- Previously we only supported multiple ICMP types on the same rule
by adding multiple keys:
Key: type
Value: echo-request
Key: type
Value: echo-reply
Now it's possible to specify them using ',':
Key: type
Value: echo-request,echo-reply
- Validate ICMP types before adding them.
Now you can add rules to allow multiple protocols.
For example you can add a rule to allow dport/sport for both TCP
and UDP.
There are two options to allow a port:
Statement {
Name: tcp
Values:
Key: dport
Value: 1234
}
Statement {
Name: meta
Values:
Key: l4proto
Value: tcp,udp
Key: dport
Value: 1234
}
Closes #951.
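As an added illustration (not opensnitch's own code) of the two commit messages above: a small Go renderer that turns the Statement/Key/Value shape shown there into an nft rule fragment. It accepts ICMP types both as repeated `type` keys and as a comma-separated list, validates each type against the keywords nft accepts after `icmp type` (rejecting typos before they reach nft), and shows how the `tcp`/`udp` form and the `meta` `l4proto` form map to rule text. The mapping of `dport`/`sport` under `meta` to `th dport`/`th sport` is this example's assumption, not something the commit message states.

```go
package main

import (
	"fmt"
	"strings"
)

// KV is one Key/Value line of a Statement; the same key may appear several
// times (the old "multiple keys" form) or carry a comma-separated list.
type KV struct {
	Key   string
	Value string
}

// Statement mirrors the Name/Values shape used in the commit message.
type Statement struct {
	Name   string
	Values []KV
}

// icmpTypes is the set of keywords nft accepts after "icmp type" (nft manual);
// anything else is rejected here instead of failing inside nft.
var icmpTypes = map[string]bool{
	"echo-reply": true, "destination-unreachable": true, "source-quench": true,
	"redirect": true, "echo-request": true, "router-advertisement": true,
	"router-solicitation": true, "time-exceeded": true, "parameter-problem": true,
	"timestamp-request": true, "timestamp-reply": true, "info-request": true,
	"info-reply": true, "address-mask-request": true, "address-mask-reply": true,
}

// valuesOf collects every value given for key, splitting comma-separated lists,
// trimming whitespace and dropping empty or duplicate entries, so the two ways
// of writing "echo-request" + "echo-reply" come out identical.
func (s Statement) valuesOf(key string) []string {
	seen := map[string]bool{}
	var out []string
	for _, kv := range s.Values {
		if kv.Key != key {
			continue
		}
		for _, v := range strings.Split(kv.Value, ",") {
			v = strings.TrimSpace(v)
			if v == "" || seen[v] {
				continue
			}
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

// nftSet renders one value bare and several values as an anonymous set.
func nftSet(vals []string) string {
	if len(vals) == 1 {
		return vals[0]
	}
	return "{ " + strings.Join(vals, ", ") + " }"
}

// Render turns a Statement into the nft rule fragment it stands for. For the
// "meta" form, ports are matched with "th" (transport header) so one rule can
// cover several l4 protocols; that mapping is an assumption of this example.
func Render(s Statement) (string, error) {
	var parts []string
	switch s.Name {
	case "icmp":
		types := s.valuesOf("type")
		if len(types) == 0 {
			return "", fmt.Errorf("icmp: no type given")
		}
		for _, t := range types {
			if !icmpTypes[t] {
				return "", fmt.Errorf("icmp: unknown type %q", t)
			}
		}
		parts = append(parts, "icmp type "+nftSet(types))
	case "tcp", "udp":
		for _, k := range []string{"sport", "dport"} {
			if v := s.valuesOf(k); len(v) > 0 {
				parts = append(parts, s.Name+" "+k+" "+nftSet(v))
			}
		}
	case "meta":
		if p := s.valuesOf("l4proto"); len(p) > 0 {
			parts = append(parts, "meta l4proto "+nftSet(p))
		}
		for _, k := range []string{"sport", "dport"} {
			if v := s.valuesOf(k); len(v) > 0 {
				parts = append(parts, "th "+k+" "+nftSet(v))
			}
		}
	default:
		return "", fmt.Errorf("unsupported statement %q", s.Name)
	}
	if len(parts) == 0 {
		return "", fmt.Errorf("%s: nothing to match on", s.Name)
	}
	return strings.Join(parts, " "), nil
}

func main() {
	for _, s := range []Statement{
		{Name: "icmp", Values: []KV{{"type", "echo-request"}, {"type", "echo-reply"}}},
		{Name: "icmp", Values: []KV{{"type", "echo-request,echo-reply"}}},
		{Name: "icmp", Values: []KV{{"type", "echo-requets"}}}, // typo, rejected
		{Name: "tcp", Values: []KV{{"dport", "1234"}}},
		{Name: "meta", Values: []KV{{"l4proto", "tcp,udp"}, {"dport", "1234"}}},
	} {
		rule, err := Render(s)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(rule)
	}
}
```

The validation step matters because an unknown keyword makes nft reject the whole rule, and a firewall rule that silently fails to load is the kind of failure that only shows up when traffic that should have been blocked gets through.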
The DNS rule to intercept DNS responses must always be at the top of
the (input-filter) rules, otherwise we won't receive DNS resolutions.
Adding, removing or changing system fw rules was removing the rule from 1st
position.
Another approach to this problem could be to remove&&add only the dns rule,
instead of disable-enable interception+rules monitor.
On some kernels (4.19), adding the interception rule to the
inet-mangle-output chain failed.
According to the nftables wiki, the mangle-output chain has (must?) to
be of type Route:
"route type: ... mangle table ... for the output hook (for other
hooks use type filter instead)."
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
So if we fail adding the interception rule, we retry it with type Filter
instead of Route.
Related: #781, ced9a24
This is part of the latest commit ced9a24933
- When reusing a chain, configure the new policy.
- Don't backup existing rules when reloading the configuration.
On some systems after disabling and enabling the interception, the
DNS rule was not being re-added, with error: chain already exists.
When the interception is disabled, we firstly remove the rules,
and secondly, if the chain and table are empty, we try to remove them
as well.
However, on some systems even if "nft list ruleset" didn't list the
chains to hold our rules, it failed with error "already exists".
Before adding a chain now we check if it exists, and if it does we
reuse it.
Closes #781
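The two commit messages above describe two fixes around creating the interception chain: retrying with chain type filter when the kernel rejects type route on the mangle/output hook, and checking whether the chain already exists before adding it so it can be reused. The following Go program is an added example of that logic and is not opensnitch's code; it drives the `nft` binary through an injectable `Runner` so the same function can be exercised with a fake runner where no kernel or root is available. The family, table and chain names and the priority value -150 (nft's "mangle") are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Runner executes one nft command (argv without the leading "nft") and
// returns its error, if any. main() wires the real binary; a fake can be
// substituted where no kernel or root access is available.
type Runner func(args ...string) error

func nftExec(args ...string) error {
	out, err := exec.Command("nft", args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("nft %v: %w: %s", args, err, out)
	}
	return nil
}

// ChainExists relies on nft's own view: "list chain" exits non-zero when the
// chain (or its table) is absent. Checking first avoids re-adding a chain that
// is still there after interception was disabled and enabled again.
func ChainExists(run Runner, family, table, chain string) bool {
	return run("list", "chain", family, table, chain) == nil
}

// EnsureOutputChain makes sure family/table/chain exists on the output hook and
// reports how: "exists" if it was already there, otherwise the base chain type
// the kernel accepted. Type "route" (what the nftables wiki prescribes for
// mangle/output) is tried first; "filter" is the fallback for kernels that
// reject it. "add table" is idempotent in nft, so it is safe to repeat.
func EnsureOutputChain(run Runner, family, table, chain string, priority int) (string, error) {
	if ChainExists(run, family, table, chain) {
		return "exists", nil
	}
	if err := run("add", "table", family, table); err != nil {
		return "", err
	}
	var tried []string
	for _, typ := range []string{"route", "filter"} {
		// nft joins its argv with spaces, so the whole spec can be one argument.
		spec := fmt.Sprintf("{ type %s hook output priority %d ; }", typ, priority)
		err := run("add", "chain", family, table, chain, spec)
		if err == nil {
			return typ, nil
		}
		tried = append(tried, fmt.Sprintf("%s: %v", typ, err))
	}
	return "", errors.New("cannot add output chain: " + strings.Join(tried, "; "))
}

func main() {
	// Needs root and the nft binary; -150 is the numeric value of nft's "mangle" priority.
	how, err := EnsureOutputChain(nftExec, "inet", "mangle", "output", -150)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("inet mangle output:", how)
}
```

Returning which chain type ended up in place is deliberate: a daemon that later needs to delete or recreate the chain should know whether it is running on a kernel that only accepted the filter fallback, rather than rediscovering that at teardown time.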
- Allow using commas to define conntrack states:
("related,established")
- Remove profile's rules when switching from Deny to Allow.
- Fixed checking duplicated rules.
Closes #778
Added more options to match connections against packets' metainformation:
skuid, skgid, l4proto, protocol
Fixed setting mark on packets via meta (although it results in an error
-> [invalid type]).
If the table family where we're adding a daddr/saddr is inet, we need to
specify the protocol of the IP being added.
Otherwise, when listing the rules they appear as:
@nh,128,32 3232235777 accept
instead of: daddr 192.168.1.111 accept
seen here: #704
* Allow configuring firewall rules from the GUI (WIP)
New features:
- Configure and list system firewall rules from the GUI (nftables).
- Configure chains' policies.
- Add simple rules to allow incoming ports.
- Add simple rules to exclude apps (ports) from being intercepted.
This feature is only available for nftables. iptables is still supported,
you can add rules to the configuration file and they'll be loaded, but
you can't configure them from the GUI.
More information: #592
We were not deleting our rules correctly on exit if another fw tool had
added rules to the nftables tables. This problem caused us to detect that
our rules were not added, so we added them again.