:33:44:55'
    option  src_port    '80'
    option  dest        'wan'
    option  dest_ip     '194.25.2.129'
    option  dest_port   '120'

  • In fw3, src and dest determine which chain the rule is placed in:
  • If both src and dest are given, the rule matches forwarded traffic.
  • If only src is given, the rule matches incoming traffic (traffic addressed to the router itself).
  • If only dest is given, the rule matches outgoing traffic (traffic originating from the router itself).
  • If neither src nor dest is given, the rule defaults to an outgoing traffic rule.
  • Port ranges are specified as start:stop, for instance 6666:6670 (similar to the iptables syntax).
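The src/dest semantics above are where many fw3 misconfigurations come from: a rule with src but no dest is an INPUT rule, not a forwarding rule, and an ACCEPT without dest_port then opens every service on the router to that zone. As an added example (not code from the page or from OpenWrt), the following POSIX shell/awk script audits an /etc/config/firewall file for that footgun and for the ones described under Defaults (input or forward policy ACCEPT), Redirects (a DNAT redirect without src_dport) and Zones (input ACCEPT on the masquerading zone). The configuration embedded in it is constructed to trigger each check; the function and finding texts are mine.

```shell
#!/bin/sh
# Added example, not code from the page or from OpenWrt: a static audit of
# /etc/config/firewall for the footguns described under Defaults, Redirects,
# Zones and Rules. It parses the UCI syntax with POSIX awk, so it runs on
# the router (busybox) or on a workstation against a copied file.

# Constructed sample config exercising each check (not a real router's file).
SAMPLE_CONFIG="config defaults
    option input 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'ACCEPT'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'wan'
config redirect
    option name 'ssh-in'
    option src 'wan'
    option src_dport '19900'
    option dest 'lan'
    option dest_ip '192.168.1.10'
    option dest_port '22'
config redirect
    option name 'nas-web'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.1.20'
    option dest_port '8080'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'
config rule
    option name 'Mgmt-from-wan'
    option src 'wan'
    option proto 'tcp udp'
    option target 'ACCEPT'"

# audit_firewall: reads a UCI firewall config on stdin, prints one
# "FINDING: ..." line per issue and a final "findings: N" summary.
audit_firewall() {
    awk '
    function strip(v) {
        sub(/[ \t]+$/, "", v); sub(/^['\''"]/, "", v); sub(/['\''"]$/, "", v); return v
    }
    function flag(msg) { n++; print "FINDING: " msg }
    function check(   nm, k) {
        if (type == "") return
        nm = ("name" in o) ? o["name"] : ("@" type "[" (idx[type] - 1) "]")
        if (type == "defaults") {
            if (o["input"] == "ACCEPT")
                flag("defaults: input=ACCEPT lets any zone without its own input policy reach the router itself")
            if (o["forward"] == "ACCEPT")
                flag("defaults: forward=ACCEPT passes traffic between zones that have no explicit forwarding")
        } else if (type == "zone") {
            if (o["masq"] == "1" && o["input"] == "ACCEPT")
                flag("zone " nm ": input=ACCEPT on a masquerading (upstream) zone exposes the router services")
        } else if (type == "redirect") {
            if ((o["target"] == "" || o["target"] == "DNAT") && !("src_dport" in o))
                flag("redirect " nm ": no src_dport, so every port arriving on " o["src"] " is forwarded to " o["dest_ip"] ":" o["dest_port"])
        } else if (type == "rule") {
            if (o["target"] == "ACCEPT" && ("src" in o) && !("dest" in o) && !("dest_port" in o) &&
                (o["proto"] == "" || o["proto"] ~ /tcp|udp|all/))
                flag("rule " nm ": ACCEPT with src only is an INPUT rule; without dest_port it opens every tcp/udp service on the router to zone " o["src"])
        }
        for (k in o) delete o[k]
    }
    /^[ \t]*config[ \t]/ { check(); type = $2; idx[type]++ }
    /^[ \t]*(option|list)[ \t]/ { v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v); o[$2] = strip(v) }
    END { check(); print "findings: " n + 0 }
    '
}

# count_findings: number of FINDING lines produced for the sample config.
count_findings() {
    printf '%s\n' "$SAMPLE_CONFIG" | audit_firewall | grep -c '^FINDING:'
}

# On a router:  audit_firewall < /etc/config/firewall
```

Against the sample the script reports four findings (the defaults input policy, the wan zone, the nas-web redirect and the Mgmt-from-wan rule) and stays quiet on ssh-in, which has an src_dport, and on Allow-Ping, which is icmp-only and therefore does not expose tcp/udp services.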

Options

  • name (string, optional, default none): Name of the rule.
  • src (zone name, required; optional since Firewall v2 version 58 and above, default none): Traffic source zone. Must refer to one of the defined zone names.
  • src_ip (ip address, optional, default none): Match incoming traffic from the specified source IP address.
  • src_mac (mac address, optional, default none): Match incoming traffic from the specified MAC address.
  • src_port (port or range, optional, default none): Match incoming traffic from the specified source port or port range, if a relevant proto is specified. Multiple ports can be specified like '80 443 465'.
  • proto (protocol name or number, optional, default tcp udp): Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp or all, or a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.
  • icmp_type (list of type names or numbers, optional, default any): For protocol icmp, select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below).
  • dest (zone name, optional, default none): Traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise it is treated as an input rule.
  • dest_ip (ip address, optional, default none): Match incoming traffic directed to the specified destination IP address. With no dest zone, this is treated as an input rule!
  • dest_port (port or range, optional, default none): Match incoming traffic directed at the given destination port or port range, if a relevant proto is specified. Multiple ports can be specified like '80 443 465'.
  • ipset (string, optional, default none): If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark. The direction can be given as 'setname src' or 'setname dest'.
  • mark (mark/mask, optional, default none): If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark 16.
  • start_date (date yyyy-mm-dd, optional, default always): If specified, only match traffic after the given date (inclusive).
  • stop_date (date yyyy-mm-dd, optional, default always): If specified, only match traffic before the given date (inclusive).
  • start_time (time hh:mm:ss, optional, default always): If specified, only match traffic after the given time of day (inclusive).
  • stop_time (time hh:mm:ss, optional, default always): If specified, only match traffic before the given time of day (inclusive).
  • weekdays (list of weekdays, optional, default always): If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to match on every day except Saturdays and Sundays.
  • monthdays (list of dates, optional, default always): If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on the 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to match on every day except the 31st.
  • utc_time (boolean, optional, default 0): Treat all given time values as UTC instead of local time.
  • target (string, required, default DROP): Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic.
  • set_mark (mark/mask, required for target MARK, default none): Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
  • set_xmark (mark/mask): Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
  • family (string, optional, default any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
  • limit (string, optional, default none): Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m.
  • limit_burst (integer, optional, default 5): Maximum initial number of packets to match, allowing a short-term average above limit.
  • extra (string, optional, default none): Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec.
  • enabled (boolean, optional, default yes): Enable or disable the rule.
  • device (string, optional): no default or description is given on this page.
  • direction (direction, optional): no default or description is given on this page.
  • set_helper (cthelper, optional): no default or description is given on this page.
  • helper (cthelper, optional): no default or description is given on this page.

ICMP Name Types

Type names accepted by icmp_type: address-mask-reply, address-mask-request, any, communication-prohibited, destination-unreachable, echo-reply, echo-request, fragmentation-needed, host-precedence-violation, host-prohibited, host-redirect, host-unknown, host-unreachable, ip-header-bad, network-prohibited, network-redirect, network-unknown, network-unreachable, parameter-problem, ping, pong, port-unreachable, precedence-cutoff, protocol-unreachable, redirect, required-option-missing, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, TOS-host-redirect, TOS-host-unreachable, TOS-network-redirect, TOS-network-unreachable, ttl-exceeded, ttl-zero-during-reassembly, ttl-zero-during-transit.

Routing

IP Sets

fw3 supports referencing or creating ipsets to simplify matching of large address or port lists without the need to create one rule per item.

  • This needs the kmod-ipt-ipset kernel module installed.

Options

  • enabled (boolean, optional, default 1): Allows disabling the declaration of the ipset without deleting the section.
  • external (string, optional, default none): If set to a name, the firewall simply references the already existing ipset of that name. If unset, the firewall creates the ipset on start and destroys it on stop.
  • name (string; required if external is unset, optional if external is set; default none if external is unset, the value of external if it is set): Firewall-internal name of the ipset, used to reference the set in rules or redirects.
  • family (string, optional, default ipv4): Protocol family (ipv4 or ipv6) to create the ipset for. Only applicable to the storage types hash and list; the bitmap type implies ipv4.
  • storage (string, optional, default varies): Storage method (bitmap, hash or list) used by the ipset. The default depends on the datatypes used (see the match option below). In most cases the storage method can be inferred from the datatype combination, but in some cases multiple choices are possible (e.g. bitmap:ip vs. hash:ip).
  • match (list of direction/type tuples, required, default none): Matched data types (ip, port, mac, net or set) and their direction (src or dest). The direction is joined to the datatype with an underscore to form a tuple, e.g. src_port to match source ports or dest_net to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. hash:ip,port, specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port").
  • iprange (IP range, required for storage type bitmap with datatype ip, default none): IP range to cover, see ipset(8). Only applicable to the bitmap storage type.
  • portrange (port range, required for storage type bitmap with datatype port, default none): Port range to cover, see ipset(8). Only applicable to the bitmap storage type.
  • netmask (integer, optional, default 32): If specified, network addresses are stored in the set instead of IP host addresses. The value must be between 1 and 32, see ipset(8). Only applicable to the bitmap storage type with match ip or the hash storage type with match ip.
  • maxelem (integer, optional, default 65536): Limits the number of items that can be added to the set; only applicable to the hash and list storage types.
  • hashsize (integer, optional, default 1024): Initial hash size of the set; only applicable to the hash storage type.
  • timeout (integer, optional, default 0): Default timeout for entries added to the set. A value of 0 means no timeout.
  • entry (setentry, optional): no default or description is given on this page.
  • loadfile (string, optional): no default or description is given on this page.

Storage / Match Options

The order of datatype matches is significant. Supported combinations (family, storage, match):

  • ipv4, bitmap, ip: requires the iprange option
  • ipv4, bitmap, ip mac: requires the iprange option
  • ipv4, bitmap, port: requires the portrange option
  • any, hash, ip
  • any, hash, net
  • any, hash, ip port
  • any, hash, net port
  • any, hash, ip port ip
  • any, hash, ip port net
  • (no family), list, set: meta type to create a set-of-sets
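The page gives no worked ipset example. The following is an added one, not from the original page or from OpenWrt: a hash:net set of IPv4 source prefixes, created and destroyed by fw3 (no external option), referenced from two rules. Two rules are needed because of the src/dest semantics described under Rules: the first (src only) covers traffic to the router itself, the second (dest '*') covers traffic forwarded from wan to any zone. The set name blocklist4 and the rule names are illustrative.

```text
# hash:net set of source prefixes; fw3 creates it on start and destroys it on stop
config ipset
    option  name      'blocklist4'
    option  family    'ipv4'
    option  storage   'hash'
    list    match     'src_net'

# src only: applies to traffic addressed to the router itself (INPUT)
config rule
    option  name      'Drop-blocklist-to-router'
    option  src       'wan'
    option  proto     'all'
    option  ipset     'blocklist4'
    option  target    'DROP'

# src and dest '*': applies to traffic forwarded from wan to any zone (FORWARD)
config rule
    option  name      'Drop-blocklist-forwarded'
    option  src       'wan'
    option  dest      '*'
    option  proto     'all'
    option  ipset     'blocklist4'
    option  target    'DROP'
```

Entries are added on the router with ipset add blocklist4 198.51.100.0/24 (see ipset(8); the prefix is a documentation address). Because fw3 destroys and recreates a non-external set on every restart, entries added by hand are lost then, so they need to be re-added from an include script after each restart.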

IPv6

As described above, the family option is used to distinguish between IPv4, IPv6 and both protocols. The family is, however, inferred automatically if IPv6 addresses are used:

config rule
    option  src         'wan'
    option  src_ip      'fdca:f00:ba3::/64'
    option  target      'ACCEPT'

Similarly, a rule like the following is detected as IPv4 only:

config rule
    option  src         'wan'
    option  dest_ip     '88.77.66.55'
    option  target      'REJECT'

  • Rules without IP addresses are automatically added to both iptables and ip6tables, unless overridden by the family option.
  • Redirect rules (port forwards) are always IPv4 (at the time of writing), since there is no IPv6 DNAT support yet.

SNAT

TODO (from the original page): it still needs to be worked out how these sections are used so that they can be documented.

Options

The option names below are taken from the fw3 source file snats.c; the page does not describe them further:

snats.c:23:	FW3_OPT("enabled",             bool,      snat,     enabled),
snats.c:25:	FW3_OPT("name",                string,    snat,     name),
snats.c:26:	FW3_OPT("family",              family,    snat,     family),
snats.c:28:	FW3_OPT("src",                 device,    snat,     src),
snats.c:29:	FW3_OPT("device",              string,    snat,     device),
snats.c:31:	FW3_OPT("ipset",               setmatch,  snat,     ipset),
snats.c:33:	FW3_LIST("proto",              protocol,  snat,     proto),
snats.c:35:	FW3_OPT("src_ip",              network,   snat,     ip_src),
snats.c:36:	FW3_OPT("src_port",            port,      snat,     port_src),
snats.c:38:	FW3_OPT("snat_ip",             network,   snat,     ip_snat),
snats.c:39:	FW3_OPT("snat_port",           port,      snat,     port_snat),
snats.c:41:	FW3_OPT("dest_ip",             network,   snat,     ip_dest),
snats.c:42:	FW3_OPT("dest_port",           port,      snat,     port_dest),
snats.c:44:	FW3_OPT("extra",               string,    snat,     extra),
snats.c:46:	FW3_OPT("limit",               limit,     snat,     limit),
snats.c:47:	FW3_OPT("limit_burst",         int,       snat,     limit.burst),
snats.c:49:	FW3_OPT("connlimit_ports",     bool,      snat,     connlimit_ports),
snats.c:51:	FW3_OPT("utc_time",            bool,      snat,     time.utc),
snats.c:52:	FW3_OPT("start_date",          date,      snat,     time.datestart),
snats.c:53:	FW3_OPT("stop_date",           date,      snat,     time.datestop),
snats.c:54:	FW3_OPT("start_time",          time,      snat,     time.timestart),
snats.c:55:	FW3_OPT("stop_time",           time,      snat,     time.timestop),
snats.c:56:	FW3_OPT("weekdays",            weekdays,  snat,     time.weekdays),
snats.c:57:	FW3_OPT("monthdays",           monthdays, snat,     time.monthdays),
snats.c:59:	FW3_OPT("mark",                mark,      snat,     mark),
snats.c:61:	FW3_OPT("target",              target,    snat,     target),